Got it
Huawei Enterprise Support Community
Community Forums Security
Conserve public IPv4 addr...

Conserve public IPv4 address space in gateway failover (VRRP without interface I

Latest reply: Aug 3, 2016 08:18:49 2675 3 0 0 0
View the author 1#

Are there some tricks to achieve redundancy without wasting two extra public IP addresses with VRRP? (Gateway needs to be on USG)

I've tried to trick VRRP by assigning interface IP address from private IP address pool and public service IP address as VRRP virtual IP address.

While that actually may work, the problem is that the route is not propagated into OSPF no matter what I do (I tried to define NULL route for that subnet).

Other vendors have the ability to define only VRRP virtual IP address without interface IP address. Does Huawei USG have anything similar?

197.92.144.0/30 is only example, not realted public ip address space.

Here is experimental configuration (that doesn't propagate the interface subnet route to OSPF process) - OSPF is working well for every other "normally configured" subnet.

interface Eth-Trunk0.5
 vlan-type dot1q 500
 alias vlan500
 ip address 10.255.144.1 255.255.255.252
 vrrp vrid 5 virtual-ip 197.92.144.1 255.255.255.252 active

ip route-static 197.92.144.0 255.255.255.252 NULL 0

ospf 1 router-id 10.200.0.21
  import-route static cost 1 type 2
  bandwidth-reference 80000
.. output ommited ..
  area 0.0.0.0
     network 197.92.144.0 0.0.0.3
    .. output ommited ..

Topology:

Conserve public IPv4 address space in gateway failover (VRRP without interface I-1043335-1

Like (0) Dislike (0) Favorite(0) Share Report
Previous: How to change username and password in Standby firewall?
Next: AntiDDoS Identifying Fault Information
(0) (0)
2#
user_2790689
Created Jan 22, 2016 07:33:39

Waiting for expert to slove this problme.
View more
  • x
  • convention:
(0) (0)
3#
0x516E
Created Mar 4, 2016 05:47:49

for inbound direction, configure private addresses for real address, and the only one public address for virtual address.

for outbound direction, configure nat address-group and nat policy to apply this nat address-group as the translated address, ensure the source addresses translate to public address. (do not use easy-ip or it will be  translated to private address) 

if you have any other questions pls let me know.
View more
  • x
  • convention:
(0) (0)
4#
mgrabar
Created Jul 29, 2016 22:49:11

Reply 3 #

Nice idea, I think it's the only working and valid solution since my idea of VRRP implementation is a bit out of standard VRRP specification.
Some vendors allows to run VRRP without physical IP address with only virtual one (like Vyatta) or to do messy stuff like using one subnet for physical addresses and then another subnet for virtual address (Mikrotik) 

Only problem with NAT here is complexty - easy to setup but difficult to trobuleshoot.

I cannot run stuff in production that noone later will understand :)

Thanks for posting your solution, I consider this issue closed.

Keep up the good work!
View more
  • x
  • convention:
Back to list

Comment

Advanced
B Color Image Link Quote Code Smilies
You need to log in to comment to the post Login | Register
Comment

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " User Agreement."

My Followers

Login and enjoy all the member benefits

Login
Huawei Website Support About Huawei Privacy User Agreement Terms of Use Cookies Cookie Settings
Huawei Enterprise Huawei Carrier Forum Training & Certification

Contact Us: e_online@huawei.com Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved.

APP

Block
Are you sure to block this user?
Users on your blacklist cannot comment on your post,cannot mention you, cannot send you private messages.
Reminder
Please bind your phone number to obtain invitation bonus.