Redundancy on corporate LAN

Unanswered Question
Nov 3rd, 2009


In a corporate LAN, where office employees are connected to the inside network, how is the redundancy maintained?

For example, if the overall network setup is Active/Passive such as

1. FrontEnd Firewalls (Active/Passive)

2. Firewall DMZ Server farm - Mail/Web Servers

3. Backend Firewalls (Active/Passive)

4. Redundant switches connected on the inside of Backend Firewalls

5. Client PCs connected to the inside switches that are connected to Backend firewalls.

So for point 5, how is the client redundancy maintained with regards to the switch pair? Should half of the clients be connected to switchA and the other half to switchB? Or should all clients be connected to switchA and switchB be left with empty ports, and whenever switchA fails, all cables be removed and connected to switchB?


Giuseppe Larosa Tue, 11/03/2009 - 09:28


The switch block can be developed into two levels:

Two distribution level devices, which can be what you have named switchA and switchB.

Access layer switches, each with two uplinks (one to switchA and one to switchB), are deployed.

Because end user devices have only one NIC, the usually accepted single point of failure is the access layer switch.

Hope to help


Jon Marshall Tue, 11/03/2009 - 11:59

As Giuseppe says, a client connected with a single NIC is always going to be a single point of failure.

However, in answer to your point 5, yes, it would make sense to spread the clients across both switches. If your internal users are in different departments it also makes sense to spread the department PCs across the two switches so no one department is isolated if there is a switch failure.

Note that there is a lot to be said about switch/firewall redundancy, whole books have been written on those subjects, but that wasn't what you were asking.
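The two answers above describe a design rather than show it, so here is an added example (not code from the thread or from any of its posters) that models the two-tier switch block as a small graph and computes which single-NIC clients lose their path to the inside firewall when a given switch fails. It covers Giuseppe's point (dual uplinks make the distribution pair redundant, the access switch stays a single point of failure) and Jon's (spreading a department across access switches keeps the department from being isolated). The topology, the node names (core, switchA, switchB, acc1, acc2, pc1..pc4) and the department assignments are all constructed assumptions for the example; "core" stands in for the inside interface of the backend firewall pair.

```python
"""Failure-impact model of a two-tier switch block (constructed example).

Hypothetical topology, assumed for illustration only:
  core    - inside interface of the backend firewall pair, treated as one node
  switchA/switchB - distribution pair, each uplinked to core
  acc1/acc2       - access switches, each with one uplink to switchA and one to switchB
  pc1..pc4        - single-NIC client PCs, each patched into exactly one access switch
"""
from collections import deque

# Constructed sample links (undirected).
LINKS = [
    ("core", "switchA"), ("core", "switchB"),
    ("acc1", "switchA"), ("acc1", "switchB"),
    ("acc2", "switchA"), ("acc2", "switchB"),
    ("pc1", "acc1"), ("pc2", "acc1"),
    ("pc3", "acc2"), ("pc4", "acc2"),
]

# Constructed department assignments. DEPARTMENTS spreads each department across
# both access switches; DEPARTMENTS_CLUSTERED puts a whole department on one switch.
DEPARTMENTS = {"pc1": "finance", "pc2": "hr", "pc3": "finance", "pc4": "hr"}
DEPARTMENTS_CLUSTERED = {"pc1": "finance", "pc2": "finance", "pc3": "hr", "pc4": "hr"}


def build_graph(links, failed=()):
    """Undirected adjacency list with every failed node (and its links) removed."""
    down = set(failed)
    graph = {}
    for a, b in links:
        if a in down or b in down:
            continue
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def reachable(graph, start):
    """Nodes reachable from start by breadth-first search (empty if start has no links left)."""
    if start not in graph:
        return set()
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def isolated_clients(links, clients, failed, target="core"):
    """Clients that can no longer reach target once the nodes in failed are down."""
    graph = build_graph(links, failed)
    return sorted(c for c in clients if target not in reachable(graph, c))


def isolated_departments(links, departments, failed, target="core"):
    """Departments with no remaining client able to reach target."""
    isolated = set(isolated_clients(links, departments, failed, target))
    members = {}
    for pc, dept in departments.items():
        members.setdefault(dept, []).append(pc)
    return sorted(d for d, pcs in members.items() if all(p in isolated for p in pcs))


def failure_report(links, departments, target="core"):
    """Single-failure blast radius: each infrastructure node -> clients it isolates."""
    infrastructure = sorted({n for link in links for n in link} - set(departments) - {target})
    return {node: isolated_clients(links, departments, (node,), target) for node in infrastructure}


if __name__ == "__main__":
    for node, lost in failure_report(LINKS, DEPARTMENTS).items():
        print(f"{node:8s} down -> isolated clients: {lost or 'none'}")
    print("acc1 down, departments spread:   ", isolated_departments(LINKS, DEPARTMENTS, ("acc1",)))
    print("acc1 down, departments clustered:", isolated_departments(LINKS, DEPARTMENTS_CLUSTERED, ("acc1",)))
```

Running it shows that losing either distribution switch isolates nobody (every access switch still has its second uplink), losing an access switch isolates exactly the PCs patched into it, and only the clustered cabling plan takes a whole department offline in that case. The same functions can be pointed at a real cabling inventory to check a proposed patching plan before the next switch fails.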


iyde Thu, 11/05/2009 - 11:10

And in the end it all boils down to money, i.e. how much money your company will be willing to spend on duplicate switches in the access layer etc. compared to the statistical risk of switch failure and the time to have a spare switch installed.

So in the end, there's no simple answer to this question. For some situations a downtime of half an hour is acceptable, while for other companies half an hour of downtime for users will cost tens of thousands of dollars (perhaps exaggerated a little to make the point...).

HTH, Ingolf

