
Cisco Switch Stack

mark.stewart1
Level 1

Hi,

We have an issue where we have two fpr2100s in HA mode connected to a stack of switches which are then on a fibre ring.

Currently the HA cables are connected to the primary switch in each of the stacks, which works until one of the primary switches fails.

In this situation the firewalls both become master and all hell breaks loose on the network.

What I am hoping for is that if a member of the switch stack dies, then the whole switch stack stops processing data. Now I understand the idea of the switch stack is to keep going, but does anybody know of a setting or something that can be done?

 

Many thanks,

 

Mark.


Accepted Solutions

In order for the firewall clustering to work correctly, you need a direct link between the 2 firewalls. I also think if you connect all the HA links to only one stack, it would be a simpler design, but that would mean you need fiber between the stacks.

HTH


6 Replies

Reza Sharifi
Hall of Fame

Hi,

Can you post a simple diagram showing how the stacks are connected to the FWs for both data traffic and HA?

Are the firewalls in active/passive mode?

HTH

mark.stewart1
Level 1

Here is the layout of the network.

My other options are to create a dedicated link between the firewalls, but they are not local to each other.

Or remove the second trunk link to the secondary switch, so the firewalls can still go master/master, but with no comms to the network.

In order for the firewall clustering to work correctly, you need a direct link between the 2 firewalls. I also think if you connect all the HA links to only one stack, it would be a simpler design, but that would mean you need fiber between the stacks.

HTH

mark.stewart1
Level 1

Thank you for your reply, but we are having to look at all failure modes, and if that fibre failed between the firewalls for the HA, we would be in the same situation, so we are trying to work something out 'outside of the box' as they say.

As when the fault happens the whole network basically is knackered...

IP_Cartel
Level 1

Go through this document. It will help you get the two 2100s connected in HA. You are missing some connection. One is the heartbeat. You can use a simple switch or cross the connection between the 2100s.

https://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/firepower_threat_defense_high_availability.html 

mark.stewart1
Level 1

Thank you for the replies everyone, still no further as this is just what is listed on the Cisco site.
