HSRP with multiple subnets (Vlans)

Hi

How can we configure two redundant HSRP routers to be gateways for multiple subnets (VLANs)?

At the same time, those subnets should be isolated; no VLANs can talk to each other.

Basic picture for illustration

Regards,

Comments

  • VLANs can't talk to each other at Layer-2 unless they go through a router. VRFs provide total isolation.

    Regards,

    Amit.

  • Hi Oud,

    Before answering you, please provide these answers:

    - Are your 2 routers WAN routers (are there other links on these routers?) or are all communications local only?

    - Can you add an L3 link between the 2 routers?

    - Is there a firewall connected to the 2 routers?

    With these answers, I can try to give you some cloud.

    Regards,

    kalmogo

    Become an Expert by helping others to become experts.

  • Yes, I presume that the routers support VRFs.

  • Hi kalmogo,

    Thanks for the reply.

    I have an INE CCIE R&S lab.

  • Hi kalmogo,

    Thanks for the reply.

    I have an INE CCIE R&S lab.

    Okay, so it's an INE lab? Not a real environment?

  • Yes, actually.

    Is this the wrong place?

  • It's the right place, but it would be helpful if you would say which particular lab you're working on.

    VRFs and/or ACLs are the answer.

  • Agree with Northlandboy,

    If you give the source of INE's lab, no doubt someone within this community has already done this lab and can help you anyway.

    Regards,

    kalmogo

    Become an expert by helping others to become Experts.

  • How can we configure two redundant HSRP routers to be gateways for multiple subnets (VLANs)?

    At the same time, those subnets should be isolated; no VLANs can talk to each other.

    It seems that your scenario leads to PVLAN 50 as primary and the rest as community PVLAN and then uses HSRP with secondary addresses on the routers to support multiple subnets.

  • It seems that your scenario leads to PVLAN 50 as primary and the rest as community PVLAN and then uses HSRP with secondary addresses on the routers to support multiple subnets.

    I agree with Alex here that PVLAN seems to be the right choice. But please provide more info on which lab you are working on, so we can better assist you.

  • To make it work there can be different kinds of solutions, but if you are doing the lab, you need to focus on the technology and the task: what the task is actually asking for. Could you share the lab info?

    Good Luck with your studies!

  • Dear all,

    Thanks for the reply.

    In fact I meant a lab (hardware purchased from eBay), which is similar to the INE CCIE hardware lab.

    And this question came to mind during my preparation.

  • Dear all,

    Thanks for the reply.

    In fact I meant a lab (hardware purchased from eBay), which is similar to the INE CCIE hardware lab.

    And this question came to mind during my preparation.

    Thanks for the clarification.

    As the community mentioned, the best resources are INE. Particularly, you have to pay attention with the resources bought on eBay.

    Because anyone can self-declare as the best trainer for CCIE... and this can lead you to waste your time and money.

    Personally, I see the scenario as bad (if it isn't a private VLANs or VRFs scenario and if the routers aren't switch/routers).

    So don't waste your time and money... INE is the proven and the best for us (me and you).

    Regards,

    kalmogo

    Become an Expert by helping others to become Experts.

  • And this question came to mind during my preparation.

    You are doing good ;)

    But don't forget that you need to learn to ask the right question.

    Read this: http://www.himawan.nu/2006/02/how-to-become-ccie.html and look for item no. 8

    Good luck with your study!

  • Dear kalmogo,

    If you are working in a service provider company,

    and you want to create a redundant gateway for the customers,

    at the same time you do not want customers' networks to talk to each other,

    what will you do?

  • Yes you are right.

    I think I'll choose VRFs: each customer has its own VRF, own VLAN and its own gateway.

    The scenario isn't well presented and there is no continuity of the clients' VLANs to the router. With VRFs you have to configure a trunk and allow the 3 customer VLANs on the routers. VLAN 50 is L3 for redundancy.

    Regards,

    kalmogo

    Become an Expert by helping others become Experts.
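    As an added illustration of the VRF-per-customer design described above (example configuration written for this thread, not taken from the posts or from INE), here is one router's VRF-lite plus HSRP configuration. Customer names, VLAN numbers, addresses and RD values are constructed; R2 mirrors this with its own interface addresses and the default HSRP priority.

```ios
! R1 (HSRP active for both customers). R2 is identical except for its
! interface addresses (10.10.10.3, 10.10.20.3) and a lower HSRP priority.
! Customer names, VLAN numbers, addresses and RD values are constructed.
!
! One VRF per customer: separate routing tables, so the router itself
! has no route from customer A's subnet into customer B's.
ip vrf CUST-A
 rd 65000:10
!
ip vrf CUST-B
 rd 65000:20
!
! 802.1Q trunk to the access switch; customer VLANs ride as subinterfaces.
interface GigabitEthernet0/0
 description Trunk to access switch (VLANs 10, 20, 50 allowed)
 no ip address
!
interface GigabitEthernet0/0.10
 description Customer A, VLAN 10
 encapsulation dot1Q 10
 ! assign the VRF before the address: IOS clears the IP address
 ! when the VRF of an interface is changed
 ip vrf forwarding CUST-A
 ip address 10.10.10.2 255.255.255.0
 standby version 2
 standby 10 ip 10.10.10.1
 standby 10 priority 110
 standby 10 preempt
 ! MD5 authentication so a host in VLAN 10 cannot take the active
 ! role with unauthenticated hellos; the key string is a placeholder
 standby 10 authentication md5 key-string REPLACE_WITH_SECRET
!
interface GigabitEthernet0/0.20
 description Customer B, VLAN 20
 encapsulation dot1Q 20
 ip vrf forwarding CUST-B
 ip address 10.10.20.2 255.255.255.0
 standby version 2
 standby 20 ip 10.10.20.1
 standby 20 priority 110
 standby 20 preempt
 standby 20 authentication md5 key-string REPLACE_WITH_SECRET
!
! VLAN 50 is the routed R1-R2 link (global table). It carries no
! customer VRF, so it is not a path between customers.
interface GigabitEthernet0/0.50
 description R1-R2 L3 link, VLAN 50
 encapsulation dot1Q 50
 ip address 10.50.50.1 255.255.255.252
```

    To check the isolation, `show ip route vrf CUST-A` on either router should list only customer A's connected subnet, and `show standby brief` shows which router is active for each group.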

  • Another point (as you speak about redundancy) is to add:

    - a second switch interconnected to the existing one with an EtherChannel for full redundancy.

    - an L3 interconnection between the 2 routers for the WAN side

    - a link (TenGig) to the WAN side for each router

    Unfortunately I don't have Visio on my PC, but if you can draw the diagram with my suggestions, I can try to give you the configs.

    Regards,

    kalmogo

    Become an Expert by helping others to become Experts.

  • But don't forget that you need to learn to ask the right question.

    Read this: http://www.himawan.nu/2006/02/how-to-become-ccie.html and look for item no. 8

    Thanks for this good link.

  • peetypeety

    Dear kalmogo,

    Please don't direct questions to individuals. It's a public forum. If you want to ask someone a question, email them.

    If you are working in a service provider company,

    and you want to create a redundant gateway for the customers,

    at the same time you do not want customers' networks to talk to each other,

    what will you do?

    If I'm working at a service provider company, I'm setting up the network to provide a service, and that service is to move bits. As such, if the customers want a redundant gateway, I put together two options:

    Option 1, for those customers who do not intend to deploy a router with networks behind it: Two gateway routers serving a common subnet towards the customer, and providing first hop redundancy via HSRP.

    Option 2, for those customers who do intend to deploy a router: two gateway routers with separate /31 or /30 subnets to the customer's router, and BGP routing with the customer's router for redundancy and/or load-splitting.

    If the customers don't want anyone to talk to them, either they should put an ASA firewall on option 1, put ACLs or CBAC on the router in option 2, or put an ASA downstream of the router in option 2.

    If the customers want me as the service provider to protect them, I'll sell them a managed firewall solution with an ASA (or redundant ASA pair) downstream of option 1.

    Let's face it: if you're a service provider, networks are connecting to the Internet to get to the Internet. They should protect themselves from the "customer next door" the same as they protect themselves from the network halfway around the world.

  • If the customers don't want anyone to talk to them, either they should put an ASA firewall on option 1, put ACLs or CBAC on the router in option 2, or put an ASA downstream of the router in option 2.

    Yes, during my written exam I faced this option:

    - 1, put ACLs combined with outbound CBAC (verify source via rx for 1 ISP and verify source via any for 2 ISPs).

    Good,

    Thanks for sharing your experience.

    Regards,

    kalmogo

    Become an Expert by helping others to become Experts.
