I have a particular problem where a data center is only providing one single routable IP. We are deploying two 871 routers, which will help us monitor the Linux servers located on the inside (10.10.10.0/24).
Thank you for your help.
Our main goal is monitoring 24/7, and we are assuming that one of the routers might die; when this happens, we will continue monitoring all the Linux servers using the second 871 router.
We are using GLBP on the inside interfaces of the routers and we've given the virtual IP to all internal hosts so they can use it as their default gateway. So far GLBP looks like it is doing its job; however, on the outside, the data center has plugged the outside interfaces of the two routers into their L2 switch. They told us our IP is 126.96.36.199 and our default gateway to the internet is 188.8.131.52.
How do I accomplish redundancy on the outside interfaces, as I can't use HSRP anymore because I have only been given one IP, and I believe I need at least three IPs for HSRP (same for GLBP)?
Any possible ways to get this accomplished?
The network 10.10.10.0/24 will be monitored from another company located miles away, and we will be using an IPsec tunnel to reach the 10.10.10.0 network.
Can I use the only IP that the data center gave us on the outside interface of the two routers, and then put one as standby and the other as active?
I found the same configuration as an example of a MAC spoofing DoS attack on an L2 switch in my security book, CCIE Professional Development Series Network Security Technologies and Solutions.
Here is a definition of the CAM table that I took from CCO.
CAM: All Catalyst switch models use a CAM table for Layer 2 switching. As frames arrive on switch ports, the source MAC addresses are learned and recorded in the CAM table. The port of arrival and the VLAN are both recorded in the table, along with a timestamp. If a MAC address learned on one switch port has moved to a different port, the MAC address and timestamp are recorded for the most recent arrival port. Then, the previous entry is deleted. If a MAC address is found already present in the table for the correct arrival port, only its timestamp is updated.
With respect to your question of why you can get to the remote host but lose connectivity to the routers via telnet: I think it's because you have two valid paths to the internal host with transparent failover, whereas your path to the interface on each router is lost when the CAM table is updated to point to the switchport of the other router. I don't believe it is related to responsiveness of the routers.
What I don't understand is why your ISP cannot give you a /29 to resolve all of this. Your need for additional addresses is a critical business requirement. If it is a cost issue, you could explain to your management that the benefit of deploying two 871s is lost if you cannot obtain enough public addresses to support a failover design.
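The CAM table behaviour quoted above, and the flapping the reply describes when two routers present the same outside address on one L2 switch, as an added illustration that is not part of the original thread. The switch model, port numbers and MAC addresses are constructed for the demo and are not from the poster's network; the point it shows is that once the gateway learns the shared MAC on one port, the next frame from the other router moves the entry, and any in-flight session to the first router (the telnet session in the question) is delivered to the wrong router from then on. This is also exactly the mechanism behind the MAC spoofing DoS the book describes: whoever sends last with a given source MAC receives that MAC's traffic.

```python
"""Catalyst-style CAM table simulation: source-MAC learning per (MAC, VLAN),
entry move on a new arrival port, timestamp refresh on the same port.
Added example for this thread; switch model, ports and MACs are constructed."""

import time
from dataclasses import dataclass


@dataclass
class Frame:
    src: str          # source MAC
    dst: str          # destination MAC
    vlan: int = 1


class CamTable:
    """(mac, vlan) -> (port, timestamp); forwards unicast by destination MAC."""

    def __init__(self):
        self.entries = {}
        self.moves = []   # (mac, old_port, new_port) each time an entry moves

    def learn(self, frame, arrival_port, now=None):
        now = time.monotonic() if now is None else now
        key = (frame.src, frame.vlan)
        old = self.entries.get(key)
        if old is not None and old[0] != arrival_port:
            # MAC seen on a different port: record the move, old entry is replaced
            self.moves.append((frame.src, old[0], arrival_port))
        # same port -> only the timestamp is refreshed; new port -> entry rewritten
        self.entries[key] = (arrival_port, now)

    def lookup(self, mac, vlan=1):
        entry = self.entries.get((mac, vlan))
        return None if entry is None else entry[0]

    def switch(self, frame, arrival_port, now=None):
        """Learn the source MAC, then return the egress port ('flood' if unknown)."""
        self.learn(frame, arrival_port, now)
        port = self.lookup(frame.dst, frame.vlan)
        return "flood" if port is None else port


# Constructed topology: routers A and B on ports 1 and 2, ISP gateway on port 3.
ROUTER_A_PORT, ROUTER_B_PORT, ISP_PORT = 1, 2, 3
GW_MAC = "00:00:5e:00:53:fe"        # constructed ISP gateway MAC
SHARED_MAC = "00:00:5e:00:53:01"    # constructed MAC both routers use outside
ROUTER_A_MAC = "00:00:5e:00:53:0a"  # constructed, for the unique-MAC comparison
ROUTER_B_MAC = "00:00:5e:00:53:0b"


def simulate_shared_outside_mac():
    """Both routers source frames from SHARED_MAC; return where the gateway's
    replies land after each step and the CAM moves that caused it."""
    cam = CamTable()
    deliveries = []
    # 1. Router A talks to the gateway (say, the IPsec tunnel): MAC learned on port 1.
    cam.switch(Frame(SHARED_MAC, GW_MAC), ROUTER_A_PORT, now=0)
    # 2. Gateway replies (telnet session to router A): delivered to port 1.
    deliveries.append(cam.switch(Frame(GW_MAC, SHARED_MAC), ISP_PORT, now=1))
    # 3. Router B sends anything with the same source MAC: entry moves to port 2.
    cam.switch(Frame(SHARED_MAC, GW_MAC), ROUTER_B_PORT, now=2)
    # 4. Next packet of the same telnet session now lands on router B and is dropped there.
    deliveries.append(cam.switch(Frame(GW_MAC, SHARED_MAC), ISP_PORT, now=3))
    return {"deliveries": deliveries, "moves": cam.moves}


def simulate_unique_outside_macs():
    """Same traffic pattern with a distinct MAC per router: no moves, stable paths."""
    cam = CamTable()
    deliveries = []
    cam.switch(Frame(ROUTER_A_MAC, GW_MAC), ROUTER_A_PORT, now=0)
    deliveries.append(cam.switch(Frame(GW_MAC, ROUTER_A_MAC), ISP_PORT, now=1))
    cam.switch(Frame(ROUTER_B_MAC, GW_MAC), ROUTER_B_PORT, now=2)
    deliveries.append(cam.switch(Frame(GW_MAC, ROUTER_A_MAC), ISP_PORT, now=3))
    return {"deliveries": deliveries, "moves": cam.moves}


if __name__ == "__main__":
    print("shared MAC :", simulate_shared_outside_mac())
    print("unique MACs:", simulate_unique_outside_macs())
```

Run with a real first-hop protocol (HSRP/GLBP) each router keeps its own interface MAC and address, so the switch never sees a move; only the virtual MAC follows the active router, and it does so on purpose, at failover. That is the case `simulate_unique_outside_macs` models, and it is why the reply's suggestion of a small block such as a /29 fixes the problem rather than any tuning on the routers.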