HSRP on multilayer switches
I have a gigabit MAN connection between two buildings that acts like an
ethernet bridge. Connected to each end of this gigaman are Catalyst
3750's. Hanging off the catalysts are a primary Host (AS/400) and a
"High Availability" host which journals off the primary (one host at
each physical location). With the MAN connection, these hosts appear
on the same ethernet segment, so we can swap a virtual IP between the
two hosts, making rollovers very easy.

Also connected to each catalyst is a checkpoint firewall which serves
as the gateway device to the rest of our networks and the Internet.

So, simplified ascii connection diagram (not sure if this helps):

[LAN1]<->[Firewall1]<->[3750 #1]<-MAN->[3750 #2]<->[Firewall2]<->[LAN2]

Host1 is connected to 3750 #1, and host2 is connected to 3750 #2.

The default gateway of each host is currently the interface on FW1.
This works great for LAN1, but breaks for LAN2. Explanation:

A SYN packet comes from LAN2 destined for host1 and is evaluated by FW2,
which allows the connection to host1. The SYN-ACK for LAN2 is sent out
the default gateway, which is FW1. FW1 never saw the initial SYN, so it
drops the connection as "out of state".

In the current situation, the problem is easily solved by putting
static routes to LAN2 on each of the hosts.

However, now, we want to add some redundant WAN links to both
facilities. Preferably with automatic failover using a routing
protocol (probably OSPF). This means the static routes on the hosts
are no longer sufficient.

The hosts don't run OSPF, though they can run RIPv2 and we could
redistribute the routes.

Alternatively, we believe we could put two routers next to the hosts
that participate in the OSPF area and run HSRP to share an IP. That
VIP could be the default gateway for the hosts. Then, the syn-ack will
go to one of those routers which will forward it along to the
appropriate firewall.

So then we go one step further, and realize those are multilayer
switches. Can we have both switches run OSPF and still use HSRP?

Is this possible?
Can you think of a better solution?

Thanks,
Fred
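As an added illustration (not part of Fred's post, and not a configuration from his site), this is roughly what the proposed design looks like as Cisco IOS configuration on the two 3750s: both run OSPF on the host SVI and share an HSRP VIP that the hosts use as their default gateway, so a SYN-ACK from host1 towards LAN2 is routed by the active switch to the firewall that saw the SYN. The VLAN number, addresses, OSPF area, interface name and key string are assumed placeholders; the route to LAN1/LAN2 must reach the switches from OSPF (firewalls advertising their LANs) or from a static route, which is not shown.

```cisco
! ---- 3750 #1 (constructed example values throughout) ----
! SVI routing on a 3750 requires ip routing to be enabled.
ip routing
!
interface Vlan100
 description Host VLAN, bridged across the MAN to 3750 #2
 ip address 10.1.100.2 255.255.255.0
 ! VIP 10.1.100.1 is the hosts' default gateway; group 1 is shared with 3750 #2.
 standby 1 ip 10.1.100.1
 standby 1 priority 110
 standby 1 preempt
 ! Authenticate HSRP hellos so a rogue host on the VLAN cannot claim the VIP.
 standby 1 authentication md5 key-string REPLACE-WITH-SHARED-KEY
 ! Demote this switch if its MAN uplink fails (interface name assumed).
 standby 1 track GigabitEthernet1/0/1 20
!
router ospf 1
 router-id 10.1.100.2
 ! The two switches become OSPF neighbours over the host VLAN across the MAN.
 network 10.1.100.0 0.0.0.255 area 0
 ! Routes to LAN1 / LAN2 (and later the redundant WAN links) arrive via OSPF
 ! from the firewalls, or as static routes here; not shown.
!
! ---- 3750 #2: identical apart from its own addresses and a lower priority ----
ip routing
!
interface Vlan100
 description Host VLAN, bridged across the MAN to 3750 #1
 ip address 10.1.100.3 255.255.255.0
 standby 1 ip 10.1.100.1
 standby 1 priority 100
 standby 1 preempt
 standby 1 authentication md5 key-string REPLACE-WITH-SHARED-KEY
 standby 1 track GigabitEthernet1/0/1 20
!
router ospf 1
 router-id 10.1.100.3
 network 10.1.100.0 0.0.0.255 area 0
!
! Verification on either switch:
!   show standby brief      -> one switch Active, the other Standby for 10.1.100.1
!   show ip ospf neighbor   -> the peer switch (and any OSPF-speaking firewall) FULL
```

One caveat worth checking in a design like this: if the MAN link itself fails, the HSRP hellos stop crossing it and both switches go Active for the same VIP, each serving its local host; that is usually acceptable here, but it should be expected rather than discovered.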



