Single Internet Connection but HA Infrastructure – Using bridging instead of routing

Introduction – The Design Constraint

The customer had decided to build a hosting platform but, because of the site's location, could only arrange a single Internet connection to it. All other hardware was duplicated for high availability. After considering the options, the following diagram was prepared showing the first pass at the design: the Internet connection (100Mb Ethernet) is connected to the router, the router to a switch, and that switch is interconnected by a trunk to a second switch. The first layer of firewalls is then connected.

In this design, the router and the first switch are single points of failure, as shown on the diagram.

Figure: oneleginternetbefore.png (first-pass design, router connected to one switch only)

Solution

After some consideration, the design could be improved by connecting the router to both switches. This is done by creating a bridge interface (a BVI with a bridge group) on the router and letting spanning tree detect a failure and change the topology in the event of an outage. The design is therefore changed to the following:

Figure: oneleginternetafter.png (improved design, router bridged to both switches)

Using VRF Lite for Internet to separate the Management / Control Plane

After considering the security and the operational management, it was decided that having the control plane of the Internet facing router possibly accessible from the Internet was not an acceptable risk. This risk could be mitigated by using VRF Lite to separate the internet routing from the management routing.

The sample configuration for this design is shown below:


!
ip vrf Internet
rd 100:101
!Create the VRF for the Internet traffic
!
bridge irb
!Enable the bridging software for IOS
!
interface GigabitEthernet0/0
description to Internet Provider network next hop 198.18.200.2
ip vrf forwarding Internet
!assign the external interface to the VRF
ip address 198.18.200.1 255.255.255.252
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
description to the left side switch
no ip address
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1.100
description Internet connection
encapsulation dot1Q 100
bridge-group 1
!
interface GigabitEthernet0/1.2000
description Management connection
encapsulation dot1Q 2000
bridge-group 2
!
interface GigabitEthernet0/2
description to the right side switch
no ip address
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2.100
description Internet connection
encapsulation dot1Q 100
bridge-group 1
!
interface GigabitEthernet0/2.2000
description Management Connection
encapsulation dot1Q 2000
bridge-group 2
!
interface BVI1
description BVI for internal Internet network
ip vrf forwarding Internet
ip address 198.18.10.1 255.255.255.128
!
interface BVI2
description BVI for Mgmt
ip address 192.168.254.1 255.255.255.224
!
!
ip route 0.0.0.0 0.0.0.0 192.168.254.31
!set the route for device management
ip route vrf Internet 0.0.0.0 0.0.0.0 198.18.200.2
!set the default route for the service provider
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
!enable the bridging protocols for both the Internet and management connections
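One thing worth keeping alongside a configuration like this is a check that the separation it promises actually holds after later edits. The script below is an added example and not part of the original post or the customer's tooling: it parses the interface and static-route stanzas of the configuration above (embedded as a copy trimmed to the lines the audit reads), maps each BVI to its bridge group, and then verifies three properties of the design: every bridge group carries one consistent VLAN tag and has one addressed BVI, every bridge group has uplinks to both switches (so spanning tree has something to fail over to), and each default route's next hop is on a connected subnet of the same table, so the management default route cannot be resolved through the Internet VRF or vice versa. The POLICY mapping of interfaces to tables is an assumption derived from the post, not something the router exports.

```python
import ipaddress
import re

# Copy of the post's configuration, trimmed to the lines the audit reads.
IOS_CONFIG = """
interface GigabitEthernet0/0
 ip vrf forwarding Internet
 ip address 198.18.200.1 255.255.255.252
interface GigabitEthernet0/1.100
 encapsulation dot1Q 100
 bridge-group 1
interface GigabitEthernet0/1.2000
 encapsulation dot1Q 2000
 bridge-group 2
interface GigabitEthernet0/2.100
 encapsulation dot1Q 100
 bridge-group 1
interface GigabitEthernet0/2.2000
 encapsulation dot1Q 2000
 bridge-group 2
interface BVI1
 ip vrf forwarding Internet
 ip address 198.18.10.1 255.255.255.128
interface BVI2
 ip address 192.168.254.1 255.255.255.224
ip route 0.0.0.0 0.0.0.0 192.168.254.31
ip route vrf Internet 0.0.0.0 0.0.0.0 198.18.200.2
"""

# Assumed policy derived from the post: provider link and Internet-side BVI in the VRF, management BVI global (None).
POLICY = {"GigabitEthernet0/0": "Internet", "BVI1": "Internet", "BVI2": None}

def parse_config(config):
    """Return ({interface: attrs}, [static routes]) from running-config text."""
    interfaces, routes, current = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        words = line.split()
        if line.startswith("interface "):
            current = words[1]
            # A BVI has no bridge-group line: BVI<n> is the L3 side of bridge-group n.
            group = int(current[3:]) if current.startswith("BVI") else None
            interfaces[current] = {"vrf": None, "ip": None, "bridge_group": group, "vlan": None}
        elif current and line.startswith("ip vrf forwarding "):
            interfaces[current]["vrf"] = words[3]
        elif line.startswith(("ip route ", "ip vrf ", "bridge ")):
            current = None  # back at global configuration level
            m = re.match(r"ip route (?:vrf (\S+) )?(\S+) (\S+) (\S+)", line)
            if m:
                routes.append({"vrf": m.group(1), "next_hop": ipaddress.ip_address(m.group(4)),
                               "prefix": ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)})
        elif current and line.startswith("ip address "):
            interfaces[current]["ip"] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
        elif current and line.startswith("bridge-group "):
            interfaces[current]["bridge_group"] = int(words[1])
        elif current and line.lower().startswith("encapsulation dot1q "):
            interfaces[current]["vlan"] = int(words[2])
    return interfaces, routes

def check_bridge_groups(interfaces):
    """Each bridge-group: one VLAN tag, one addressed BVI, uplinks to both switches."""
    findings, members = [], {}
    for name, attrs in interfaces.items():
        if attrs["bridge_group"] is not None:
            members.setdefault(attrs["bridge_group"], []).append(name)
    for group, names in sorted(members.items()):
        vlans = {interfaces[n]["vlan"] for n in names if interfaces[n]["vlan"] is not None}
        if len(vlans) != 1:
            findings.append(f"bridge-group {group}: member VLAN tags differ {sorted(vlans)}")
        bvis = [n for n in names if n.startswith("BVI")]
        if len(bvis) != 1 or interfaces[bvis[0]]["ip"] is None:
            findings.append(f"bridge-group {group}: needs exactly one BVI with an ip address")
        uplinks = {n.split(".")[0] for n in names if not n.startswith("BVI")}
        if len(uplinks) < 2:
            findings.append(f"bridge-group {group}: single uplink {sorted(uplinks)}, no spanning-tree failover")
    return findings

def check_vrf_placement(interfaces, policy):
    """Every policed interface sits in the table the policy assigns."""
    findings = []
    for name, want in policy.items():
        attrs = interfaces.get(name)
        if attrs is None or attrs["ip"] is None:
            findings.append(f"{name}: missing or has no ip address")
        elif attrs["vrf"] != want:
            findings.append(f"{name}: in {attrs['vrf'] or 'global table'}, expected {want or 'global table'}")
    return findings

def check_routes(interfaces, routes):
    """A next hop must be on a connected subnet of the same table, or traffic leaks between tables."""
    findings = []
    for r in routes:
        if not any(a["ip"] is not None and a["vrf"] == r["vrf"] and r["next_hop"] in a["ip"].network
                   for a in interfaces.values()):
            findings.append(f"route {r['prefix']} in {r['vrf'] or 'global table'}: next hop {r['next_hop']} not connected there")
    return findings

def audit(config, policy=POLICY):
    interfaces, routes = parse_config(config)
    return check_bridge_groups(interfaces) + check_vrf_placement(interfaces, policy) + check_routes(interfaces, routes)
```

Running `audit(IOS_CONFIG)` on the configuration above returns an empty list. Dropping `ip vrf forwarding Internet` from BVI1 produces a single placement finding; removing one of the VLAN 100 sub-interfaces produces a single-uplink finding for bridge-group 1; and moving BVI2 into the VRF produces both a placement finding and a route finding, because the global default route then has no connected interface left to resolve through.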

Conclusion

The solution has been working well. A recent switch upgrade was carried out without any outage. This was a reasonably simple configuration change that has substantially improved the operation of the network. The security team were most pleased with the control plane separation.

This entry was posted in Cisco.