09-12-2012 12:45 PM - edited 03-03-2019 06:45 AM
Hi experts,
I have designed a high availability architecture (see attached file). Normally, the final implementation would let people in the remote network access servers in the access layer, and access layer servers should be able to send packets to devices connected to the remote network.
My problem is at the core side, particularly between the core and the two distribution switches. I want to know which kind of configuration (Layer 2 or Layer 3) is more suitable in this case and what the implications are.
Regards
09-12-2012 01:04 PM
It's not entirely clear how it all fits together as there is no IP addressing. Also it's not clear what function the core supplies because it seems as though you could simply connect the firewall to the distribution switches directly.
Is there anything else connected to the core that is not shown in your diagram ?
In addition it is not always a good idea to connect the firewall directly to the core.
All that being said as a general rule it is better to use L3 links as this limits STP to the distribution and access switches rather than extending it all the way to the core. This is particularly important if you have other connections into the core.
But that is only a general answer and without the addressing and the full network layout, i.e. other core connections, it's difficult to say.
Jon
09-13-2012 12:43 PM
Hi Jon,
The Cat3560 is not really a core switch...
I have configured L3 (routed port) between the Cat3560 and the distribution switches and set up HSRP to have a unique gateway for my firewall.
dist 1
----------
interface GigabitEthernet1/1
 ip address 10.10.10.1 255.255.255.0
 standby 1 ip 10.10.10.254
!
interface Vlan300
 ip address 10.10.3.1 255.255.255.0
 standby 1 ip 10.10.3.254
!
ip route 0.0.0.0 0.0.0.0 10.10.10.3

dist 2
--------
interface GigabitEthernet1/1
 ip address 10.10.10.2 255.255.255.0
 standby 1 ip 10.10.10.254
!
interface Vlan300
 ip address 10.10.3.1 255.255.255.0
 standby 1 ip 10.10.3.254
!
ip route 0.0.0.0 0.0.0.0 10.10.10.3

firewall
---------
internal IP : 10.10.10.3 255.255.255.0
default route : 10.10.10.254

PC in vlan 300
---------
IP : 10.10.3.100 gateway : 10.10.3.254
The results of the tests are :
- PC can ping the firewall (10.10.10.3)
- From the firewall I cannot ping the PC, but I can ping the PC's gateway (10.10.3.254) // it's not a matter of security, I have checked and ping is allowed
- From the firewall, the result of traceroute:
traceroute to 10.10.3.100
1 1ms 1ms 1ms 10.10.10.254
2 * * *
2 * * *
Let me know if it's clearer, as I don't really understand what the problem is.
Regards
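The two distribution-switch configs quoted in the post above assign the same address (10.10.3.1) to interface Vlan300 on both dist 1 and dist 2, while the HSRP virtual addresses are consistent. Whether that is a copy-and-paste slip in the post or the live configuration cannot be told from the thread, but it is exactly the kind of inconsistency worth catching before chasing routing or firewall rules. The following script is an added example, not part of the original thread or any Cisco tool: it parses minimal IOS-style interface stanzas (assumed to be normalized to full `interface` / `ip address` / `standby N ip` keywords) and reports duplicate real addresses across devices, HSRP virtual IPs outside their interface subnet, and HSRP groups whose peers disagree on the virtual IP. The embedded configs are constructed copies of what the post shows.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed copies of the two dist-switch configs from the post,
# with the abbreviated keywords expanded; addresses are as posted.
DIST1 = """
interface GigabitEthernet1/1
 ip address 10.10.10.1 255.255.255.0
 standby 1 ip 10.10.10.254
!
interface Vlan300
 ip address 10.10.3.1 255.255.255.0
 standby 1 ip 10.10.3.254
!
ip route 0.0.0.0 0.0.0.0 10.10.10.3
"""

DIST2 = """
interface GigabitEthernet1/1
 ip address 10.10.10.2 255.255.255.0
 standby 1 ip 10.10.10.254
!
interface Vlan300
 ip address 10.10.3.1 255.255.255.0
 standby 1 ip 10.10.3.254
!
ip route 0.0.0.0 0.0.0.0 10.10.10.3
"""


def parse_config(text):
    """Return {interface: {'ip': IPv4Interface|None, 'standby': {group: IPv4Address}}}."""
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
            result[current] = {"ip": None, "standby": {}}
            continue
        if current is None:
            continue  # global commands such as 'ip route' are not audited here
        m = re.match(r"ip address (\S+) (\S+)$", line)
        if m:
            # ipaddress accepts 'addr/netmask' with a dotted mask
            result[current]["ip"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            continue
        m = re.match(r"standby (\d+) ip (\S+)$", line)
        if m:
            result[current]["standby"][int(m.group(1))] = ipaddress.IPv4Address(m.group(2))
    return result


def audit(configs):
    """configs: {hostname: config text}. Returns a list of finding strings."""
    findings = []
    parsed = {host: parse_config(text) for host, text in configs.items()}

    # 1. The same real (non-virtual) address configured on more than one interface.
    owners = defaultdict(list)
    for host, ifaces in parsed.items():
        for name, data in ifaces.items():
            if data["ip"] is not None:
                owners[data["ip"].ip].append(f"{host}:{name}")
    for addr, where in sorted(owners.items()):
        if len(where) > 1:
            findings.append(f"duplicate address {addr} on {', '.join(where)}")

    # 2. Each HSRP virtual IP must lie inside the subnet of its interface.
    for host, ifaces in parsed.items():
        for name, data in ifaces.items():
            for group, vip in data["standby"].items():
                if data["ip"] is None:
                    findings.append(f"{host}:{name} has HSRP group {group} but no ip address")
                elif vip not in data["ip"].network:
                    findings.append(f"{host}:{name} HSRP {group} vip {vip} outside {data['ip'].network}")

    # 3. Peers in the same interface/group must agree on the virtual IP.
    vips = defaultdict(set)
    for host, ifaces in parsed.items():
        for name, data in ifaces.items():
            for group, vip in data["standby"].items():
                vips[(name, group)].add(vip)
    for (name, group), seen in sorted(vips.items()):
        if len(seen) > 1:
            findings.append(f"{name} HSRP group {group} has mismatched vips {sorted(map(str, seen))}")
    return findings


if __name__ == "__main__":
    for line in audit({"dist1": DIST1, "dist2": DIST2}):
        print(line)
```

Running it over the posted configs reports the single duplicate on Vlan300; giving dist 2 its own address (for instance 10.10.3.2, a hypothetical choice) produces no findings. The script deliberately does not try to judge the design question in the thread (L2 versus L3 toward the 3560), only the internal consistency of what each peer is configured with.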
09-14-2012 05:32 AM
see below
Jon
09-14-2012 05:41 AM
As a follow-up to this: if the 3560 is not really a core switch and only the dist switches and firewall connect to it, then you may be better off using an L2 and not an L3 config. I assumed it was a proper core switch.
Is there anything else connected to the core switch ?
One other consideration - if you plan to have a redundant firewall in future you would be better to use L2 as you will need a common vlan for failover.
Jon
09-14-2012 09:00 AM
Jon,
Thanks for your reply. As per your first request, please find attached the detailed diagram layout with IPs and the configuration file for each device. The config file also includes test results from the firewall and from the PC test.
I am sure you will find it pretty clear.
thanks for your help.
regards
dom
11-19-2012 01:28 PM
Not sure if you came up with a solution for this yet!
But to sum up:
The dist switch has to be L2/L3 (the demarcation point between L2 and L3); you may use HSRP with STP or VSS, depending on the HW.
The switch between the dist and the FW (the 3560) needs to be used as L2, at least for the FWs, using a shared VLAN; as Jon stated above, that can be helpful when you add a second FW for HA.
Hope this helps.
09-18-2012 11:53 AM
Layer 3 with port aggregation
---
Posted by WebUser Milo Elchingon Dechingones from Cisco Support Community App
09-18-2012 04:35 PM