Redundancy of Catalyst 6500 with FWSM and EIGRP

Muhammad Zubair
Level 1

Hello everyone,

We are planning to configure redundancy between two 6500s with FWSM and a 3560.

Currently one 6500 and the 3560 are connected through a layer 3 interface, with routing by EIGRP. We want to add a second 6500 for redundancy.

For that we have to configure HSRP on both core switches and add a trunk between them, configure VLANs on the 3560 and add interfaces connecting to both core switches.

Please advise the recommended configuration for our scenario. We have already done some of the configuration but would like it verified.

4 Replies

Jon Marshall
Hall of Fame

Muhammad

There may be a lot more to your network topology than the diagram you provided, but from the diagram I would connect the access switches to both 6500 switches and remove the 3560. I can't see what the 3560 is doing for you in this scenario and, worse still, it is a single point of failure. FWSM modules are typically deployed at the aggregation/distribution layer, so it would make sense to have your access switches connected directly to the 6500 switches.

The configuration would then simply be to allocate the access layer VLANs that you wanted to firewall to the FWSM and have L3 interfaces for those VLANs on the FWSM (note: not the MSFC). Any VLANs you didn't want to firewall, you would simply create SVIs for on the MSFC.

I just can't understand what purpose the 3560 is serving in your setup?

Jon

Muhammad Zubair

In our environment the 3560 is a distribution switch and has VLANs and routing. Many access switches are connected to the distribution via trunks. We want to attach the distribution to both cores. All distribution traffic should pass through the FWSM.

We are running EIGRP on the distribution switch (3560) and the core 6500.

We also want to configure FWSM redundancy; we are planning to configure firewall failover.

I have added some description to the configuration too; hopefully it will help you understand our scenario.

Jon Marshall

But you don't spend a fortune on 6500 switches with FWSM for redundancy and then have a single 3560 switch as a single point of failure. If that 3560 switch dies then none of your access switches can get to the 6500 switches. So the fact that you have two 6500s for redundancy is irrelevant, and very expensive. Imagine justifying to your management why you purchased a second 6500 with FWSM specifically for redundancy and the network is still down because the 3560 switch crashed.

If you do the inter-VLAN routing off the 6500 switches then a single 6500 failing does not take down your network. If a single access switch fails then all the other access switches are unaffected.

But you have used a single 3560 switch. Not only does the whole network rely on this switch staying up, if you are aggregating all your access switches into it then you are very probably creating a bottleneck on the uplink between the 3560 and the 6500 switches.

FWSM provides services for the distribution layer, not the core layer, so it makes even more sense to use your 6500 switches as distribution switches (they can also be core switches, i.e. a collapsed distribution/core).

You also get more flexibility with this design. If you need to firewall between VLANs on the access layer switches, at the moment you can't because they are all routed off the 3560. If you routed them off the 6500 switches then it would be easy to migrate their SVIs off the MSFC and onto the FWSM if you decided you wanted to firewall between VLANs.

Jon
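The following configuration is an added example, not from this thread or from Cisco, illustrating the layout Jon describes (firewalled VLANs handed to the FWSM with their L3 interfaces there, non-firewalled VLANs as MSFC SVIs with HSRP, a trunk between the two chassis) together with the active/standby FWSM failover the original poster asked about. All slot numbers, VLAN IDs, addresses and interface names are hypothetical; the FWSM command syntax is from memory of the 3.x/4.x releases and should be checked against the release notes for the code actually running on the modules. Static routes are used between MSFC and FWSM here; the thread's EIGRP adjacency to the 3560 is not shown.

```cisco
! ===== Catalyst 6500, chassis A (chassis B is identical except where noted) =====
! Hypothetical numbers: FWSM in slot 3, firewalled VLANs 10 and 20,
! FWSM "outside" VLAN 100, non-firewalled VLAN 30, failover VLANs 900/901.
vlan 10,20,30,100,900,901
!
! Hand the firewalled VLANs and the failover VLANs to the FWSM.
! VLANs in this group must NOT have an SVI on the MSFC (the FWSM owns
! their L3 interface). Both chassis need exactly the same allocation.
firewall vlan-group 1 10,20,100,900,901
firewall module 3 vlan-group 1
!
! Core-to-core trunk carries every VLAN the two FWSMs and HSRP share.
interface TenGigabitEthernet1/1
 description core-to-core trunk
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30,100,900,901
 switchport mode trunk
!
! Non-firewalled VLAN: SVI on the MSFC, HSRP between the two chassis.
! Chassis B uses 10.30.0.3 and priority 100 so chassis A is active.
interface Vlan30
 ip address 10.30.0.2 255.255.255.0
 standby 30 ip 10.30.0.1
 standby 30 priority 110
 standby 30 preempt
!
! MSFC side of the FWSM ("outside"). The MSFC is the FWSM's next hop,
! so it gets an SVI plus HSRP and the FWSM routes to the virtual IP.
interface Vlan100
 ip address 10.100.0.2 255.255.255.0
 standby 100 ip 10.100.0.1
 standby 100 priority 110
 standby 100 preempt
!
! MSFC reaches the firewalled subnets via the FWSM's active outside address.
ip route 10.10.0.0 255.255.255.0 10.100.0.11
ip route 10.20.0.0 255.255.255.0 10.100.0.11

! ===== FWSM, primary unit (session slot 3 processor 1 from chassis A) =====
! The secondary unit carries the same interface/route config and
! "failover lan unit secondary"; the standby addresses become its own.
hostname fwsm-primary
interface Vlan100
 nameif outside
 security-level 0
 ip address 10.100.0.11 255.255.255.0 standby 10.100.0.12
interface Vlan10
 nameif dept-a
 security-level 100
 ip address 10.10.0.1 255.255.255.0 standby 10.10.0.2
interface Vlan20
 nameif dept-b
 security-level 100
 ip address 10.20.0.1 255.255.255.0 standby 10.20.0.2
!
! Default route towards the MSFC HSRP virtual address on VLAN 100.
route outside 0.0.0.0 0.0.0.0 10.100.0.1 1
!
! Active/standby failover: control link on VLAN 900, state link on 901,
! both carried across the core-to-core trunk so the two modules can see
! each other when they sit in different chassis.
failover lan unit primary
failover lan interface folink vlan 900
failover link fostate vlan 901
failover interface ip folink 10.90.0.1 255.255.255.0 standby 10.90.0.2
failover interface ip fostate 10.91.0.1 255.255.255.0 standby 10.91.0.2
failover
```

Hosts in VLANs 10 and 20 use the FWSM interface address (10.10.0.1 / 10.20.0.1) as their gateway; no HSRP is needed there because the active FWSM owns the primary address and the standby unit takes it over on failover. On the 6500 side, `show firewall vlan-group` and `show firewall module 3 state` confirm the allocation, `show standby brief` confirms which chassis is HSRP active, and on the FWSM `show failover` should report the peer as "Standby Ready" before the design is relied on. If the core-to-core trunk is the only path carrying VLANs 900/901, losing it splits the failover pair, so a second trunk or port-channel between the chassis is worth considering.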

Muhammad Zubair

Thanks Jon for your precious time.

Sorry, I am forwarding the complete diagram, as we have multiple 3560s in our scenario serving different departments. All distribution switches reside in their respective departments, and the two 6500s reside in different locations. Below the distribution switches we have the access switches of the relevant department.
