
 
operat0r
newbie
Topic Author
Posts: 32
Joined: Mon May 29, 2017 9:18 pm

Vlans + VRRP + Multiple Public IP addresses

Mon Feb 18, 2019 2:41 pm

Hello,

I'm trying to set up a big network and I just want to find the best possible design to implement it.
Here are the prerequisites.

I have multiple Public IP addresses. Let's say subnets 1.1.1.0/24, 2.2.2.0/24, 3.3.3.0/24.
I need complete isolation between clients, so VLANs are a must.
Need redundancy so VRRP is a must also.

Here's what we have now.

2x ISPs with BGP full routing tables on two MikroTik CCR1072.
So best case it's an active-active scenario (or active-backup).

So this is what I want:

1) Same networks are advertised through BGP on both routers (I have already set this up and it is working).
2) VRRP in case one router fails, the other one should start forwarding traffic instead. This is set up partially. What I mean is that since I have multiple subnets I have set up many VRRP interfaces on the internal-facing ports. The problem here is that I lose 3 IPs per subnet due to VRRP, and VRRP traffic is being broadcast on the subnets, which in turn can be seen in clients' traffic.
3) I have not found a proper way to implement VLANs on such a big margin.
Let's say I have many clients (200 clients at the same time), then I need to set up 200 VLAN interfaces (which I cannot create in bulk, and I need to create them one by one). Then how could I set up VLANs and VRRP on multiple VLANs effectively, to have complete isolation?

I hope I've been thorough enough with my explanation.

And some configurations already implemented (this is a sample to help understand my situation).

/interface vrrp
add authentication=ah interface=sfp-sfpplus2 name=X.X.X.0/28 password=XXXXX priority=50 version=2
add authentication=ah interface=sfp-sfpplus2 name=X.X.X.128/25 password=XXXXX priority=50 version=2 vrid=5
add authentication=ah interface=sfp-sfpplus2 name=X.X.X.16/28 password=XXXXXX priority=50 version=2 vrid=2
add authentication=ah interface=sfp-sfpplus2 name=X.X.X.32/27 password=XXXXXXX priority=50 version=2 vrid=3
add authentication=ah interface=sfp-sfpplus2 name=X.X.X.64/26 password=XXXXXXX priority=50 version=2 vrid=4
add authentication=ah interface=sfp-sfpplus2 name=1.X.X.0/26 password=XXXXXXXX priority=50 version=2 vrid=10
add authentication=ah interface=sfp-sfpplus2 name=1.X.X.128/25 password=XXXXXXX priority=50 version=2 vrid=12
add authentication=ah interface=sfp-sfpplus2 name=1.X.X.64/26 password=XXXXXXX priority=50 version=2 vrid=11
add authentication=ah interface=sfp-sfpplus4 name=2.X.X.0/24 password=XXXXXXX priority=50 version=2 vrid=6
add authentication=ah interface=sfp-sfpplus2 name=3.X.X.0/24 password=XXXXXXX priority=50 version=2 vrid=14
add authentication=ah interface=sfp-sfpplus4 name=4.X.X.0/26 password=XXXXXXX priority=50 version=2 vrid=15
add authentication=ah interface=sfp-sfpplus4 name=4.X.X.128/25 password=XXXXXXX priority=50 version=2 vrid=17
add authentication=ah interface=sfp-sfpplus4 name=4.X.X.64/26 password=XXXXXXX priority=50 version=2 vrid=16

/ip address
add address=X.X.X.30 interface=X.X.X.X/28 network=X.X.X.X
add address=X.X.X.60/27 comment=X.X.X.32/27 interface=sfp-sfpplus2 network=X.X.X.32
.
.
.

I have read in another post in the forum that, for best results, I'd better add only one VRRP on the direct connection between the two routers, and set up an up/down script for bringing interfaces up or down.

I would really appreciate any recommendations.

Best Regards,
Panagiotis Botos
Panagiotis Botos
Networking Engineer
 
idlemind
Forum Guru
Posts: 1101
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: Vlans + VRRP + Multiple Public IP addresses

Tue Feb 19, 2019 9:01 am

The up/down method is a bit hacky.

You can run VRRP for multiple networks, but it seems you're running all of the instances on the same underlying interface. You should run it on the layer 3 interfaces that actually forward the traffic. Likely, based on your post, this should be the VLAN interfaces, with the shared IP assigned to the VRRP interface as a /32.

The creation of all of this can be scripted and the code can be generated with a short script in the language of your own preference.
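
Added example (not part of idlemind's post or any MikroTik tooling): a Python generator for the layout described above, with one VLAN interface per client, VRRP running on that VLAN interface and the shared gateway as a /32 on the VRRP interface. The interface names (vlanN, vrrpN), the address plan (last usable host as gateway, the two below it for the routers), the priorities and the sample prefixes are assumptions made for illustration.

```python
import ipaddress

def routeros_vrrp_config(clients, parent, router_index, vrrp_password):
    """Build RouterOS commands for one router of a VRRP pair.

    clients: (vlan_id, cidr) tuples, one VLAN and one prefix per client.
    In each prefix the last usable host becomes the shared gateway (/32 on
    the VRRP interface) and the two hosts below it the routers' own IPs.
    """
    if router_index not in (0, 1):
        raise ValueError("router_index must be 0 (master) or 1 (backup)")
    if not vrrp_password.isalnum():
        raise ValueError("password must be alphanumeric (no quoting is done)")
    priority = 254 if router_index == 0 else 100
    seen_vlans, seen_nets, lines = set(), [], []
    for vlan_id, cidr in clients:
        net = ipaddress.ip_network(cidr)  # raises if host bits are set
        if not 1 <= vlan_id <= 4094 or vlan_id in seen_vlans:
            raise ValueError(f"VLAN id {vlan_id} invalid or reused")
        if net.num_addresses < 8:  # gateway + 2 routers + at least 1 client
            raise ValueError(f"{net} is too small for VRRP plus a client")
        if any(net.overlaps(other) for other in seen_nets):
            raise ValueError(f"{net} overlaps an earlier client prefix")
        seen_vlans.add(vlan_id)
        seen_nets.append(net)
        gateway = net.broadcast_address - 1
        own_ip = gateway - 1 - router_index
        vrid = (vlan_id - 1) % 255 + 1  # VRID is 1..255, scoped per VLAN
        vlan, vrrp = f"vlan{vlan_id}", f"vrrp{vlan_id}"
        lines += [
            f"/interface vlan add interface={parent} name={vlan} vlan-id={vlan_id}",
            f"/interface vrrp add authentication=ah interface={vlan} name={vrrp}"
            f" password={vrrp_password} priority={priority} version=2 vrid={vrid}",
            f"/ip address add address={own_ip}/{net.prefixlen} interface={vlan}",
            f"/ip address add address={gateway}/32 interface={vrrp}",
        ]
    return lines

# Constructed sample: documentation prefixes, not the poster's real subnets.
SAMPLE_CLIENTS = [(100, "198.51.100.0/28"), (101, "198.51.100.16/28"),
                  (102, "203.0.113.0/25")]

if __name__ == "__main__":
    print("\n".join(routeros_vrrp_config(SAMPLE_CLIENTS, "sfp-sfpplus2", 0, "CHANGEME")))
```

Run it once with router_index 0 and once with 1 and apply each output to the matching router; the VRRP password is passed in at run time so it does not sit in the script.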
 
operat0r
newbie
Topic Author
Posts: 32
Joined: Mon May 29, 2017 9:18 pm

Re: Vlans + VRRP + Multiple Public IP addresses

Wed Feb 27, 2019 2:13 pm

I'm running the VRRP on the same interface as all customers are assigned on this interface.

VRRP-interface <-> Cisco Switch <-> Proxmox Cluster Server.

The issue with "this should be the VLAN interfaces with the shared IP assigned to the VRRP interface as a /32" is that I have several /24 prefixes cut down to /25, /26, /27.
Customers that have a VLAN, let's say one in VLAN 100 and one in VLAN 101 on the same /24 prefix, how would they communicate with the VRRP gateway? Can the VRRP gateway be a member of multiple VLANs, and if so, how?
Panagiotis Botos
Networking Engineer
 
christopherh
newbie
Posts: 29
Joined: Sun Feb 24, 2019 7:43 am
Location: Sydney, Australia

Re: Vlans + VRRP + Multiple Public IP addresses

Wed Feb 27, 2019 2:25 pm

For what it's worth, I'm not sure about this statement:
"lose 3 IPs per subnet due to VRRP"
I have the one floating IP running on a VRRP config between two CHRs and it works flawlessly for me.
 
mrz
MikroTik Support
Posts: 5913
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Vlans + VRRP + Multiple Public IP addresses

Thu Feb 28, 2019 10:32 am

You should set up one VRRP per physical interface.

Regarding losing 3 IPs per subnet, not correct, you will lose only 2 IPs on a subnet that is running VRRP on IPv4. Or set up VRRP v3 on IPv6 and don't lose any IPs.
 
christopherh
newbie
Posts: 29
Joined: Sun Feb 24, 2019 7:43 am
Location: Sydney, Australia

Re: Vlans + VRRP + Multiple Public IP addresses

Thu Feb 28, 2019 4:40 pm

"you will lose only 2 IPs on a subnet that is running VRRP on IPv4."
How is it possible that I have it working with only using the one IP address? I have .254 configured on both routers as the IP on the VRRP interface, and the physical interface has no IPs configured.
 
mrz
MikroTik Support
Posts: 5913
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Vlans + VRRP + Multiple Public IP addresses

Thu Feb 28, 2019 6:07 pm

VRRP cannot work without an IP on the physical interface unless it is VRRP v3 IPv6.
 
bbs2web
Member Candidate
Posts: 197
Joined: Sun Apr 22, 2012 6:25 pm
Location: Johannesburg, South Africa

Re: Vlans + VRRP + Multiple Public IP addresses

Sat Mar 02, 2019 7:35 am

The VRRP parent interfaces also don't need to match the subnet of IPs attached to the VRRP interfaces. Documentation and training will always show them being in the same subnet but you can run /30 or even /31 on VRRP interfaces.

Clients often want redundant links and infrastructure and therefore assume that we need to grow routing subnets to /29. The following sample topology shows a simulation where a single IP is shared between two routers, using 10.255.255.0/29 on the VRRP parent interfaces (could also be /30):
[Image: sample topology]

Service Provider simulation with /31:
/interface bridge
add name=bridge
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
/ip address
add address=196.25.20.1 interface=bridge network=196.25.20.35
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether3
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether3


R1:
/interface vrrp
add interface=ether1 name=vrrp1 priority=254
/ip address
add address=10.255.255.1/29 interface=ether1
add address=196.25.20.35 interface=vrrp1 network=196.25.20.1
/ip route
add distance=1 gateway=196.25.20.1


R2:
/interface vrrp
add interface=ether1 name=vrrp1
/ip address
add address=10.255.255.2/29 interface=ether1
add address=196.25.20.35 interface=vrrp1 network=196.25.20.1
/ip route
add distance=1 gateway=196.25.20.1
 
bbs2web
Member Candidate
Posts: 197
Joined: Sun Apr 22, 2012 6:25 pm
Location: Johannesburg, South Africa

Re: Vlans + VRRP + Multiple Public IP addresses

Sat Mar 02, 2019 7:44 am

Operat0r:
You may want to search these forums for the MikroTik high availability script solution, where a single VRRP interface is used to track router master status and configurations are automatically transferred between them. It generally requires switches to be used to provide uplink to both routers via VLANs, but we have numerous routers set up to work like this with excellent results.

Not trivial as you really should read the resulting scripts to know how they work.

https://github.com/svlsResearch/ha-mikrotik
 
operat0r
newbie
Topic Author
Posts: 32
Joined: Mon May 29, 2017 9:18 pm

Re: Vlans + VRRP + Multiple Public IP addresses

Thu Mar 14, 2019 7:23 pm

Thank you all for your replies.
I will check on this and provide feedback on what implementation worked for me.
Panagiotis Botos
Networking Engineer
