LAN termination on 6500 Chassis

Oct 11th, 2008

Should there be any reason to ever connect two physical links from a single firewall to dual 6500 chassis for redundancy? Or is a single physical link sufficient, as the redundancy is attained via firewall failover, i.e. connected to the second 6500 chassis?


Regards.

royalblues Sat, 10/11/2008 - 02:56

Do you mean to say 2 interfaces from the firewall are connected to one switch?


This type of connection will not provide any redundancy, as each firewall interface would be required to be in a separate subnet/network.


Normally, each firewall will have one connection to each of the switches to maintain redundancy.


HTH

Narayan

new_networker Sat, 10/11/2008 - 09:19

Quote

Normally, each firewall will have one connection to each of the switches to maintain redundancy.

Unquote


How would the redundancy be maintained? Please explain.


Regards.

Jon Marshall Tue, 10/14/2008 - 07:11

You have 2 6500 switches.


6500_1 is the active gateway for HSRP and the STP root.

6500_2 is standby.


They are connected via a L2 trunk.


You have a server vlan - vlan 10 that is routed off the 6500 switches and the servers are dual connected to each 6500.


You have 2 firewalls.


FW1 inside interface is connected to 6500_1 and is the active firewall.

FW2 inside interface is connected to 6500_2 and is the standby firewall.


The firewalls are connected to the 6500 switches on the inside using vlan 20.


So the traffic path at the moment is servers to HSRP default gateway on 6500_1 to FW1.


Scenario 1

==========


The 6500_1 vlan 10 interface goes down (could be shut down accidentally, etc.).


HSRP moves the active gateway to 6500_2.

The server now sends traffic to the active gateway on 6500_2.


The 6500_2 switch then routes the traffic onto vlan 30 and switches it across the trunk to 6500_1, then to FW1.


Scenario 2

==========


6500_1 switch fails completely.


HSRP again moves across to 6500_2.


Because the whole switch has died, the active firewall has lost its connection to 6500_1, so the standby firewall stops receiving failover info on its inside interface and so becomes active.


Traffic path is now: server -> 6500_2 -> FW2


Scenario 3

==========


The inside interface of the active FW, or the port on 6500_1 that it connects to, goes down.


Same reasoning as before in terms of firewalls, i.e. the standby becomes active because it no longer receives failover info on its inside interface.


But the HSRP gateway stays on 6500_1. So the traffic path is server -> 6500_1 -> 6500_2 -> FW2.


There are other failure scenarios, but these should give you an idea of how this connectivity from the firewalls provides redundancy.


Jon
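As an added illustration of the three failover scenarios above (not part of the original thread), here is a small Python model of the topology Jon describes. Switch, firewall and vlan names are taken from the post; the per-device state flags and the path rules are a constructed simplification (HSRP active follows 6500_1 while its chassis and vlan 10 SVI are up; the standby firewall takes over when the active one loses its inside link).

```python
from dataclasses import dataclass


@dataclass
class Fabric:
    """Constructed model: two 6500s joined by an L2 trunk, HSRP on the server
    vlan (vlan 10), and an active/standby firewall pair whose inside
    interfaces land on different chassis (FW1 on 6500_1, FW2 on 6500_2)."""
    sw1_up: bool = True          # 6500_1 chassis alive
    sw2_up: bool = True          # 6500_2 chassis alive
    sw1_vlan10_up: bool = True   # vlan 10 SVI on 6500_1 (HSRP active by priority)
    fw1_inside_up: bool = True   # FW1 inside link, FW side or 6500_1 port
    fw2_inside_up: bool = True   # FW2 inside link, FW side or 6500_2 port

    def hsrp_active(self):
        # 6500_1 keeps the HSRP active role while its chassis and vlan 10 SVI
        # are up; otherwise 6500_2 takes over (if it is alive).
        if self.sw1_up and self.sw1_vlan10_up:
            return "6500_1"
        if self.sw2_up:
            return "6500_2"
        return None

    def active_firewall(self):
        # FW1 stays active while failover hellos can cross its inside
        # interface, which needs both that link and 6500_1 to be up.
        if self.sw1_up and self.fw1_inside_up:
            return "FW1"
        if self.sw2_up and self.fw2_inside_up:
            return "FW2"
        return None

    def path(self):
        # Server -> HSRP gateway -> (trunk hop if the active firewall hangs
        # off the other chassis) -> active firewall.
        gw, fw = self.hsrp_active(), self.active_firewall()
        if gw is None or fw is None:
            return None  # no gateway or no firewall left: traffic is black-holed
        fw_switch = {"FW1": "6500_1", "FW2": "6500_2"}[fw]
        hops = ["server", gw]
        if fw_switch != gw:
            hops.append(fw_switch)  # routed on gw, then switched across the trunk
        hops.append(fw)
        return hops


if __name__ == "__main__":
    for name, f in [("normal", Fabric()),
                    ("scenario 1", Fabric(sw1_vlan10_up=False)),
                    ("scenario 2", Fabric(sw1_up=False)),
                    ("scenario 3", Fabric(fw1_inside_up=False))]:
        print(f"{name}: {' -> '.join(f.path())}")
```

Flags can be combined freely to check failure cases the post does not walk through, e.g. vlan 10 SVI down and FW1 inside link down at the same time.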

new_networker Tue, 10/14/2008 - 19:48

Great!


Could you please suggest whether GLBP would be better than HSRP on the Cat6500? If so, how will the failover happen?


Thanks.

Scott Cannon Tue, 10/14/2008 - 21:25

The only advantage GLBP has over HSRP or VRRP is the ability to load balance, i.e. active-active with GLBP vs active-standby with HSRP/VRRP.


I'm guessing you are not going to want to load balance, so HSRP is your best bet.

Jon Marshall Tue, 10/14/2008 - 23:33

Do you mean GLBP for the vlan that connects the ASAs to the 6500s? If so, you get no benefit from GLBP on this vlan, because GLBP load-balances different end devices to different gateways within the same vlan, but you only have one end device, i.e. the active firewall, so HSRP would be just as good.


If you mean GLBP vs HSRP in general, it is really a matter of preference and traffic patterns.


Jon

new_networker Wed, 10/15/2008 - 04:28

I mean GLBP vs HSRP on the Cat6500. One of the plus points I can think of with HSRP is easy troubleshooting.


If the traffic is spread all over, the resolution time increases.


Can you please shed some light on what kind of traffic pattern may demand GLBP on the Cat 6500 (with the assumption that a single chassis can take the complete load of the network/application)?

Correct Answer
Jon Marshall Wed, 10/15/2008 - 04:40

If you have the following assumption, "that a single chassis can take the complete load of the network/application", then it really isn't going to make much difference to you.


With HSRP, a failover affects every client, whereas with GLBP the failure of one router does not necessarily affect every client.


And if you want to use both 6500 switches as gateways for different vlans, then it requires additional configuration for HSRP.


Having said that, if you are more comfortable with HSRP and it is more straightforward, I don't think any advantages of GLBP outweigh this; I would use HSRP. This is in contrast, for example, to a choice between RSTP and STP, where I would always go for RSTP provided it was supported.


Jon

sateeshk10 Fri, 10/17/2008 - 12:31

Hi,


Sorry to interrupt you guys..


I am also planning to design the same. But I have a small query...


I am planning to create a single VLAN per access switch in the core, as mentioned above.


Create EtherChannel between access switches.


I will pass single vlan per access switch.


Is it OK, or do I need to go for a VTP domain (plan for datacenter)?


I am planning to create one VLAN per rack/access switch.


Please suggest/comment.


Regards

sateesh
