Switch Redundancy

CCDECCDE9
Level 1

Hi

I have an ASA with subinterfaces/VLANs for the DMZ. The DMZ network has a single switch with no layer-3 VLANs in it. The devices that were connected to this switch were down the other day due to a switch hardware failure. Is there a way I can make sure that these devices plugged into the switch(es) can stay up even if one switch dies?

Thanks


6 Replies

Jon Marshall
Hall of Fame

CCDECCDE9 wrote:

Hi

I have an ASA with subinterfaces/VLANs for the DMZ. The DMZ network has a single switch with no layer-3 VLANs in it. The devices that were connected to this switch were down the other day due to a switch hardware failure. Is there a way I can make sure that these devices plugged into the switch(es) can stay up even if one switch dies?

Thanks

You can add a second switch, but the problem is you only have one ASA to connect it to. And an ASA cannot have 2 interfaces with the same IP address or an IP address out of the same subnet, i.e. you can't create the same DMZ on two separate interfaces on the ASA.

So for redundancy you would need -

1) 2 switches

2) 2 ASA firewalls running in active/standby or active/active

3) each device in the DMZ would need to be dual homed to each switch, otherwise there is no point in 1) & 2)

Alternatively you could just have a spare switch with the correct config on it and ready to go.

It really depends on how much downtime costs the company and does this justify making a fully redundant setup.

Jon

Say I have two ASAs... When the switch of the primary ASA goes down, does the primary fail over to the secondary, and do all those devices go through the secondary now?

Also, does dual homed mean network card teaming you are referring to?

CCDECCDE9 wrote:

Say I have two ASAs... When the switch of the primary ASA goes down, does the primary fail over to the secondary, and do all those devices go through the secondary now?

Also, does dual homed mean network card teaming you are referring to?

If you have 2 ASAs you would set it up -

connect ASA1 to switch1 (SW1)

connect ASA2 to switch2 (SW2)

connect SW1 to SW2 with either a L2 trunk or a L2 access port, depending on whether you are running multiple VLANs on your DMZ switches.

Let's assume it is connected as above and ASA1 is the active firewall. SW1 is the switch that has the active NICs connected to it. Dual homed simply means each server has 2 NICs, one is active and the other is in standby mode.

1) Failure of active server NIC - server makes its other NIC active. This is connected to SW2. Traffic flows to SW2, across the link to SW1 and then to ASA1, which is the active firewall.

2) Failure of SW1 - the firewall fails over and ASA2 becomes active. The server NICs to SW2 also become active as SW1 has failed.

3) Failure of ASA1 - ASA2 takes over. The active NICs are still connected to SW1, so traffic goes from servers to SW1, across to SW2 and to ASA2.

Jon
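As an added illustration (not posted in the thread), here is the shape of the ASA and switch configuration that realises the three-step topology above, including the interface monitoring that makes scenario 2 (SW1 dies) trigger the ASA failover rather than leaving ASA1 active with a dead DMZ link. Interface names, VLAN 20, the failover-link subnet and the DMZ addressing are assumptions; ASA2 gets the same config with `failover lan unit secondary`, and SW2 mirrors SW1.

```cisco
! ===== ASA1 (primary unit) =====
! Failover link on Gi0/3, also used as the stateful link (assumed addressing)
failover
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key <shared-secret-placeholder>
!
! DMZ subinterface: one IP for the active unit, one standby IP taken by the peer.
! The same DMZ exists once, on whichever unit is active (cannot be duplicated on a second interface).
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/1.20
 vlan 20
 nameif DMZ
 security-level 50
 ip address 192.168.20.1 255.255.255.0 standby 192.168.20.2
!
! Subinterfaces are not health-monitored by default; enable it so that losing
! the link to SW1 fails the DMZ interface on ASA1 and ASA2 becomes active.
monitor-interface DMZ
failover polltime interface 1 holdtime 5

! ===== SW1 (SW2 is identical, facing ASA2 and the servers' second NICs) =====
vlan 20
 name DMZ
!
! 802.1Q trunk to the ASA so its subinterfaces see their tagged VLANs
interface GigabitEthernet0/1
 description ASA1 Gi0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 20
 switchport nonegotiate
!
! Inter-switch link carrying the DMZ VLAN, the path used in scenarios 1 and 3
interface GigabitEthernet0/24
 description Inter-switch link to SW2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 20
!
! Access port for a dual-homed server's active NIC (standby NIC on SW2 Gi0/2)
interface GigabitEthernet0/2
 description DMZ server NIC1
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
```

Restricting the allowed VLAN list on both trunks keeps unrelated VLANs off the DMZ switches, so a compromised DMZ host has no tagged path to anything but its own segment.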

If you really want redundancy, then you can take a pair of 6500E switches (with the right Sup) and convert them to a VSS set. This way you can connect each of your servers to 2 different switches that act logically like one, so when one switch is down, your servers are still forwarding traffic using the second switch. But your servers have to have 2 NICs, and on the server side you have to team your NICs together and run LACP to the switches. Then you connect your switches to a set of ASAs in active-active or active-passive.

HTH

Reza

sharifimr wrote:

If you really want redundancy, then you can take a pair of 6500E switches (with the right Sup) and convert them to a VSS set. This way you can connect each of your servers to 2 different switches that act logically like one, so when one switch is down, your servers are still forwarding traffic using the second switch. But your servers have to have 2 NICs, and on the server side you have to team your NICs together and run LACP to the switches. Then you connect your switches to a set of ASAs in active-active or active-passive.

HTH

Reza

Reza

Expensive DMZ though.

Just to add, you could also do the same with 2 stacked 3750 switches, which support cross-stack EtherChannel.

Jon

Jon,

I think I am subconsciously helping Cisco's earnings.

Reza
