LAN termination on 6500 Chassis

new_networker
Level 1

Should there be any reason to ever connect two physical links from a single firewall to dual 6500 chassis for redundancy? Or is a single physical link sufficient, as the redundancy is attained via firewall failover, i.e. the standby firewall being connected to the second 6500 chassis?

Regards.


10 Replies

royalblues
Level 10

Do you mean to say 2 interfaces from the firewall are connected to one switch?

This type of connection will not provide any redundancy as each firewall interface would be required to be in a separate subnet/network.

Normally, each firewall will have one connection to each of the switches to maintain redundancy.

HTH

Narayan

Quote

Normally, each firewall will have one connection to each of the switches to maintain redundancy.

Unquote

How would the redundancy be maintained? Please explain.

Regards.

Please assist.

You have 2 6500 switches

6500_1 is active gateway for HSRP and STP root

6500_2 is standby.

They are connected via a L2 trunk.

You have a server vlan - vlan 10 that is routed off the 6500 switches and the servers are dual connected to each 6500.

You have 2 firewalls

FW1 inside interface is connected to 6500_1 and is the active firewall

FW2 inside interface is connected to 6500_2 and is the standby firewall.

The firewalls are connected to 6500 switches on the inside using vlan 20

So the traffic path at the moment is servers to HSRP default gateway on 6500_1 to FW1.

Scenario 1

==========

The 6500_1 vlan 10 interface goes down - could be shut down accidentally etc.

HSRP moves the active gateway to 6500_2.

Server now sends traffic to active gateway on 6500_2.

The 6500_2 switch then routes the traffic onto vlan 30 and switches it across the trunk to 6500_1 then to FW1.

Scenario 2

==========

6500_1 switch fails completely.

HSRP again moves across to 6500_2.

Because the whole switch has died, the active firewall has lost its connection to 6500_1, so the standby firewall stops receiving failover info on the inside interface and so becomes active.

Traffic path is now - server -> 6500_2 -> FW2

Scenario 3

==========

Inside interface of the active FW, or the port on 6500_1 that it connects to, goes down.

Same reasoning as before in terms of firewalls, i.e. standby becomes active because it no longer receives failover info on the inside interface.

But the HSRP gateway stays on 6500_1. So the traffic path is server -> 6500_1 -> 6500_2 -> FW2.

There are other failure scenarios but these should give you an idea of how this connectivity from the firewalls provides redundancy.

Jon
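The two-chassis layout Jon describes above, written out as an added Cisco IOS configuration example. This is not configuration from the original thread: the interface names, the VLAN 10/20 addressing, the firewall inside address and the HSRP key placeholder are all constructed for illustration, and the firewall pair is assumed to share one inside IP via its own active/standby failover (which is why the 6500s route to a single firewall address rather than to each unit).

```cisco
! ===== 6500_1 : HSRP active gateway and STP root (constructed example) =====
spanning-tree vlan 10,20 root primary
!
vlan 10
 name SERVERS
vlan 20
 name FW-INSIDE
!
! L2 trunk to 6500_2 - carries both the server vlan and the firewall inside vlan,
! so 6500_2 can still reach FW1 across the trunk in scenario 1 above
interface GigabitEthernet1/1
 description Trunk to 6500_2
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! FW1 inside interface - an access port in vlan 20 (constructed port number)
interface GigabitEthernet1/2
 description FW1 inside interface
 switchport
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
!
! Server gateway: HSRP group 10, priority 110 so 6500_1 is active and
! preempts when it recovers. If this SVI is shut (scenario 1) the group
! fails over to 6500_2 after the hold timer expires.
interface Vlan10
 ip address 10.10.10.2 255.255.255.0
 standby 10 ip 10.10.10.1
 standby 10 priority 110
 standby 10 preempt
 standby 10 timers 1 3
 standby 10 authentication md5 key-string HSRP-KEY-PLACEHOLDER
!
! Firewall-facing SVI: the firewall's inside default route points at the
! HSRP address 10.20.20.1, so return traffic also survives a chassis failure.
interface Vlan20
 ip address 10.20.20.2 255.255.255.0
 standby 20 ip 10.20.20.1
 standby 20 priority 110
 standby 20 preempt
 standby 20 timers 1 3
 standby 20 authentication md5 key-string HSRP-KEY-PLACEHOLDER
!
! Default route toward the firewall pair's shared inside address (constructed).
! Each 6500 reaches it in vlan 20 directly, or across the trunk when the
! active firewall hangs off the other chassis.
ip route 0.0.0.0 0.0.0.0 10.20.20.10

! ===== 6500_2 : HSRP standby - only the lines that differ =====
spanning-tree vlan 10,20 root secondary
!
interface GigabitEthernet1/2
 description FW2 inside interface
 switchport
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
!
interface Vlan10
 ip address 10.10.10.3 255.255.255.0
 standby 10 ip 10.10.10.1
 standby 10 priority 100
 standby 10 preempt
 standby 10 timers 1 3
 standby 10 authentication md5 key-string HSRP-KEY-PLACEHOLDER
!
interface Vlan20
 ip address 10.20.20.3 255.255.255.0
 standby 20 ip 10.20.20.1
 standby 20 priority 100
 standby 20 preempt
 standby 20 timers 1 3
 standby 20 authentication md5 key-string HSRP-KEY-PLACEHOLDER
!
ip route 0.0.0.0 0.0.0.0 10.20.20.10
```

The MD5 key lines are a defensive addition rather than something the thread discusses: without authentication any host in the server VLAN that can speak HSRP could claim the gateway address, and the key keeps a rogue speaker from winning the election. The priority values are also what you would flip per VLAN if, as Jon notes later in the thread, you wanted each chassis to be the active gateway for different VLANs (priority 110 on 6500_2 and 100 on 6500_1 for those groups) rather than keeping everything active on 6500_1.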

Great!

Could you please suggest whether GLBP would be better than HSRP on Cat6500. If so, how will the failover happen.

Thanks.

The only advantage GLBP has over HSRP or VRRP is the ability to load balance, i.e. active-active with GLBP vs active-standby with HSRP/VRRP.

I'm guessing you are not going to want to load balance so HSRP is your best bet.

Do you mean GLBP for the vlan that connects the ASAs to the 6500s? If so you get no benefit from GLBP on this vlan because GLBP load-balances different end devices to different gateways within the same vlan, but you only have one end device, i.e. the active firewall, so HSRP would be just as good.

If you mean GLBP vs HSRP in general, it is really a matter of preference and traffic patterns.

Jon

I mean GLBP vs HSRP on Cat6500. One of the plus points I can think of with HSRP is easy troubleshooting.

If the traffic is spilled all over, the resolution time increases.

Can you please shed some light on what kind of traffic pattern may demand GLBP on Cat 6500 (with the assumption that a single chassis can take the complete load of the network/application).

If you have the following assumption "that single chassis can take complete load of the network/application" then it really isn't going to make much difference to you.

With HSRP, failover affects every client, whereas with GLBP the failure of one router does not necessarily affect every client.

And if you want to use both 6500 switches as gateways for different vlans then it requires additional configuration for HSRP.

Having said that, if you are more comfortable with HSRP and it is more straightforward, I don't think any advantages of GLBP outweigh this - I would use HSRP. This is in contrast, for example, to a choice between RSTP and STP, where I would always go for RSTP provided it was supported.

Jon

Hi,

Sorry to interrupt you guys..

I am also planning to design the same. But I have a small query...

I am planning to create a single VLAN per access switch in the core as mentioned above.

Create EtherChannel between access switches.

I will pass a single VLAN per access switch.

Is it ok or do I need to go for a VTP domain (plan for datacenter)?

I am planning to create one VLAN per rack/access switch.

Please suggest/comment.

Regards

sateesh
