Implementing HSRP in a multi-VRF environment

Answered Question
Jan 4th, 2014

Hi Folks,


I am new to VRF Lite but have recently implemented multiple VRFs on a single CPE (Customer Premises Equipment) router.


I have also implemented a two-CPE redundancy using Cisco HSRP protocol but with a single VRF.


Now, I would like to expand my design by using HSRP with multiple VRFs. The problem here isn't the VRF implementation, but how to implement HSRP with multiple VRFs.  The scope of this query is on the Customer Premises Equipment (CPE).


Thanks.


Gbehode

Rolf Fischer Sat, 01/04/2014 - 02:26

Hi,


I'm not sure if I understand the question correctly.

When using different VRFs, the only difference in the configuration is that the layer-3 interfaces have to be assigned to the corresponding VRF. The scope of the HSRP hellos is the local subnet, so the hellos will be assigned to the VRF of the receiving (sub-)interface/SVI. For the sake of consistency you could use different HSRP groups (affect the virtual MAC address).

An example:


CE1:

interface FastEthernet0/0
 ! global routing context
 ip address 192.168.1.2 255.255.255.0
 standby 1 ip 192.168.1.1
 standby 1 preempt
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip vrf forwarding VRF-2
 ip address 192.168.2.2 255.255.255.0
 standby 2 ip 192.168.2.1
 standby 2 preempt
!
interface FastEthernet0/0.3
 encapsulation dot1Q 3
 ip vrf forwarding VRF-3
 ip address 192.168.3.2 255.255.255.0
 standby 3 ip 192.168.3.1
 standby 3 preempt


CE2:

interface FastEthernet0/0
 ip address 192.168.1.3 255.255.255.0
 standby 1 ip 192.168.1.1
 standby 1 priority 90
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip vrf forwarding VRF-2
 ip address 192.168.2.3 255.255.255.0
 standby 2 ip 192.168.2.1
 standby 2 priority 90
!
interface FastEthernet0/0.3
 encapsulation dot1Q 3
 ip vrf forwarding VRF-3
 ip address 192.168.3.3 255.255.255.0
 standby 3 ip 192.168.3.1
 standby 3 priority 90


CE1#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active          Standby         Virtual IP
Fa0/0       1   100  P Active   local           192.168.1.3     192.168.1.1
Fa0/0.2     2   100  P Active   local           192.168.2.3     192.168.2.1
Fa0/0.3     3   100  P Active   local           192.168.3.3     192.168.3.1


CE1#show ip vrf interfaces
Interface              IP-Address      VRF                              Protocol
Fa0/0.2                192.168.2.2     VRF-2                            up
Fa0/0.3                192.168.3.2     VRF-3                            up



HTH

Rolf

richardkoudry Sat, 01/04/2014 - 03:57

Hi Rolf,


This does help. Thanks for the sample config that I am going to try on GNS3.


I guess the concept is not to use the same HSRP group. I also see that you have used different LAN subnets, which is what needs to be done traditionally. As you know, in a VRF environment, it is possible to re-use the same subnet/IP so long as they belong to different VRFs.


Just playing devil's advocate, but if the scenario is to use the same LAN subnet for multiple VRFs, will it be technically possible to use the same HSRP VIP for the various HSRP groups under different VRFs? I don't know why anyone would want to do something like this but I am trying to think ahead in case my customer has only one LAN subnet that they are intending to use for all VRFs. The ideal situation would be to break the LAN subnet down into various chunks, but you never know.


thanks.


Gbehode

Correct Answer
Rolf Fischer Sat, 01/04/2014 - 04:28

Just playing devil's advocate, but if the scenario is to use the same LAN subnet for multiple VRFs, will it be technically possible to use the same HSRP VIP for the various HSRP groups under different VRFs?



As a given IP subnet can (locally) only belong to exactly one VRF (or the global context), those subnets have to be distinguished somehow on common links, e.g. by VLAN-tags on trunk links. The (non-default VLAN) HSRP messages then are tagged too, so their membership is clear, even if you use the same IP addresses multiple times (in different VRFs).


HTH

Rolf
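
An offline check of the rule in the answer above, added here as an example (not code from the thread or from Cisco): it parses planned sub-interface stanzas and reports overlapping subnets that are not kept apart by both a VRF and a dot1Q tag on the shared link, plus any HSRP VIP outside its interface subnet. The 192.168.10.0/24 sample and the names `parse` and `audit` are assumptions, and only one HSRP group per interface is handled.

```python
import ipaddress
import re

# Constructed sample: same subnet, group and VIP in two VRFs, split by dot1Q tags.
SAMPLE = """\
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip vrf forwarding VRF-2
 ip address 192.168.10.2 255.255.255.0
 standby 1 ip 192.168.10.1
interface FastEthernet0/0.3
 encapsulation dot1Q 3
 ip vrf forwarding VRF-3
 ip address 192.168.10.2 255.255.255.0
 standby 1 ip 192.168.10.1
"""

PATTERNS = {"vlan": r"encapsulation dot1Q (\d+)",
            "vrf": r"ip vrf forwarding (\S+)",
            "addr": r"ip address (\S+ \S+)",
            "vip": r"standby \d+ ip (\S+)"}  # one HSRP group per interface

def parse(config):
    """Return one dict per interface stanza that carries an IP address."""
    stanzas = []
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            stanzas.append({"name": line.split()[1], "vrf": "global", "vlan": None})
        for key, pattern in PATTERNS.items():
            m = re.fullmatch(pattern, line)
            if m and stanzas:
                stanzas[-1][key] = m[1]
    routed = [s for s in stanzas if "addr" in s]
    for s in routed:  # "address mask" -> network object
        s["net"] = ipaddress.ip_interface(s["addr"].replace(" ", "/")).network
    return routed

def audit(config):
    """List VIPs outside their subnet and overlaps not split by VRF and tag."""
    ifs, out = parse(config), []
    for s in ifs:
        if "vip" in s and ipaddress.ip_address(s["vip"]) not in s["net"]:
            out.append(f"{s['name']}: VIP {s['vip']} not in {s['net']}")
    for n, a in enumerate(ifs):
        for b in ifs[n + 1:]:
            same_link = a["name"].split(".")[0] == b["name"].split(".")[0]
            if a["net"].overlaps(b["net"]) and (
                    a["vrf"] == b["vrf"] or (same_link and a["vlan"] == b["vlan"])):
                out.append(f"{a['name']} / {b['name']}: {a['net']} not separated")
    return out
```

`audit(SAMPLE)` returns an empty list for the overlapping-subnet design discussed here; moving both sub-interfaces into one VRF or onto one tag produces a finding.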

richardkoudry Tue, 01/07/2014 - 03:03

Hi Rolf,


I have built a GNS3 model based on a different LAN subnet per VRF and having an HSRP group per VRF. This appears to be working correctly, at least from an HSRP point of view.


I am going to modify the GNS3 model to use the same LAN subnet to see if and how it works. I don't see a problem since each LAN sub-interface will have a different VLAN tag and will be encapsulated / shielded in a separate VRF. I will post further updates on this.


The other challenge is to get this to work with dynamic routing protocols like OSPF or BGP, but that is a totally different subject.


Thanks.


Gbehode

richardkoudry Tue, 01/21/2014 - 01:58

Hi Rolf,


Just to sum up this query ...


The Multiple HSRP (M-HSRP) can be used in a multi-VRF environment to achieve redundancy on the CPE side. I have tested this with different LAN subnets and the same LAN subnets with the help of VRF. This works fine.


thanks.
