Buy or Renew
Buy or Renew
Join the Catalyst Center Onboarding Ask Me Anything event happening now!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1298
Views
6
Helpful
12
Replies

Routing and Gateways

Go to solution
gcook0001
Level 1
Level 1

‎03-10-2023 06:52 AM

I am trying to determine how to do this. The diagram below works except if one of the firewalls/wan connections goes down. Then the systems using that default gateway don't use the othe gateway if available. For example if the firewall at location 2 goes down I would like the servers to start using the firewall in location 1. The switch at location 2 is Cat3850 and the switch at location 1 is C9407R. The firewalls are Firepower FTDs. What would the best way to accomplish this? I am limited in that I have to implement this in production as I don't have a test environmnet.

 

gcook0001_0-1678459491321.png

 

Labels:
1 Accepted Solution

Accepted Solutions

Go to solution
MHM Cisco World
VIP
VIP
In response to gcook0001

‎03-10-2023 08:13 AM

Yes sure, and it be better if the SW run ip routing and can config as HSRP.

View solution in original post

0 Helpful
12 Replies 12

Go to solution
MHM Cisco World
VIP
VIP

‎03-10-2023 07:05 AM

FW not support HSRP so the only solution is using Active/Active HA.

Go to solution
gcook0001
Level 1
Level 1
In response to MHM Cisco World

‎03-10-2023 07:08 AM - edited ‎03-10-2023 07:09 AM

Thanks for the reply

These firewalls don't support active/active. 

0 Helpful

Go to solution
gcook0001
Level 1
Level 1
In response to MHM Cisco World

‎03-10-2023 07:14 AM

Yes. I think I may have found a solution but not sure it is the best. If I add two routes to the client 

0.0.0.0 to 192.168.1.1 and 0.0.0.0 192.168.1.3 it does use the second route if the first doesn't work

 

Go to solution
MHM Cisco World
VIP
VIP
In response to gcook0001

‎03-10-2023 08:13 AM

Yes sure, and it be better if the SW run ip routing and can config as HSRP.

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to gcook0001

‎03-10-2023 08:21 AM

I think I found something help you in this case, I will share this info. late today.

0 Helpful

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame
In response to gcook0001

‎03-10-2023 09:33 AM

Yes, often many clients can do that.  The issue, can be, it can be a maintenance nightmare if you have many clients.  I.e. we normally hope to use solutions that don't entail "unusual", or even any manual, configurations on clients.  (However, if client configurations can be "unusual" via DHCP, that's often not too bad.)

0 Helpful

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame

‎03-10-2023 09:29 AM

Are switches L2 or L3?

Do your FWs support VRRP?

0 Helpful

Go to solution
gcook0001
Level 1
Level 1

‎03-10-2023 01:20 PM

So we don't have a huge number of clients. So the solution I came up with and was able to test is as follows.

In Server 2019 for the scope options for the scope you can add multiple routers and they process them in the order that they are listed. So for DHCP which will apply mostly to personal computers it will add the second route which will get used if there is an issue with the first one. This gets added automatically as part of the DHCP assignment. For the servers we assign static IPs and we can add second persistant route at that time. 

 

0 Helpful

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame
In response to gcook0001

‎03-10-2023 02:41 PM

Yup, as mentioned in my prior posting, if you can manage hosts via DHCP, likely a better approach.

However, even with DHCP management, if your FWs support VRRP, I would recommend that as even better still.  (Because, many are not familiar using advanced DHCP features, but a FHRP, whether HSRP, VRRP, GLBP, is a pretty common network configuration.)

Go to solution
gcook0001
Level 1
Level 1
In response to Joseph W. Doherty

‎03-13-2023 09:01 AM

Thanks for the reply. The issue with both VRRP and similar protocols is that you still have a single point as your gateway which handles all the traffic. Our firewalls are located in different offices across town from each other and connected via an VPLS. The goal is to reduce the amount of traffic using the VPLS. So we want the devices in the office to use the firewall located in the office and fall back to the data centre if that connection goes down and the opposite for the data center. 

0 Helpful

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame
In response to gcook0001

‎03-13-2023 09:28 AM

FYI:

Later HSRP implementations (V2?) have a feature to deal with the issue you describe.  Don't recall if it's also a standard VRRP feature (and/or if this was Cisco devices, whether Cisco provides that feature for its VRRP implementation).

Anyway, the feature I have in mind is where you can have each FHRP device have multiple gateway IPs on the same network.  Basically, you configure each device to be the "primary" for a unique FHRP IP, and "backstop" all the other gateways.

Host can use the virtual gateway IP local to them, but if that gateway fails, then that virtual IP moves to another gateway router.

The same issue though, i.e. you're still stuck with getting the "preferred" gateway to the correct hosts (much like what you're doing now - although doing it this way, possibly easier to understand - big issue, though, would FW VRRP support this?  - again, this just a FYI, not a suggestion to adopt this approach).

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card