Switch High Availability Design


Hello Cisco Community,

I am trying to design a network, so I would like to check a few things with you.

First of all, is the attached design legitimate? Would this work?
Are those port-channels correct? Should I create a port-channel for the downstream device and the upstream device when using stacking?


There are going to be more access switches, not just for servers.
There are going to be switches for users and storage.

Where do I put the default gateway? Is it better to create SVIs for VLANs on the core switches, or is it better to create SVIs on firewall? I understand that I can filter the traffic passing between VLANs with regular access-lists on the core switch.
But for better traffic inspection, I think it would make more sense to filter the traffic on the firewall level.


The goal is to make the network as resilient and secure as possible.





A little late but the following is my review:

  1. As both the access and core switches are stacked (I am assuming, based on your usage of StackWise, that these are not Nexus devices), I would keep the port-channel numbers the same for ease of management. Also, since they are both "logically" 1 device to 1 device, you can merge Po3 and Po4 into 1 port-channel and Po5 and Po6 into 1 port-channel. Physically, the cabling should remain as drawn. E.g. Access to Core can be Po3 to Po3.
  2. From Core to Firewall, we need to know how your firewalls are set up. Are they active/active or active/standby? Active/standby would be simplest and is similar to the access to core, as logically it'll be like 1 firewall to 1 core switch. There would be no Po10 in active/standby. There may also be slight configuration considerations if you plan on going Transparent or Routed mode as well.
  3. I would do routing and default gateways/SVIs for the internal LAN at the core. This is essentially a collapsed-core design. There really shouldn't be any big security concern with this, as you should expect traffic inside the firewall to be trusted. ACLs and/or VACLs should suffice.
  4. The outside seems fine for now and based on the limited info provided.
  5. I recommend drawing both a physical and logical diagram. That may help in piecing some of the configurations together.

Hope this helps.
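To make the reply above concrete, here is an added example of the collapsed-core configuration it describes (IOS-style syntax on a Catalyst StackWise stack). It is not code from the original thread or from either poster; the VLAN IDs, IP addresses, interface names and port-channel numbers are all assumptions chosen for illustration. It shows one LACP bundle per logical neighbour with one member link on each stack member, the SVIs and default gateways on the core, a routed ACL on the user SVI as the "ACLs should suffice" inter-VLAN filter, and a transit VLAN with a default route toward the firewall pair.

```cisco
! ===== Core stack (two StackWise members, one logical switch) =====
! Assumed: Gi1/0/x lives on stack member 1, Gi2/0/x on stack member 2.
! One bundle to the access stack, one member link per core member,
! so losing a whole stack member does not drop the uplink.
interface range GigabitEthernet1/0/1, GigabitEthernet2/0/1
 description Uplink to ACCESS-STACK-1 (Po3 on both sides)
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 channel-group 3 mode active
!
interface Port-channel3
 description Uplink to ACCESS-STACK-1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! ----- Toward an active/standby firewall pair -----
! Each firewall unit is a separate chassis, so LACP gets one bundle
! per physical unit (Po7 to FW-A, Po8 to FW-B), each spanning both
! core members. Both bundles carry only the transit VLAN.
interface range GigabitEthernet1/0/23, GigabitEthernet2/0/23
 description To FW-A (active)
 switchport mode trunk
 switchport trunk allowed vlan 99
 channel-group 7 mode active
!
interface range GigabitEthernet1/0/24, GigabitEthernet2/0/24
 description To FW-B (standby)
 switchport mode trunk
 switchport trunk allowed vlan 99
 channel-group 8 mode active
!
! ----- Routing and gateways live on the core (collapsed core) -----
ip routing
!
vlan 10
 name USERS
vlan 20
 name SERVERS
vlan 99
 name FW-TRANSIT
!
interface Vlan10
 description USERS default gateway
 ip address 10.10.10.1 255.255.255.0
 ip access-group USERS-IN in
!
interface Vlan20
 description SERVERS default gateway
 ip address 10.10.20.1 255.255.255.0
!
interface Vlan99
 description Transit to firewall pair (FW shares 10.10.99.1 across failover)
 ip address 10.10.99.2 255.255.255.0
!
! Everything not on-box (Internet, DMZ) goes to the firewall for inspection.
ip route 0.0.0.0 0.0.0.0 10.10.99.1
!
! ----- Inter-VLAN filtering at the core with a routed ACL -----
! Applied inbound on the USERS SVI: users reach servers only on the
! published services, everything else toward the server VLAN is dropped,
! and traffic leaving the site still goes to the firewall.
ip access-list extended USERS-IN
 permit tcp 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 443
 permit udp 10.10.10.0 0.0.0.255 host 10.10.20.53 eq 53
 deny   ip  10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 log
 permit ip  10.10.10.0 0.0.0.255 any
!
! ===== Access stack side (same Po number for ease of management) =====
! Assumed: Gi1/0/49 and Gi2/0/49 are the uplink ports on each access member.
interface range GigabitEthernet1/0/49, GigabitEthernet2/0/49
 description Uplink to CORE-STACK (Po3)
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 channel-group 3 mode active
!
interface Port-channel3
 description Uplink to CORE-STACK
 switchport mode trunk
 switchport trunk allowed vlan 10,20
```

Two checks worth running once this is in place: `show etherchannel summary` on both stacks should show Po3 as `(SU)` with every member flagged `(P)`, which confirms LACP bundled links across both stack members; and `show ip access-lists USERS-IN` should show match counters climbing on the `deny ... log` line when a user host tries a non-published port on the server VLAN. Note that a routed ACL on the SVI only sees traffic crossing VLANs; host-to-host traffic inside VLAN 20 never touches it, which is the case where the VACL the reply mentions would be needed.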
