GNS3 | Student Question | How to configure my network with redundancy

Ckey
Level 1

Hi Everyone,

I'm currently studying computer engineering and have a project in which I'm trying to create a model of a fully redundant and secure network topology within GNS3. The secure part can wait because right now I'm just trying to get everything to work, however I'm getting very confused when it comes to the configuration between my Firewalls (edge devices) and Core Switches. I've had experience with GNS3 and managing parts of a real network in the past, but unfortunately it was for a small company and as such they didn't use full redundancy.

My current network in GNS3 looks as follows:

[Image: topology.png]

I have two PFSense firewalls connected to a cloud in GNS3 for outbound connections (ISP). These firewalls utilise the CARP protocol, and I have a VIP created on the WAN (em0), DMZ (em5) and LAN (e3 and e3) ports. My main question is regarding the two Core switches (swWarszawaCore1 & 2) and the firewalls (PFSense-1 & 2).

I want full redundancy between all 4 devices, and my initial thought is to have VRRP configured on the Core Switches and CARP on the Firewalls. I have ports e3 & e4 on both firewalls bundled into a LAGG port, called port 1. PFSense-1 lagg1 has 192.168.11.2/29 assigned to it and PFSense-2 lagg1 has 192.168.11.3/29 assigned to it. The VIP configured for these ports is 192.168.11.1. The etherchannel uses LACP.

On the core switches, connected to lagg1 on the firewalls, I have port-channel1 configured using LACP. I configured an SVI for VLAN 14 on each switch, and configured port-channel1 as an access port for VLAN 14. The VLAN 14 SVI on Core1 is configured with 192.168.11.4/29 and Core2 is configured with 192.168.11.5/29. The VIP configured (using VRRP) for the VLAN 14 SVI is 192.168.11.6.

Okay great, so from swCore1 I can ping 192.168.11.2 (the directly upstream firewall IP in the same subnet), but I cannot ping the VIP. I have a feeling it is because I haven't configured the "crossed" interfaces yet, eth1/3 on the core switches.

I don't really know how this should be configured, and I'm not even sure my current approach is correct; any recommendations or help that could be provided would be greatly appreciated, as I don't know how to proceed from here.

I'm happy to dump configs if requested.

Accepted Solution

Two solutions here:

1- use standalone FW

in this solution

A-A- FW use VIP of HSRP in static route toward Core SW
A-B- Core SW use default route toward both FW but one with high AD

B-A- FW use IGP and inject default route into Core

2- FW run HA

MHM


2 Replies


Dear MHM,

Thank you very much for the prompt response; I have been reviewing the topology and settings today and I think that I have decided to give up on using the CARP (basically HSRP) protocol on the firewalls. The VIP of the firewalls on the LAN side is completely unreachable, even with allow any security rules and connectivity to the physical IP addresses 192.168.11.2 & 3. I'm not sure if this is a GNS3 simulation issue, a Layer 8 issue (I wouldn't be surprised) or a PFSense issue, but regardless, I need to make more progress.

My plan is to configure option A - Configure a static route on the firewalls to use the VIP of the core switches when sending packets to clients and also configure 2 default routes on the core switches, one with a higher Administrative Distance.

I might configure something like OSPF in the future if I get the concept working with static routing.

I assume the connections between:

1. CoreSwitch1 and Firewall2
2. CoreSwitch 2 and Firewall1

should be L3 connections for the double default routes - if you think I've misunderstood anything then please pop a quick response over, otherwise this has been solved!

Thank you very much,
Callum
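The following is an added example, not a config from either poster, showing what MHM's option 1-A/1-B (and Callum's plan above) looks like on one core switch: VRRP on the VLAN 14 SVI, LACP toward PFSense-1, the "crossed" link to PFSense-2 as a routed interface, and a primary plus floating default route. IOS-style syntax is assumed (NX-OS commands differ); the member port names, the 192.168.12.0/30 cross-link subnet and the AD/priority values are constructed. It also adds IP SLA tracking, because without it a floating static route only fails over when the next-hop interface itself goes down, not when the firewall behind a still-up VLAN stops forwarding.

```cisco
! swWarszawaCore1 - added example, IOS-style syntax assumed (not the poster's config)
! Member port names, the /30 cross-link subnet and AD/priority values are constructed.
hostname swWarszawaCore1
!
! LACP bundle toward PFSense-1 lagg1, carried as access VLAN 14
interface range GigabitEthernet1/0/1 - 2
 channel-group 1 mode active
interface Port-channel1
 description to PFSense-1 lagg1
 switchport mode access
 switchport access vlan 14
!
! SVI facing PFSense-1 (.2); VRRP VIP .6 is shared with swWarszawaCore2 (.5)
interface Vlan14
 ip address 192.168.11.4 255.255.255.248
 vrrp 14 ip 192.168.11.6
 vrrp 14 priority 110
 vrrp 14 preempt
!
! "Crossed" link to PFSense-2 as a routed L3 interface (constructed /30)
interface GigabitEthernet1/0/3
 description to PFSense-2
 no switchport
 ip address 192.168.12.1 255.255.255.252
!
! ICMP tracking of each firewall so a dead firewall's route is withdrawn
! (the firewall rules must permit echo from the core's source address).
ip sla 1
 icmp-echo 192.168.11.2 source-interface Vlan14
 frequency 5
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
ip sla 2
 icmp-echo 192.168.12.2 source-interface GigabitEthernet1/0/3
 frequency 5
ip sla schedule 2 life forever start-time now
track 2 ip sla 2 reachability
!
! Option A: primary default via PFSense-1 (AD 1), floating via PFSense-2 (AD 10)
ip route 0.0.0.0 0.0.0.0 192.168.11.2 track 1
ip route 0.0.0.0 0.0.0.0 192.168.12.2 10 track 2
!
! Firewall side (pfSense, System > Routing): a static route for the client
! networks with gateway 192.168.11.6, the core VRRP VIP, as in option 1-A.
```

swWarszawaCore2 mirrors this with 192.168.11.5 on Vlan14, a lower VRRP priority, and its primary default pointing at the firewall on its own port-channel; verify failover with `show track` and `show ip route` after shutting down one firewall.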
