High Availability for Firewalls, DMZ and edge routers

Apr 25th, 2008
We have two core 6509 switches running HSRP.

We have two firewalls in active/standby roles and want to implement a high availability structure with the core switches, firewalls and edge router.

In order to do this, I believe the inside interface of each firewall should go to each core switch, then have a separate DMZ switch for each firewall, with redundant connections from the servers to each DMZ.

My question involves the Internet edge router and MPLS router.

Is there any way to have the Internet edge router have dual connections to the firewalls and MPLS router?

How is this normally done?

Michael Odom Fri, 04/25/2008 - 18:36
Attach your MPLS router with one Ethernet interface to each of your cores in a point-to-point manner, and run a routing protocol like EIGRP or OSPF. The routing protocol will determine if there is a failure and route around the failed link.

You can do something similar on your Internet edge if your PIXes have the memory to run 7.0 (I think the 515Es can). 7.0 introduces OSPF, and you could run that to create a similar configuration on your external network.

You could also use a switch module in your 2800. I believe the part number is HWIC-4ESW for a 4-port module that will sit in an HWIC slot. However, I think you'll find that using the routing protocols will scale better.
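A worked configuration for the point-to-point attachment described above, added here as an illustration and not part of Michael Odom's reply. Each link between the MPLS router and a core is its own /30 subnet, OSPF runs on those two links only, and the core carries the HSRP-protected inside network. The interface names, the 10.255.1.0/30 and 10.255.1.4/30 addressing, the router IDs and the OSPF process number are all assumed values, not taken from the thread.

```cisco
! ===== MPLS router (e.g. a 2800): one Ethernet link to each core =====
hostname MPLS-RTR
!
interface FastEthernet0/0
 description P2P link to CORE-1 (assumed addressing)
 ip address 10.255.1.1 255.255.255.252
 ip ospf network point-to-point
 ip ospf hello-interval 1
 ip ospf dead-interval 3
!
interface FastEthernet0/1
 description P2P link to CORE-2 (assumed addressing)
 ip address 10.255.1.5 255.255.255.252
 ip ospf network point-to-point
 ip ospf hello-interval 1
 ip ospf dead-interval 3
!
router ospf 1
 router-id 10.255.0.3
 ! only the two core-facing links form adjacencies; everything else stays passive
 passive-interface default
 no passive-interface FastEthernet0/0
 no passive-interface FastEthernet0/1
 network 10.255.1.0 0.0.0.3 area 0
 network 10.255.1.4 0.0.0.3 area 0
!
! ===== CORE-1 (6509, native IOS): routed port toward the MPLS router =====
hostname CORE-1
!
interface GigabitEthernet1/1
 description P2P link to MPLS-RTR (assumed addressing)
 no switchport
 ip address 10.255.1.2 255.255.255.252
 ip ospf network point-to-point
 ip ospf hello-interval 1
 ip ospf dead-interval 3
!
router ospf 1
 router-id 10.255.0.1
 passive-interface default
 no passive-interface GigabitEthernet1/1
 network 10.255.1.0 0.0.0.3 area 0
 ! advertise the HSRP-protected inside network so MPLS-RTR learns it via both cores
 network 10.10.0.0 0.0.255.255 area 0
!
! ===== CORE-2 mirrors CORE-1 on the second /30 =====
hostname CORE-2
!
interface GigabitEthernet1/1
 description P2P link to MPLS-RTR (assumed addressing)
 no switchport
 ip address 10.255.1.6 255.255.255.252
 ip ospf network point-to-point
 ip ospf hello-interval 1
 ip ospf dead-interval 3
!
router ospf 1
 router-id 10.255.0.2
 passive-interface default
 no passive-interface GigabitEthernet1/1
 network 10.255.1.4 0.0.0.3 area 0
 network 10.10.0.0 0.0.255.255 area 0
```

After bringing the links up, `show ip ospf neighbor` on MPLS-RTR should list both cores in FULL state and `show ip route` should show the inside network with two equal-cost next hops (10.255.1.2 and 10.255.1.6). Pulling either cable drops that adjacency within the 3-second dead interval and traffic follows the surviving path; `ip ospf network point-to-point` avoids a DR election on what is really a two-node link, and `passive-interface default` keeps OSPF hellos off interfaces that do not need them.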

wilson_1234_2 Fri, 04/25/2008 - 20:33
Thanks for the reply.

We have OSPF on the firewalls (soon to be ASAs), but I'm not sure what you mean about attaching in a point-to-point manner.

Each interface will have to be in a different subnet, correct?

Can you give an example of what you are talking about?
