Introduction – The Design Constraint
The customer had decided to build a hosting platform, but because of the site's location could only arrange a single internet connection to it. All other hardware, however, was duplicated for high availability. After considering the options, the following diagram was prepared as a first pass at the design: the Internet connection (100Mb Ethernet) connected to the router, the router connected to one switch, that switch interconnected by a trunk to a second switch, and the first layer of firewalls connected behind the switches.
In this design the router and the first switch are single points of failure, as shown on the diagram.
After some consideration, the design could be improved by connecting the router to both switches. This is done by creating a bridge interface on the router and using spanning tree to detect an outage and change the topology accordingly. The design therefore changes to the following.
Using VRF Lite for Internet to separate the Management / Control Plane
After considering security and operational management, it was decided that having the control plane of the Internet-facing router potentially reachable from the Internet was not an acceptable risk. This risk can be mitigated by using VRF Lite to keep the Internet routing table separate from the management routing table, so that the device's management addresses and default route are never reachable through the provider-facing VRF.
The sample router configuration for this design is shown below:
!
ip vrf Internet
 rd 100:101
!Create the VRF for the Internet traffic
!
bridge irb
!Enable the bridging software for IOS
!
interface GigabitEthernet0/0
 description to Internet Provider network next hop 198.18.200.2
 ip vrf forwarding Internet
 !assign the external interface to the VRF
 ip address 198.18.200.1 255.255.255.252
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 description to the left side switch
 no ip address
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1.100
 description Internet connection
 encapsulation dot1Q 100
 bridge-group 1
!
interface GigabitEthernet0/1.2000
 description Management connection
 encapsulation dot1Q 2000
 bridge-group 2
!
interface GigabitEthernet0/2
 description to the right side switch
 no ip address
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/2.100
 description Internet connection
 encapsulation dot1Q 100
 bridge-group 1
!
interface GigabitEthernet0/2.2000
 description Management connection
 encapsulation dot1Q 2000
 bridge-group 2
!
interface BVI1
 description BVI for internal Internet network
 ip vrf forwarding Internet
 ip address 198.18.10.1 255.255.255.128
!
interface BVI2
 description BVI for Mgmt
 ip address 192.168.254.1 255.255.255.224
!
ip route 0.0.0.0 0.0.0.0 192.168.254.31
!set the route for device management
ip route vrf Internet 0.0.0.0 0.0.0.0 198.18.200.2
!set the default route for the service provider
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
!enable the bridging protocols for both the Internet and management connections
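The separation above only holds while every piece stays consistent: each bridge-group must terminate on a BVI in the right table, each bridge must be routed, and no static route may exit through an interface in a different VRF than the route itself. The following linter is an added example, not code from the article or from Cisco; it parses flat IOS configuration text of the kind shown above and checks those properties. The VRF name and bridge-group numbers are assumptions copied from the sample configuration, and SAMPLE_CONFIG is a constructed, trimmed copy of it. Run against that sample it reports one item worth verifying against the intended management gateway: 192.168.254.31 is the broadcast address of the 192.168.254.0/27 configured on BVI2.

```python
"""Added example: lint an IOS VRF Lite / IRB config for control-plane separation.
Checks: bridge-group 1 terminates on a BVI in the Internet VRF, bridge-group 2
on a BVI in the global table, each bridge has 'bridge N route ip', and every
static route's next hop is a usable host address on an interface in the same
VRF as the route (anything else is a VRF leak). Assumed values are marked."""
import ipaddress
import re

INTERNET_VRF = "Internet"          # assumption: VRF name from the sample config
EXPECTED_VRF = {1: INTERNET_VRF,   # assumption: bridge-group 1 = provider traffic
                2: None}           # assumption: bridge-group 2 = management (global)

# Constructed, trimmed copy of the article's configuration (descriptions and
# the unaddressed parent interfaces omitted; the linter does not inspect them).
SAMPLE_CONFIG = """\
ip vrf Internet
 rd 100:101
bridge irb
interface GigabitEthernet0/0
 ip vrf forwarding Internet
 ip address 198.18.200.1 255.255.255.252
interface GigabitEthernet0/1.100
 encapsulation dot1Q 100
 bridge-group 1
interface GigabitEthernet0/1.2000
 encapsulation dot1Q 2000
 bridge-group 2
interface GigabitEthernet0/2.100
 encapsulation dot1Q 100
 bridge-group 1
interface GigabitEthernet0/2.2000
 encapsulation dot1Q 2000
 bridge-group 2
interface BVI1
 ip vrf forwarding Internet
 ip address 198.18.10.1 255.255.255.128
interface BVI2
 ip address 192.168.254.1 255.255.255.224
ip route 0.0.0.0 0.0.0.0 192.168.254.31
ip route vrf Internet 0.0.0.0 0.0.0.0 198.18.200.2
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
"""

# Commands that open a new top-level stanza and therefore end an interface block.
# 'ip vrf forwarding' and 'bridge-group' are interface sub-commands, so excluded.
TOP_LEVEL = re.compile(r"^(interface |ip vrf (?!forwarding)|ip route |bridge )")


def parse_ios(text):
    """Return (interfaces, routes, routed_bridges) from IOS config text."""
    interfaces, routes, routed_bridges = {}, [], set()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue                       # blank or comment line
        if TOP_LEVEL.match(line):
            current = None
        if m := re.match(r"interface (\S+)$", line):
            current = m.group(1)
            interfaces[current] = {"vrf": None, "addr": None, "bridge_group": None}
        elif m := re.match(r"ip route(?: vrf (\S+))? (\S+) (\S+) (\S+)$", line):
            routes.append({"vrf": m.group(1), "prefix": m.group(2),
                           "mask": m.group(3), "next_hop": m.group(4)})
        elif m := re.match(r"bridge (\d+) route ip$", line):
            routed_bridges.add(int(m.group(1)))
        elif current is None:
            continue                       # global command we do not model
        elif m := re.match(r"ip vrf forwarding (\S+)$", line):
            interfaces[current]["vrf"] = m.group(1)
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            interfaces[current]["addr"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"bridge-group (\d+)$", line):
            interfaces[current]["bridge_group"] = int(m.group(1))
    return interfaces, routes, routed_bridges


def check_separation(text):
    """Return a list of findings; an empty list means the design holds."""
    interfaces, routes, routed_bridges = parse_ios(text)
    findings = []
    groups = {i["bridge_group"] for i in interfaces.values() if i["bridge_group"]}
    for g in sorted(groups):
        bvi = interfaces.get(f"BVI{g}")
        if bvi is None:
            findings.append(f"bridge-group {g} has no BVI{g}")
        elif bvi["vrf"] != EXPECTED_VRF.get(g):
            findings.append(f"BVI{g} is in vrf {bvi['vrf']!r}, expected {EXPECTED_VRF.get(g)!r}")
        if g not in routed_bridges:
            findings.append(f"bridge {g} is not routed ('bridge {g} route ip' missing)")
    for r in routes:
        nh = ipaddress.ip_address(r["next_hop"])
        owners = [n for n, i in interfaces.items() if i["addr"] and nh in i["addr"].network]
        if not owners:
            findings.append(f"next hop {nh} is not on any configured subnet")
        for n in owners:
            net = interfaces[n]["addr"].network
            if interfaces[n]["vrf"] != r["vrf"]:     # route would exit the wrong table
                findings.append(f"route in vrf {r['vrf']!r} via {nh} exits {n} "
                                f"(vrf {interfaces[n]['vrf']!r}): VRF leak")
            if nh in (net.network_address, net.broadcast_address):
                findings.append(f"next hop {nh} is the network/broadcast address of {net} ({n})")
    return findings


if __name__ == "__main__":
    for finding in check_separation(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Feeding it the output of `show running-config` from the router (after a change window, or from a config backup) gives a quick regression check that the Internet VRF and the global management table have not been cross-connected by a later edit.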
Conclusion
The solution has been working well. A recent switch upgrade was completed without any outage. This was a reasonably simple configuration change that has substantially improved the operation of the network, and the security team were most pleased with the control plane separation.