Redundant Connectivity Design

brisen
Level 1

I am looking to increase redundancy at a site by implementing HA with the firewall. Currently we only have a single one deployed, but we have purchased a second and are starting to work on the connectivity. The firewalls are FPR1140s, while the switches are CBS350-24XTs.

We currently use MS Hyper-V SET (Switch Embedded Teaming) to connect two server interfaces to our switches. In my testing I have found that if a server connection is lost, generally within 2-3 pings everything is updated between the switch and server, and connectivity is re-established on the other interface.

Since the firewalls run in an active/standby arrangement, my thought was that I could create a port channel on the firewall: two interfaces going to the "primary path" switch, with a third interface in the channel going to the "secondary path" switch. On each switch, I then have a corresponding LAG member config. The two switches have their own LAG between them to allow traffic to transit.

Switch 1 will be the STP root bridge, with Fast Link set to auto. This seems like it would give us good resiliency if we lose an interface or an entire network element. There looks to be a backup path that can be utilized once the LACP and STP protocols reconverge.

If FW1 fails, path should be SW1 > FW2

If SW1 fails, path should be SW2 > FW1

If SW1 & FW1 are both down, path should be SW2 > FW2

And vice versa.

Anyone have thoughts on this approach? I am trying to design around a network element SPOF.
