HA design

Unanswered Question
Aug 2nd, 2009

Hi Experts,


This is a design requirement. Please find the attached two network diagrams: one is the Logical Diagram (HA Design.pdf) and the other is the Physical wiring of this Logical Design Diagram (HA Design - Physical wiring.pdf).


As you can see, all the devices are dual: I have 2 Cisco ASA FW, 2 Cisco 1841 Router, 2 Cisco 3560 L3 switch and 2 Cisco 2960 switch. This is to achieve High Availability in the devices and avoid single points of failure.


As referred to in the Diagram (HA Design - Physical wiring.pdf), is this the way the devices have to be connected? If yes, then again there is a single point of failure in HUB-1 and HUB-2.


I am worried whether I am following the Industry standard for achieving HA Network.


I seek your valuable response and help on this.



Jon Marshall Sun, 08/02/2009 - 07:12

Sathya


Yes you are right in that the hubs are a single point of failure.


The hub between the inside interfaces of the ASAs and the 3560 switches - this isn't needed. Just connect your ASAs directly to the 3560 switches instead and you have removed one of the single points of failure.


As for the hub on the outside - ideally you will need to replace it with a pair of L2 switches if at all possible.


Jon

snarayanaraju Sun, 08/02/2009 - 08:53

Hi Jon,


Thanks for your reply. After reading your suggestion, I understood the way. Yes, I can connect ASA directly to 3560 switch, like ASA-1 will be connected to 3560-1 and ASA-2 will be connected to 3560-2.


I need not connect ASA-1 to 3560-2 and ASA-2 to 3560-1, & still achieve the HA redundancy using health monitoring in ASA. Is this correct?


But I do not understand how the single point of failure can be avoided in HUB between ROUTER & ASA. I think I can configure BVI interface in the Router (if it has 2 FastEthernet) and connect to cables in the two different HUBs.


Will it work out?


sairam


Jon Marshall Sun, 08/02/2009 - 09:46

Sairam


"I need not connect ASA-1 to 3560-2 and ASA-2 to 3560-1, & still achieve the HA redundancy using health monitoring in ASA. Is this correct?"


Correct, you do not need to cross connect the ASA devices. So ASA1 -> 3560-1 and ASA2 -> 3560-2 will be fine.


As for the outside you have 2 internet connections - are they to different ISPs and are you dealing with 2 different public address ranges or do you have your own provider independent range?


Jon
