Routing and Gateways

gcook0001
Level 1

I am trying to determine how to do this. The diagram below works except if one of the firewalls/WAN connections goes down. Then the systems using that default gateway don't use the other gateway if available. For example, if the firewall at location 2 goes down I would like the servers to start using the firewall in location 1. The switch at location 2 is a Cat3850 and the switch at location 1 is a C9407R. The firewalls are Firepower FTDs. What would be the best way to accomplish this? I am limited in that I have to implement this in production as I don't have a test environment.


[Diagram image attached to the post: gcook0001_0-1678459491321.png]



The FW does not support HSRP, so the only solution is using Active/Active HA.

Thanks for the reply

These firewalls don't support active/active. 

Yes. I think I may have found a solution, but I'm not sure it is the best. If I add two routes to the client, 0.0.0.0 to 192.168.1.1 and 0.0.0.0 to 192.168.1.3, it does use the second route if the first doesn't work.


Yes, sure, and it would be better if the SW runs IP routing and can be configured with HSRP.

I think I found something that will help you in this case; I will share this info later today.

Yes, often many clients can do that.  The issue, can be, it can be a maintenance nightmare if you have many clients.  I.e. we normally hope to use solutions that don't entail "unusual", or even any manual, configurations on clients.  (However, if client configurations can be "unusual" via DHCP, that's often not too bad.)

Joseph W. Doherty
Hall of Fame

Are switches L2 or L3?

Do your FWs support VRRP?

gcook0001
Level 1

We don't have a huge number of clients, so the solution I came up with and was able to test is as follows.

In Server 2019, in the scope options for the scope, you can add multiple routers, and they are processed in the order they are listed. So for DHCP, which applies mostly to personal computers, it will add the second route, which gets used if there is an issue with the first one. This gets added automatically as part of the DHCP assignment. For the servers we assign static IPs, and we can add a second persistent route at that time.
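The two halves of this approach (DHCP option 3 with an ordered router list for workstations, and two persistent default routes for static-IP servers), written out as an added PowerShell example for Windows Server 2019. This is not code from the thread or from Microsoft or Cisco documentation. The two gateway addresses are the ones used earlier in the thread (192.168.1.3 as the local firewall, 192.168.1.1 as the fallback across the VPLS); the scope ID, the route metrics and the use of the local firewall as the preferred hop are assumptions, and the check at the end is there because how quickly a host abandons a gateway depends on the OS's dead-gateway / neighbor-unreachability handling, which is worth confirming on one host before rolling it out.

```powershell
# Added example, not from the thread. Assumed values: scope 192.168.1.0/24,
# local (preferred) firewall 192.168.1.3, fallback firewall 192.168.1.1.
$ScopeId       = '192.168.1.0'
$LocalGateway  = '192.168.1.3'   # firewall in this office: listed first, so preferred
$RemoteGateway = '192.168.1.1'   # firewall reached over the VPLS: fallback only

# --- DHCP workstations: option 3 (Router) with the preferred gateway first ---
# Run on the DHCP server. Clients receive the routers in this order and install a
# default route per router, so the local firewall is used until it is unreachable.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -Router $LocalGateway, $RemoteGateway

# Confirm what the scope now hands out (Value should list both addresses in order).
Get-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 3 |
    Select-Object OptionId, Name, Value

# --- Static-IP servers: two persistent default routes with explicit metrics ---
# Run on each server from an elevated prompt. Lower metric wins, so the remote
# firewall only carries traffic while the local route is unusable. The -p flag
# makes the routes survive a reboot.
route -p add 0.0.0.0 mask 0.0.0.0 $LocalGateway  metric 10
route -p add 0.0.0.0 mask 0.0.0.0 $RemoteGateway metric 20

# Verify both default routes are present and ordered as intended.
Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 |
    Sort-Object RouteMetric |
    Format-Table NextHop, RouteMetric, InterfaceAlias, State

# Check that each gateway answers from this host; a gateway that is up on the LAN
# side but has lost its WAN link will still look reachable here, which is the
# case this host-side failover does not cover.
foreach ($gw in $LocalGateway, $RemoteGateway) {
    Test-NetConnection -ComputerName $gw -InformationLevel Quiet
}
```

Both routes sit on the same interface, so Windows adds the same interface metric to each and the 10/20 ordering holds. Because the fallback gateway is the firewall in the other office, the second firewall's policy must permit the same flows as the first, otherwise failover silently changes what traffic is allowed.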


Yup, as mentioned in my prior posting, if you can manage hosts via DHCP, likely a better approach.

However, even with DHCP management, if your FWs support VRRP, I would recommend that as even better still.  (Because, many are not familiar using advanced DHCP features, but a FHRP, whether HSRP, VRRP, GLBP, is a pretty common network configuration.)

Thanks for the reply. The issue with both VRRP and similar protocols is that you still have a single point as your gateway which handles all the traffic. Our firewalls are located in different offices across town from each other and connected via a VPLS. The goal is to reduce the amount of traffic using the VPLS. So we want the devices in the office to use the firewall located in the office and fall back to the data center if that connection goes down, and the opposite for the data center.

FYI:

Later HSRP implementations (V2?) have a feature to deal with the issue you describe.  Don't recall if it's also a standard VRRP feature (and/or if this was Cisco devices, whether Cisco provides that feature for its VRRP implementation).

Anyway, the feature I have in mind is where you can have each FHRP device have multiple gateway IPs on the same network.  Basically, you configure each device to be the "primary" for a unique FHRP IP, and "backstop" all the other gateways.

Host can use the virtual gateway IP local to them, but if that gateway fails, then that virtual IP moves to another gateway router.

The same issue, though, i.e. you're still stuck with getting the "preferred" gateway to the correct hosts (much like what you're doing now, although doing it this way is possibly easier to understand). The big issue, though, would be whether FW VRRP supports this. Again, this is just an FYI, not a suggestion to adopt this approach.
