Re: handling hsrp connections from isp
- From: Vincent C Jones <v.jones@xxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 20 Jun 2007 20:18:10 -0400
molson8472 wrote:
I've got two connections to the same ISP (connected to two of their
routers), with HSRP running on their routers. And yes, they are
advertising my IPs with BGP further out into the core.
Load balancing across connections is not a concern here -- I am just
looking for redundancy and no single points of failure.
I think that with the combination of the ASA failover mechanism, STP
on the interior switches, and dual homing of the servers to separate
switches, I have full redundancy and automatic failover for the
firewalls and everything inside the firewalls.
But the question is dealing with the two HSRP connections from the
ISP. If I put two switches outside the firewalls, and connect each of
the ISP connections to one, and connect them to each other, I think
I'd be OK. In the case of one of the outside switches failing, the ISP
routers should detect the failure because they will no longer be able
to send HSRP messages on the local segment, triggering an HSRP
failover. At the same time, my primary firewall should detect a
failure and failover to the secondary firewall since it will be
connected to the second ISP connection. Does that sound right?
I've posted a diagram just to be as clear as possible. Please poke as
many holes as you can in this setup and let me know if I'm on the
right track for full redundancy and no single points of failure (aside
from my upstream ISP). I'd like to find out now before buying a bunch
of equipment. :)
http://rubycloud.com/images/network.jpg
Thanks,
Matt
Your explanation is good... as far as it goes. Here are some general holes
you have not covered:
Effective redundancy requires three things: the ability to detect failure,
the ability to do something to get around detected failures, and enough
diversity so that whatever causes the first failure does not also cause the
alternate mode to fail (think cables in a bundle or common power source).
IP communications requires the redundancy to work bidirectionally. That is,
not only do you need to properly reroute outbound packets, but also the
responses to those packets. HSRP only handles getting packets from your
firewall to your ISP, and not necessarily even that much. Are there any
switches between your switches and the ISP's routers? How does the ISP
detect failure of a link between one of its routers and your switch (not
just for HSRP but also for sending traffic to you)? Hint--do not assume
that link problems will cause the Ethernet interface to go down...that only
happens most of the time.
Maintaining high availability also requires continuous vigilance (network
monitoring and management). It does not help you long term if you have no
mechanism to detect that you have failed over and are running on backup.
You will need to determine just how much availability you really need and
how much you are willing to pay for if you can get it. If all you want is a
pretty picture to impress clients, you're done. If you really care about
high availability, you've only just begun to scratch the surface.
Good luck and have fun!
--
Vincent C Jones, Consultant
Networking Unlimited, Inc.
Tenafly, NJ Phone: 201 568-7810
http://www.networkingunlimited.com
Expert advice and a helping hand for those who want to manage and control their networking destiny
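One concrete form of the "continuous vigilance" point above, added here as an example and not code from the thread: a check that parses ASA `show failover` output and flags when the pair is running on the backup unit or has no healthy standby left. The sample output lines are constructed and the exact `show failover` format is assumed.

```python
import re

# Constructed sample of ASA "show failover" output, trimmed to the lines this
# check needs (format assumed). In practice, feed it the real command output.
SAMPLE_NORMAL = """\
Failover On
Failover unit Primary
This host: Primary - Active
Other host: Secondary - Standby Ready
"""

SAMPLE_FAILED_OVER = """\
Failover On
Failover unit Secondary
This host: Secondary - Active
Other host: Primary - Failed
"""

# Matches "This host: Primary - Active" and "Other host: Secondary - Standby Ready"
STATE_RE = re.compile(r"^(This|Other) host: (\w+) - (.+?)\s*$", re.MULTILINE)


def parse_failover(text):
    """Return {'this': (unit, state), 'other': (unit, state)} from show failover output."""
    states = {who.lower(): (unit, state) for who, unit, state in STATE_RE.findall(text)}
    if "this" not in states or "other" not in states:
        raise ValueError("could not find both host lines in show failover output")
    return states


def assess(text, expected_active="Primary"):
    """Return (severity, message); severity is 'ok', 'warning' or 'critical'."""
    s = parse_failover(text)
    this_unit, this_state = s["this"]
    other_unit, other_state = s["other"]
    # Work out which unit currently carries traffic
    active = this_unit if this_state == "Active" else (other_unit if other_state == "Active" else None)
    if active is None:
        return ("critical", "no unit reports Active")
    alerts = []
    if active != expected_active:
        alerts.append(f"running on backup: {active} is Active")
    # Anything other than Active / Standby Ready means the redundancy is gone
    for unit, state in (s["this"], s["other"]):
        if state not in ("Active", "Standby Ready"):
            alerts.append(f"{unit} is {state}: no standby available")
    if not alerts:
        return ("ok", f"{active} active, peer Standby Ready")
    severity = "critical" if any("no standby" in a for a in alerts) else "warning"
    return (severity, "; ".join(alerts))
```

Run it from a scheduled job against the real output and page on anything other than "ok", so a silent failover does not go unnoticed until the second unit fails too.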