Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
326
Views
1
Helpful
1
Replies

L3 Switches connecting to Firewalls

Ranjita
Level 1
Level 1

‎04-19-2024 02:04 AM

Hi All,

I have a topology as shown below:

Ranjita_0-1713517128281.png

The Firewalls A & B are running as active/standby. I have an etherchannel configured between L3 Switch A and Switch B. The switches also have HSRP running for various VLANs. 

The link between Switch and Firewalls are routed ports. I have the following issues:

1) The routed port of Sw A isnt pinging routed port of Sw B

2)The switches dont detect topology change (Active/Standby change) in the Firewall level. The switch connected to the active firewall alone works while the switch connected to standby firewall isnt able to reach the FW IP.

 

Ideally I should have had redundant links between the switches and firewalls,unfortunately this was overlooked.

Could someone please explain what is happening in both the cases mentioned above?

 

 

Thanks.

Labels:
1 Reply 1

Kumaresan Ravichandran
Level 1
Level 1

‎04-21-2024 12:18 PM

Hello @Ranjita 

When two Layer 3 switches with routed ports are not able to ping each other, this might be du.e to a few reasons:

Routed Ports Not Pinging Between Switch A and Switch B: 

May be Configuration Mismatch, EtherChannel Misconfiguration, Routing Table Issues, Physical Link Problems.

Switches Don't Detect Topology Changes in Firewalls:

Missing Redundancy, HSRP Failover Configuration, Firewall Failover Communication, Routing Issues.

To address these issues, consider the following recommendations:

  • Add Redundancy: Redundant links between switches and firewalls can ensure continuous connectivity when the active/standby status changes.

  • Reconfigure EtherChannel and HSRP: Double-check the configuration to ensure correct setup. Confirm there are no misconfigurations in the channel groups, protocols, HSRP group numbers, or priorities.

  • Monitor and Test: Implement monitoring to detect topology changes and test failover scenarios to ensure proper behavior. Use tools like SNMP and syslog to monitor for failures and alert when topology changes occur.

  • Consult Firewall Documentation: Check the firewall's documentation for specific details about the high-availability setup and ensure it is correctly configured.

Regards 

if you get idea then click the helpful for more support like this.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card