Failover between routers

Answered Question
Jan 9th, 2010

Hello,

Please find the attached diagram.

I want to route traffic to the web server. I'm using static routes pointing to the respective next-hop on a particular router; the devices on the customer end are ASA firewalls. The customer has asked for the preferred interface to be from firewall-1, and I have configured that by increasing the local preference of the route.

The link between the distribution switches and the core is MPLS and the customer is configured in the VRF.

Now the issue is:

The customer says that when firewall-1 fails, firewall-2 will become active using the same inside interface IP as firewall-1. If so, then all the traffic destined to the web server from switch-2 to the next-hop 10.28.50.42 will drop, so in this situation what techniques should we apply?

Is there any link or book which will help me?

I have ZERO in-depth knowledge of firewalls, only the basics.

Thanks

Giuseppe Larosa Sat, 01/09/2010 - 04:41

Hello Andy,

if the firewall pair is active/standby,

>> customer  says that when the firewall-1 fails firewall-2 will be active by the same inside interface IP of firewall-1,

this is correct: the new active firewall takes the same IP address that was on the previously active one.

This means that you need to use as IP next-hop only the IP address of the active firewall.

This is the way we handle static routes to an active/standby firewall pair using only active IP address as next-hop.

Both routers need the same IP static route using the same IP next-hop.

In case of failover new active ASA sends a gratuitous ARP to update ARP entry on routers.

There is also an active/active failover strategy, but this doesn't seem to apply to your case.

Hope to help

Giuseppe

thomasandy32 Sat, 01/09/2010 - 05:09

Hello Giuseppe,

Thanks for your immediate response.

But the IP address configured on the switch-2 interface is 10.28.50.41 255.255.255.248.

I should remove the static route 10.10.10.1 255.255.255.240 10.28.50.42 and I should use 10.10.10.1 255.255.255.240 10.28.50.34.

But it is strange to me how the traffic will be routed; can you explain it to me?

Suppose a packet destined for the web server comes in on switch-2: how will it find the next-hop 10.28.50.33, though it doesn't have any active interface in this subnet?

Giuseppe Larosa Sat, 01/09/2010 - 05:19

Hello Andy,

your note is correct.

The network design has to be reviewed to share a common IP subnet/VLAN between the two firewalls and the distribution switches. A L2 trunk between the two switches can do this job.

Sorry for not having seen this in the diagram. Again this is what we do on multilayer switches and it is valid for external firewalls and for internal FWSM blades as well.

Hope to help

Giuseppe

thomasandy32 Sat, 01/09/2010 - 05:31

Hello Giuseppe,

Is there any other alternative solution you can advise me instead of connecting the 2 distribution PE routers with a trunk and the same IP subnet?

Thanks.

Correct Answer
Giuseppe Larosa Sat, 01/09/2010 - 07:57

Hello Andy,

Unfortunately the common IP subnet is a requirement for this failover scenario: because the standby device has to take the same IP address as the active one, they must be in the same IP subnet.

I can say we have multilayer switches acting as PE nodes and with connections to firewalls.

If your devices are routers you would need to deploy two LAN switches in the middle with a L2 trunk between them.

But they look like multilayer switches.

Remove the routed ports and give the IP address to an SVI (VlanX); you can put the SVI under the VRF, we do this commonly.

The routed port becomes a switchport, an access port in VLAN X.

Hope to help

Giuseppe

thomasandy32 Sat, 01/09/2010 - 08:29

Hello Giuseppe,

My distribution switches are 6500s, so from your mail below what I understand is:

Distribution-1

interface Vlan23
 ! apply the VRF before the address: "ip vrf forwarding" clears any address already on the SVI
 ip vrf forwarding A
 ip address 10.28.50.33 255.255.255.240

The firewall-1 IP address will be 10.28.50.34

interface GigabitEthernet2/48
 ! trunk mode needs a switched port, so "switchport" rather than "no switchport"
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk

Distribution-2

interface Vlan23
 ip vrf forwarding A
 ip address 10.28.50.35 255.255.255.240

The firewall-2 IP address will be 10.28.50.36

interface GigabitEthernet2/48
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk

Now the interfaces are all in the same VLAN. Please confirm the configs so I can go ahead and configure.

Thanks

Giuseppe Larosa Sat, 01/09/2010 - 08:38

Hello Andy,

The ports toward the firewall are placed in VLAN 23:

interface Gix/y
 switchport
 switchport mode access
 switchport access vlan 23

The trunk is between the two C6500s and should allow VLAN 23.

Ideally you should deploy an etherchannel made of two GE links for redundancy.

To provide redundancy to the firewalls an HSRP group can be deployed, so add to the SVI on both C6500s.

On the first C6500:

interface Vlan23
 ip address 10.28.50.37 255.255.255.240
 standby 23 ip 10.28.50.33
 standby 23 priority 105
 standby 23 preempt

On the second C6500:

interface Vlan23
 ip address 10.28.50.35 255.255.255.240
 standby 23 ip 10.28.50.33
 standby 23 priority 100
 standby 23 preempt

So the firewall has to use as next-hop for its static route 10.28.50.33, that is the HSRP VIP.

1 IP address used by the VIP, 1 address used by each 6500, 1 IP address for each ASA: five addresses are needed.

The C6500 nodes use as next-hop the IP address of the active ASA firewall.

Hope to help

Giuseppe
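The design Giuseppe describes above, pulled together into one configuration as an added example; it is not configuration from the thread, from Cisco or from any project. It shows both C6500 SVIs in VRF A sharing HSRP group 23 on VLAN 23, access ports toward each ASA, an L2 etherchannel trunk between the two switches carrying only VLAN 23, the VRF static route toward the web server via the active ASA address only, and the ASA side pointing at the VIP. Addresses follow the thread (VIP 10.28.50.33, switch SVIs 10.28.50.37 and 10.28.50.35, active ASA inside 10.28.50.34); the etherchannel member ports Gi1/1-2, the web-server prefix 10.10.10.0/28 and the ASA summary route are assumptions made for the example.

```cisco
! ===== Distribution-1 (C6500 PE, HSRP active) =====
! VRF "A" is assumed to exist already (it carries the customer in the MPLS core)
vlan 23
 name FW-INSIDE
!
interface Vlan23
 ! VRF first: "ip vrf forwarding" removes any IP address already on the SVI
 ip vrf forwarding A
 ip address 10.28.50.37 255.255.255.240
 standby 23 ip 10.28.50.33
 standby 23 priority 105
 standby 23 preempt
!
! port toward ASA-1 inside: access port in VLAN 23 (no longer a routed port)
interface GigabitEthernet2/48
 switchport
 switchport mode access
 switchport access vlan 23
!
! L2 etherchannel to Distribution-2; member ports Gi1/1-2 are an assumption
interface Port-channel1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 23
!
interface range GigabitEthernet1/1 - 2
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 23
 channel-group 1 mode active
!
! route toward the web server (10.10.10.0/28 assumed): next-hop is the ACTIVE ASA
! inside address only; after failover the new active ASA answers for it via gratuitous ARP
ip route vrf A 10.10.10.0 255.255.255.240 10.28.50.34

! ===== Distribution-2 (C6500 PE, HSRP standby) =====
vlan 23
 name FW-INSIDE
!
interface Vlan23
 ip vrf forwarding A
 ip address 10.28.50.35 255.255.255.240
 standby 23 ip 10.28.50.33
 standby 23 priority 100
 standby 23 preempt
!
interface GigabitEthernet2/48
 switchport
 switchport mode access
 switchport access vlan 23
!
interface Port-channel1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 23
!
interface range GigabitEthernet1/1 - 2
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 23
 channel-group 1 mode active
!
ip route vrf A 10.10.10.0 255.255.255.240 10.28.50.34

! ===== ASA (active unit; replicated to the standby by failover) =====
! static route toward the PE side uses the HSRP VIP, which stays up while either C6500 is up
! 10.0.0.0/8 as the summary of the networks behind the PEs is an assumption
route inside 10.0.0.0 255.0.0.0 10.28.50.33 1
```

The check worth doing after applying this: `show standby brief` on both C6500s should show one Active and one Standby for group 23 with VIP 10.28.50.33, and `show ip arp vrf A 10.28.50.34` on each switch should resolve to the MAC of whichever ASA is currently active; if it does not move after a forced ASA failover, VLAN 23 is not actually shared across the trunk.
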

thomasandy32 Sat, 01/09/2010 - 09:04

Thanks.

I appreciate your experience and patience.

I will apply the configs and get back to you by tomorrow.

Thanks for your reply.

thomasandy32 Sun, 01/10/2010 - 21:41

Hello,

The customer has come up with an alternative solution on his end without changing the subnet between the firewalls and the PE routers. I have a doubt whether it will work or not.

Please find the attached Visio diagram.

He connected a switch in between the firewalls and the PE routers and configured a firewall VLAN on the switch, "vlan 34". All 6 ports are in VLAN 34. He has also configured IP SLA tracking my distribution switch-1 IP address: as soon as the link between distribution switch-1 and the active firewall fails, the firewall will switch the traffic over to 10.28.50.41 with a source IP of 10.28.50.42. He has configured 2 static routes with a high administrative distance for distribution switch-2.

Will these configs work?


Thanks,

Giuseppe Larosa Mon, 01/11/2010 - 03:12

Hello Andy,

The first important objection to this design is the following:

that L2 switch is a single point of failure: if it fails no communication is possible, with a waste of 4 devices: two multilayer switches and two firewalls!!

Second note: introducing this device in the middle is dangerous because, if a PE fails for example, the ASA cannot detect it.

Even if it is a layer 2 switch, it only causes problems.

Of course, lacking direct connections with the PE nodes, IP SLA is then needed on the ASA to track the availability of your devices.

But HSRP is there to provide a default VIP to be used as a reliable, always-on next-hop IP address for static routes on the ASA.

The best solution is the schema we were discussing: there is no single point of failure, and it is a dramatic difference.

If one ASA or one PE switch fails, the schema we have discussed still works.

The schema proposed by your customer introduces a single point of failure.

And it causes a need for a more complex configuration (the IP SLA to track IP next-hops on the PE switches).

I see only disadvantages in it, as I think you see too.

Either the customer puts two switches in the picture or this solution is not acceptable.

Hope to help

Giuseppe

thomasandy32 Mon, 01/11/2010 - 05:48

Hello Giuseppe,

>> Either the customer puts two switches in the picture or this solution is not acceptable.

Sorry, I missed it in the Visio diagram: he has 2 Nos. 4500 L3 core switches in between the firewalls and the PE routers, and 2 links from each firewall to each core switch.

I have read the IP SLA configuration guide,

http://www.cisco.com/en/US/docs/ios/ipsla/configuration/guide/12_2sx/sla_12_2sx_book.html.

If I'm not wrong he may be approaching it with the ICMP path echo operation or the ICMP echo operation of IP SLA. But Giuseppe, how does the IP SLA work? There is no such track command as with HSRP; how does it find the interface which goes down, and how will IP SLA remove the static route?

I guess with the below command; correct me if I am wrong?

icmp-echo {destination-ip-address |
destination-hostname} [source-ip {ip-address |
hostname} | source-interface interface-name]

Thanks for ur reply.

Giuseppe Larosa Mon, 01/11/2010 - 06:03

Hello Andy,


The IP SLA can be used to create a track object that is associated with the static route when it is configured;

see

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ip.html#wp1090243

this shows the configuration of reliable static routing with object tracking on ASA version 8.0.

for reliable static routing on routers and multilayer switches see

http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xe/feature/guide/dbackupx.html

However, all this is not needed if the firewalls are directly connected to the PE nodes; this is why I wrote of increased complexity.

What I mean is:

if you follow my schema, the IP next-hop of the static routes on the firewalls is the HSRP VIP offered by the two PE nodes.

With HSRP there is no need to track anything, because the VIP is alive as long as one PE is alive.

This can be done also by using the two customer switches, if they provide L2 services (= a common VLAN) and they have that L2 trunk between them.

I'm not sure that having each ASA connected to both switches can be a benefit, unless the second interface is the failover interface.

Hope to help

Giuseppe
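For completeness, what the tracked static route that Giuseppe links to looks like on both sides, as an added example that is not configuration from the thread or from the linked Cisco guides: on ASA 8.0 an `sla monitor` echo operation feeding a `track` object, a primary route bound to that object and a backup route at a higher administrative distance, and on the IOS side the `ip sla`/`track` equivalent on a PE switch for the VRF route toward the web server. Addresses come from the thread's original /29 layout (switch-1 10.28.50.33, switch-2 10.28.50.41, ASA-1 inside 10.28.50.34) and assume both PE addresses are reachable from the ASA inside interface, as in the customer's single VLAN 34; the summary 10.0.0.0/8 for the networks behind the PEs and the web-server prefix 10.10.10.0/28 are assumptions. As Giuseppe says, none of this is needed once the HSRP VIP is the next-hop.

```cisco
! ===== ASA 8.0: reliable static routing with object tracking =====
! probe the primary PE (switch-1) through the inside interface every 10 s, 3 packets per probe
sla monitor 1
 type echo protocol ipIcmpEcho 10.28.50.33 interface inside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
!
! track object 1 goes DOWN when the echo operation loses reachability
track 1 rtr 1 reachability
!
! primary route via switch-1 is withdrawn when track 1 is down;
! the backup via switch-2 (AD 254) then becomes the best route
route inside 10.0.0.0 255.0.0.0 10.28.50.33 1 track 1
route inside 10.0.0.0 255.0.0.0 10.28.50.41 254

! ===== IOS / C6500 (12.2SX syntax): track the active ASA from the PE =====
! the probe runs inside VRF A and is sourced from the PE's own address toward the ASA
ip sla 1
 icmp-echo 10.28.50.34 source-ip 10.28.50.33
 vrf A
 frequency 5
ip sla schedule 1 life forever start-time now
!
! damp flaps: declare down after 10 s of failures, up after 5 s of success
track 1 ip sla 1 reachability
 delay down 10 up 5
!
! web-server route (10.10.10.0/28 assumed) exists only while the ASA answers the probe;
! older releases use "rtr 1" and "track 1 rtr 1 reachability" instead of "ip sla 1"
ip route vrf A 10.10.10.0 255.255.255.240 10.28.50.34 track 1
```

The things to verify are `show track` (the object should read "Reachability is Up" and list the route it controls) and `show route` on the ASA or `show ip route vrf A` on the switch before and after unplugging the probed link; and note the failure mode this design does not cover: a probe target that keeps answering ICMP while it has lost its path onward, which the tracked route cannot see and which is exactly why a directly attached HSRP VIP is the simpler answer.
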

thomasandy32 Mon, 01/11/2010 - 07:19

Hello Giuseppe,

The solutions you provided me in the above mails are a perfect match for the current scenario; I only need to make things clear to convince the customer. The links you posted are excellent. I knew what I was reading was not linked to the current scenario, so that's the reason I posted it.

>> I'm not sure that having each ASA connected to both switches can be a benefit, unless the second interface is the failover interface.

This is the question which is killing me, because firewall concepts are not clear to me. And also it is not possible for a firewall to have 2 outside interfaces, correct me if I am wrong? So your imagination is perfect, they may be failover interfaces.


Thanks for ur long chain of replies.
