Re: handling hsrp connections from isp
- From: Trendkill <jpmason@xxxxxxxxx>
- Date: Tue, 19 Jun 2007 11:19:28 -0000
On Jun 18, 9:45 pm, molson8472 <mo8...@xxxxxxxxx> wrote:
> Hi,
> I'm setting up a new colocation cabinet, and am trying to implement a
> redundant network architecture. If you wouldn't mind taking a look to
> see if I'm on the right track:
> (1) 2 fast ethernet connections from ISP, each connected to a separate
> router, with HSRP failover configured between them. (This is a
> multihomed mix of several upstream providers.)
> (2) An unmanaged fast ethernet switch for the two ISP connections, and
> one connection to each of the firewalls.
> (3) Two Cisco ASA 5510 firewalls, with a direct failover link
> (crossover cable) between them, connected to the front-end switch on
> the outside interfaces, and to internal switches on the internal
> interfaces. Each inside interface is connected to one of the internal
> switches.
> (4) Two HP Procurve 2824 switches. Each one is connected to exactly
> one of the firewalls. They also have an 802.1Q trunk connection
> between them. I'll configure several VLANs to connect to these
> switches. The switches run STP to eliminate loops.
> (5) About 12 servers, each with redundant NICs. Each NIC is connected
> to one of the Procurve switches.
> Failure modes:
> -- Server NIC or single port on the Procurve fails: STP on the
> Procurves recalculates the tree and the other connection takes over.
> -- One of the Procurves fails: The connected firewall will detect a
> failure and failover to the backup unit. The other Procurve will use
> STP to recalculate the tree and the servers will remain connected via
> their secondary NICs.
> -- One of the firewalls fails: Failover will be initiated and the
> backup firewall will take over. STP will recalculate the tree and
> traffic can still flow through the backup firewall.
> -- The front-end switch fails: I'm hosed. This is the piece I need
> help with. Is it possible to introduce redundancy here? What is the
> proper way to aggregate these two connections given that only one of
> them is active at any given time?
> -- One of the ISPs' routers fails: HSRP will kick in and I'll retain
> connectivity through the second drop.
> Networking is not my specialty, so I'd appreciate your guidance /
> feedback.
> Thanks,
> Matt
Because you only have unmanaged switches for your ISP and firewall
connections, that is definitely a single point of failure. For true
redundancy here, you need each router (to your ISP) dual homed to a
pair of switches, which then go to the firewalls, which then go back
to the internal core of your network (again at least a pair, and
servers will be dual homed to both). Also, are you seeking load
balancing when everything is working, or does this not matter at this
time? If that is the case, you'll need to think through load
balancing options (at least for traffic going external). Load
balancing traffic back in is a whole different game as it requires
working closely with both providers, but for external traffic you can
run dynamic routing protocols or have matching static routes; your
firewalls may introduce additional complexity depending on how they
are being used.
Also, yes, HSRP will work for outgoing traffic, but you want to make
sure that both providers or connections are advertising your
external IP ranges into BGP, or a downed internet router may still
result in an outage (traffic can get out, but not back in).
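Worked example added here (not from the thread): a small Python model of the cabinet described above that finds which single device cuts every server off from an ISP router still advertising the prefix, so the single front-end switch and a non-advertising provider both show up as single points of failure. Device names, the 12-server count and the ASA-to-switch wiring in the two-switch variant are assumptions.

```python
from collections import deque

# Constructed model of the poster's cabinet (added example, not from the post).
def build_topology(front_end_switches):
    """front_end_switches=1 reproduces the single unmanaged switch; 2 dual-homes
    each ISP router to a switch pair, with one ASA outside port per switch."""
    fes = [f"fe-sw{i}" for i in range(1, front_end_switches + 1)]
    edges = [(rtr, sw) for rtr in ("isp-rtr-a", "isp-rtr-b") for sw in fes]
    edges += [(f"asa{i}", fes[(i - 1) % len(fes)]) for i in (1, 2)]  # assumed wiring
    edges += [("asa1", "procurve1"), ("asa2", "procurve2"),
              ("procurve1", "procurve2")]          # 802.1Q trunk between cores
    for n in range(1, 13):                         # 12 dual-NIC servers (assumed)
        edges += [(f"srv{n}", "procurve1"), (f"srv{n}", "procurve2")]
    return edges

def reachable(edges, sources, removed=None):
    """Nodes reachable from `sources` with device `removed` taken offline."""
    adj = {}
    for a, b in edges:
        if removed not in (a, b):
            adj.setdefault(a, set()).add(b)
            adj.setdefault(b, set()).add(a)
    seen = {s for s in sources if s != removed}
    queue = deque(seen)
    while queue:
        for m in adj.get(queue.popleft(), ()):
            if m not in seen:
                seen.add(m)
                queue.append(m)
    return seen

def single_points_of_failure(edges, advertising_routers):
    """Devices whose loss leaves some server unreachable from every ISP router
    that still advertises the prefix into BGP (no return path for inbound)."""
    nodes = {n for e in edges for n in e}
    servers = {n for n in nodes if n.startswith("srv")}
    return [dev for dev in sorted(nodes - servers)
            if not servers <= reachable(edges, advertising_routers, removed=dev)]

if __name__ == "__main__":
    both = {"isp-rtr-a", "isp-rtr-b"}
    print(single_points_of_failure(build_topology(1), both))          # ['fe-sw1']
    print(single_points_of_failure(build_topology(2), both))          # []
    print(single_points_of_failure(build_topology(2), {"isp-rtr-a"})) # ['isp-rtr-a']
```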