Re: handling hsrp connections from isp



On Jun 19, 2:54 pm, molson8472 <mo8...@xxxxxxxxx> wrote:
On Jun 19, 4:19 am, Trendkill <jpma...@xxxxxxxxx> wrote:

Because you only have unmanaged switches for your ISP and Firewall
connections, that is definitely a single point of failure. For true
redundancy here, you need each router (to your ISP) dual homed to a
pair of switches, which then go to the firewalls, which then go back
to your internal core of your network (again at least a pair, and
servers will be dual homed to both). Also, are you seeking load
balancing when everything is working, or this does not matter at this
time? If that is the case, you'll need to think through load
balancing options (at least for traffic going external). Load
Balancing traffic back in is a whole different game as it requires
working closely with both providers, but for external, you can run
dynamic routing protocols, have matching static routes, but your
firewalls may introduce additional complexity depending on how they
are being used.

Also, yes HSRP will work for outgoing traffic, but you want to make
sure that both providers or connections are both advertising your
external IP ranges into BGP, or a downed internet router may still
result in an outage (traffic can get out, but not back in).

I've got two connections to the same ISP (connected to two of their
routers), with HSRP running on their routers. And yes, they are
advertising my IPs with BGP further out into the core.

Load balancing across connections is not a concern here -- I am just
looking for redundancy and no single points of failure.

I think that with the combination of the ASA failover mechanism, STP
on the interior switches, and dual homing of the servers to separate
switches, I have full redundancy and automatic failover for the
firewalls and everything inside the firewalls.

But the question is dealing with the two HSRP connections from the
ISP. If I put two switches outside the firewalls, and connect each of
the ISP connections to one, and connect them to each other, I think
I'd be OK. In the case of one of the outside switches failing, the ISP
routers should detect the failure because they will no longer be able
to send HSRP messages on the local segment, triggering an HSRP
failover. At the same time, my primary firewall should detect a
failure and failover to the secondary firewall since it will be
connected to the second ISP connection. Does that sound right?

I've posted a diagram just to be as clear as possible. Please poke as
many holes as you can in this setup and let me know if I'm on the
right track for full redundancy and no single points of failure (aside
from my upstream ISP). I'd like to find out now before buying a bunch
of equipment. :) http://rubycloud.com/images/network.jpg

Thanks,
Matt

You mentioned:

In the case of one of the outside switches failing, the ISP
routers should detect the failure because they will no longer be able
to send HSRP messages on the local segment, triggering an HSRP
failover. At the same time, my primary firewall should detect a
failure and failover to the secondary firewall since it will be
connected to the second ISP connection. Does that sound right?

So if the ISP has 2 routers, and they simply plug into your switches,
then I don't see a technical reason that you need to run STP. I don't
see a loop formed in any case. So, unmanaged switches should work.
On the other hand, managed switches are probably important to you, if
you want to poll these switches via an NMS system to detect failures,
etc. So if 1 switch dies, and you don't know about it, you now have a
single point of failure!

STP is required for each VLAN on your internal switches. I'd set the
stp root to be the left hand switches (as well as HSRP active).

-Dan
http://ccie-lounge.blogspot.com
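Matt asked for holes to be poked in the design, and Dan's point is that a switch that dies unnoticed silently turns a redundant design into one with a single point of failure. The following is an added example, not code from either poster: it models the topology as described in the thread (two HSRP ISP routers, two interconnected outside switches, an ASA active/standby pair, two interconnected inside switches, a dual-homed server; the linked diagram is not part of this text, so the node names and links are assumptions) and mechanically checks two things: which nodes are single points of failure, and which unmonitored nodes would, after a silent failure, leave the network one more failure away from an outage. A second constructed topology with the single unmanaged outside switch shows the difference.

```python
from collections import deque

# Constructed topology, reconstructed from the thread's description (node
# names are assumed). Links are listed once; undirected() makes them symmetric.
REDUNDANT = {
    "isp-core":      {"isp-rtr1", "isp-rtr2"},   # ISP's two HSRP routers
    "isp-rtr1":      {"out-sw1"},
    "isp-rtr2":      {"out-sw2"},
    "out-sw1":       {"out-sw2", "asa-primary"}, # outside switches cross-linked
    "out-sw2":       {"asa-secondary"},
    "asa-primary":   {"in-sw1"},                 # ASA failover pair
    "asa-secondary": {"in-sw2"},
    "in-sw1":        {"in-sw2", "server"},       # inside switches cross-linked
    "in-sw2":        {"server"},                 # server dual-homed
}

# Same design with the single unmanaged outside switch the thread warns about.
SINGLE_SWITCH = {
    "isp-core":      {"isp-rtr1", "isp-rtr2"},
    "isp-rtr1":      {"out-sw"},
    "isp-rtr2":      {"out-sw"},
    "out-sw":        {"asa-primary", "asa-secondary"},
    "asa-primary":   {"in-sw1"},
    "asa-secondary": {"in-sw2"},
    "in-sw1":        {"in-sw2", "server"},
    "in-sw2":        {"server"},
}


def undirected(links):
    """Expand a one-sided link listing into a symmetric adjacency map."""
    graph = {}
    for a, peers in links.items():
        for b in peers:
            graph.setdefault(a, set()).add(b)
            graph.setdefault(b, set()).add(a)
    return graph


def reachable(graph, src, dst, failed=frozenset()):
    """Breadth-first search from src to dst, treating nodes in `failed` as gone."""
    if src in failed or dst in failed:
        return False
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in graph[node] - seen:
            if nxt not in failed:
                seen.add(nxt)
                queue.append(nxt)
    return False


def single_points_of_failure(links, src, dst, already_failed=frozenset()):
    """Nodes whose individual failure (on top of already_failed) cuts src from dst."""
    graph = undirected(links)
    candidates = set(graph) - {src, dst} - set(already_failed)
    return {n for n in candidates
            if not reachable(graph, src, dst, frozenset(already_failed) | {n})}


def latent_spofs(links, src, dst, monitored):
    """Dan's scenario: for each node nobody polls, the SPOFs that exist once it
    has failed silently. An empty result means every device is watched."""
    graph = undirected(links)
    result = {}
    for node in sorted(set(graph) - {src, dst} - set(monitored)):
        spofs = single_points_of_failure(links, src, dst, frozenset({node}))
        if spofs:
            result[node] = spofs
    return result


if __name__ == "__main__":
    print("redundant design SPOFs:", single_points_of_failure(REDUNDANT, "isp-core", "server"))
    print("single-switch SPOFs:   ", single_points_of_failure(SINGLE_SWITCH, "isp-core", "server"))
    # Unmanaged outside switches cannot be polled, so they are left unmonitored here.
    watched = {"isp-rtr1", "isp-rtr2", "asa-primary", "asa-secondary", "in-sw1", "in-sw2"}
    for node, spofs in latent_spofs(REDUNDANT, "isp-core", "server", watched).items():
        print(f"if {node} dies unnoticed, new SPOFs: {sorted(spofs)}")
```

The redundant design reports no single point of failure, the single-switch design reports the outside switch, and with the outside switches unmonitored the script shows that a silent loss of either one leaves four devices as new single points of failure, which is exactly why Dan wants those switches managed and polled.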
