I've been doing a lot of reading on the forums and I can't seem to find exactly what I'm looking for.
We have a few situations where we have a single router that we want to make as highly available as possible. Due to connection limitations each device has the requirement that it is the only device that can have the outgoing connection. (It can be many different things.) We'll assume all the devices have two onboard ethernet ports.
Given those requirements it seems to me the best bet would be to utilize both ports and have them connected to different switches. The best way that I can see would be an etherchannel but that means the switches would have to be stacked or connected to a chassis based switch and that is not an option.
The second best option to me seems to be bridging the interfaces and let spanning tree do the work. I've seen posts that say this should not be used moving forward but to me it seems much nicer than having a bunch of very small networks and doing it at Layer 3.
I'm looking for some thoughts on this. If bridging shouldn't be used then why shouldn't it?
To understand, or not to understand your requirements, that is the question...
You've been very cryptic about your requirements, which makes it very difficult to assist you.
If you are seeking to isolate the devices at Layer 2, then take a look at Private VLANs.
If not, then you may wait for someone more insightful than me, or consider re-phrasing your requirements.
Sorry about that, I wasn't meaning to be cryptic, I just didn't want anyone to get caught up in the details.
Basically, we're going to be deploying a few 2800 series routers where we don't have the ability to put two in. If we could do that, it would be pretty easy. We just want to make sure that if a switch fails the router will stay active. We also want to do the same thing with a few VG224's.
I still am not sure that we have a good understanding of your requirements. But what you are describing would seem to be suited for Integrated Routing and Bridging. In IRB you configure bridging on both of the router Ethernet interfaces (no IP address on the physical interface), and you configure a virtual interface (BVI) which gets the IP address and is the gateway between the bridged environment and the routed environment. The router would have a single IP address shared by both Ethernet interfaces, all LAN devices would be in the same subnet and in the same broadcast domain. One router interface would be active and the other would be inactive due to Spanning Tree. If the active interface fails then Spanning Tree will allow the other interface to become active. The speed of failover in the interfaces will be controlled by the timers in Spanning Tree.
Most of us are not fond of solutions like this and would rather find some other solution. But based on how you describe your requirements then IRB may work for you.
Thank you for the response. I understand how to setup bridging, but my question is more of "what is the best option." Like you said, a lot of people aren't fond of this solution. I hear that, but no one has ever really said why. I've seen cases where two or three people will recoming irb but then someone else will say it isn't a good idea. I want to deploy these in the best way possible. I haven't really understood many of the layer 3 configs I've seen but there haven't been many suggested that I could find.
The VG224 is a good example. I would like it to exist in our Voice VLAN but I can't think of any way for this to work between switches other than irb. If someone had another solution, I would love to hear it.
Another solution that comes to mind, since you mention using 2800s, would be usage of one of the various Ethernet modules with a SVI. Logically, very much the same spanning the local VLAN approach but with "hardware" rather than with IRB's "software". However, beside the additional cost of the Ethernet module, don't see where it really offers much additional benefit beyond the additional ports which contribute little considering the performance of a 2800.
As to why many are so reluctant with the IRB solution, it might be because it seems a L2 solution when using a L3 device. (E.g. "But it's bridging when you should be routing.") However, assuming the Ethernet module with SVI is acceptable to most engineers to avoid the router having a connection to one single point of failure switch, I don't see why the IRB approach should be shunned. Besides hoping for someone to offer another solution, one might ask those uncomfortable with the idea, what is your specific concern against using IRB for this type of solution?
Joseph may have a point that some of our reaction is the "why bridge on a router" issue (and I admit that I believe that a router port is a pretty expensive way to do bridging). But I think that there is more to it than just that. For one thing with IRB the convergence when there is a failure is at the speed of Spanning Tree timers and is way slower than the convergence with modern routing protocols. Also it reflects aversion to asking the router to learn and track MAC addresses and to do layer 2 forwarding, which are functions that are performed more efficiently on a switch.
But let me say that while I can produce several viewpoints in which routing is better than bridging, when there is not much routing to do at the remote site, then IRB may be an acceptable solution.
While our understanding of the environment and of the requirements is quite incomplete, I have gone back to the original post and thought about your request that the router be as highly available as possible. I would suggest this as a more optimum solution then IRB (assuming that the switches are capable of it):
- configure several vlans on each switch and assign ports to vlans as appropriate.
- configure trunks between the switches to carry traffic for all vlans.
- assuming that the switches are layer 3 switches, configure inter-vlan routing on each switch (and possibly configure HSRP on the switch SVIs).
- configure a port on each switch as a routed port to a router interface and run a routing protocol over these routed links.
This would be a solution that would converge more quickly and efficiently and would deal with various failure modes more effectively than IRB would do.
If that solution is not possible (it is dependent on the switches being layer 3 capable switches) then I like the suggestion from Joseph of putting an Ethernet module in the 2800. You might be able to trunk from each switch to the Ethernet module or perhaps to have access ports in the Ethernet module connect to each switch for each vlan.
So basically the requirement is for 1 router (voice gateway) to be connected to 2 different swithes?
Why not keep is simple and use the command "backup interface"?
Just configure Fa0/0 and Fa0/1 completly alike, and then issue the command "backup interface FastEthernet0/1" on Fa0/0. Now connect Fa0/1 to the backup switch.
To verify write "sh backup".
Thank you for the idea but it wouldn't work with the vg224 and I'd like to be able to keep the configuration the same as much as possible.
I've seen suggestions like this before but I have always been unsure how to implement it. It seems like it would be very messy to do it like that but I don't really know.
That worked great for the router! It switched over much faster than the bridge interface did. The VG224 doesn't seem to support that command... bummer!
Well I knew it would work on the router.
But that it didn't work on the VG224 made me think, why does the VG224 come with 2 Ethernet interfaces if you can only use one?
The way I understand the VG224 is that it works like a router, meaning the intefaces are layer 3 interfaces not layer 2 ports, right?
That is correct, they are layer 3 interfaces. I was really exited until I went to enter the command and got an error!
The vg224 did take the bridge commands.
If I have to have a seperate config for devices that is fine. The backup interface command has worked very well so far!