3 site-to-site implementation plus fiber trunk link btwn site A&B LANs

Answered Question
Mar 9th, 2010

I have three sites, A, B & C. Each site has an ASA 5520 firewall with failover. Sites A & B have a fiber trunk link between the two LANs behind the firewall. A & B have their own Internet routes. Site C has one firewall, one 3750 switch and two T-1 links; one T1 points to site A and the other to site B. Site C will have two VLANs; one VLAN will belong to site A and the other to site B's VLAN. My boss wanted sites A & B to talk to each other via the trunk link between them. If the trunk link between A&B failed, traffic should be routed to the A&B tunnel. Site A has 3 Cisco 3750s and 3 for site B. He wanted each switch to have a physical connection to the firewall, so that in case one switch goes down the others should resume normal functions. I plan on layer 3 switching, but the requirement that each switch must physically connect to the ASA5520 got me researching various designs.

My questions are:

Can a tracking function work on ASA5520 tunnel between site A&B?

Should I implement separate layer 3 switching for sites A&B? Or put them in one L3 and one VTP domain, or separate them?

Also, will adding EIGRP as the routing protocol help?

Also, for ASA5520 failover, should I go for active/standby, VRRP or GLBP?


Thank you very much for reading this post and your best possible advice.


Thanks,

Eric


Ganesh Hariharan Tue, 03/09/2010 - 22:43

Hi Eric,


ASA/PIX can be configured for tracking; check out the below link for further information:


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml#route_removed


EIGRP can be preferred, as it is the fastest-converging protocol if all devices are Cisco. For failover configuration on the ASA, if not that much traffic is coming from the sites, then active/standby will be OK.


And if you can provide the diagrammatic setup and highlight the query, we can suggest further for your query.



Hope to Help !!


Ganesh.H
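Ganesh's reply points at static route tracking on the ASA. As an added example, which is not part of this thread or of the Cisco page he links, this is what a site A ASA 5520 configuration (ASA 8.2-era syntax) for Eric's requirement could look like: the route to site B via the inside L3 switch and the fiber trunk is tied to an SLA probe, and a floating route via outside pulls site B traffic into the A-B IPsec tunnel when the probe fails. All addresses, interface names, object names and the transit layout are constructed assumptions, not values from the thread.

```cisco
! Site A ASA 5520, ASA 8.2-style syntax. Added example, not from the thread.
! Constructed addressing (assumptions, not from the page):
!   inside  10.1.0.1/24    - site A L3 switch pair reachable at their shared address 10.1.0.2
!   outside 203.0.113.2/30 - ISP gateway 203.0.113.1
!   site A LAN 10.1.0.0/16, site B LAN 10.2.0.0/16, site B transit address 10.2.0.2
!   site B ASA outside address 198.51.100.2
!
! 1) Probe a site B address through the inside interface, i.e. via the L3 switch and the fiber trunk.
sla monitor 10
 type echo protocol ipIcmpEcho 10.2.0.2 interface inside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
!
! 2) Tracking object that follows the probe's reachability state.
track 1 rtr 10 reachability
!
! 3) Primary path to site B: via the inside switches and the trunk. The route is
!    withdrawn from the routing table as soon as track 1 goes down.
route inside 10.2.0.0 255.255.0.0 10.1.0.2 1 track 1
!
! 4) Backup path: same prefix via outside with a worse metric (254). Once the primary
!    is gone, site B traffic leaves via outside, matches the crypto ACL and is encrypted
!    into the A-B tunnel. The default route stays on outside for Internet traffic.
route outside 10.2.0.0 255.255.0.0 203.0.113.1 254
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! 5) Site-to-site IPsec to site B (interesting traffic = A LAN <-> B LAN).
access-list A_TO_B_VPN extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
! If inside NAT is configured, exempt the same traffic: nat (inside) 0 access-list A_TO_B_VPN
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address A_TO_B_VPN
crypto map OUTSIDE_MAP 10 set peer 198.51.100.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-SECRET
!
! 6) Active/standby failover for the 5520 pair (Ganesh's suggestion for moderate traffic):
!    LAN-based failover with the stateful link on the same interface, Gi0/3.
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/3
failover link FAILOVER GigabitEthernet0/3
failover interface ip FAILOVER 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover
```

Two things to keep in mind with this. First, it only works end to end if the site A L3 switch hands site B-bound traffic to the ASA once the trunk is down (a default route on the switch towards the ASA does that, which is the design Ganesh recommends later in the thread), and site B's ASA needs the mirror configuration. Second, there is a detection window: with `frequency 10` and the default probe timeout the tracked route is removed a few probe intervals after the trunk fails, and during that window site B traffic bounces between the ASA and the switch until TTL expiry; tune the probe timers to the outage you can tolerate. `show track 1`, `show sla monitor operational-state 10` and `show route` show which path is active at any moment.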

Eric Boadu Wed, 03/10/2010 - 03:54

Thank you very much Ganeshh for your advice. I am in the process of network design and will post it as soon as it is complete. Any idea for the site A&B LAN design?


Thanks,

Eric

Correct Answer
Ganesh Hariharan Wed, 03/10/2010 - 04:08

Hi Eric,


For LAN designing it all depends on the traffic a site is taking in or out and the user strength at each site. On this basis we can design a basic LAN by segregating the user LAN, mgmt and VIP LAN so that they are different broadcast domains. With hosts connected to switches as the access layer and routing logic done at the L3 level, it makes a simple design, with the firewall residing in between to give security to data coming in or out of the site.


Just consider the simple example; hope it helps!!


Host ---- Access switch---firewall ---- Router -- WAN


Remember to rate the helpful post


Ganesh.H

Eric Boadu Wed, 03/10/2010 - 04:50

Ganeshh, thanks again. Should sites A & B have their own layer 3 routing switch, and if so, how about the trunk between them? Should sites A & B be in the same VTP domain or separate, and how do I make sure traffic routes between A&B via the trunk with the tunnel as backup?


Thanks,

Eric

Ganesh Hariharan Wed, 03/10/2010 - 07:13

Hi Eric,


I would recommend that both sites should have separate L3 routing; it will be helpful for you for troubleshooting purposes in future. What I mean to say is that each site has its own VTP domain configuration and VLANs are managed locally at the sites, and as both sites are connected via a link (LL, MPLS or FR), just route the site A subnet towards site B and vice versa using static routing or a dynamic protocol; as suggested, EIGRP can be one of the choices.


And check out the below link for backup configuration on routers:


http://ardenpackeer.com/ios-features-management/tutorial-how-to-set-up-backup-interfaces/


Hope to Help !!


Ganesh.H

Eric Boadu Wed, 03/10/2010 - 09:34

Thank you very much Ganeshh! One last question: is it also necessary to connect the client switch to the ASA firewall besides the L3 switch? Example:

Client switch----Layer 3 switch--(InterVLAN)---ASA Firewall---WAN --Internet, or two connections from the client switch, one going to the L3 switch and the other to the ASA?


thx,

Eric

Ganesh Hariharan Wed, 03/10/2010 - 09:44

Hi Eric,


That depends, once again, on whether you want traffic from VLAN to VLAN to also get passed through the firewall, with access and restrictions controlled on the firewall based on zone traffic. In that case the firewall will be doing the routing between the zones.


Like: Access switch (Vlan 10) ----(Vlan 10 Zone)--ASA---(Vlan 20 Zone)----Access switch (Vlan 20), and traffic from the ASA towards the outside world via a default route or dynamic routing.


Hope to Help !!


Remember to rate the helpful post


Ganesh.H

Eric Boadu Wed, 03/10/2010 - 10:03

Thanks. This idea was in case the L3 switch goes down; then what will happen to the client switch? Thx

Eric Boadu Wed, 03/10/2010 - 12:19

My design will include an L3 switch, for example: client switches---L3 switch --- firewall -- WAN. Any possible idea, if the L3 switch (Inter-VLAN) goes down, how the rest of the client switches route traffic to the firewall -- WAN? Thanks, Eric

Eric Boadu Wed, 03/10/2010 - 13:19

I found the solution to my LAN design. There will be two redundant L3 switches for each site.

1. Client switch--->Primary L3 switch--->primary-Firewall-->WAN.

2. Client switch--->Secondary L3 switch--->secondary-Firewall--->WAN


No need to connect all switches to the firewall physically. If one redundant switch goes down, the second switch syncs in. I will be using SVI config; please give your input and best configurations.


Thanks,

Eric

Correct Answer
Ganesh Hariharan Wed, 03/10/2010 - 22:39

Hi Eric,


Always a good design if you go for redundancy at every level, and in the above post you have designed the same. So for configuration: pure L2 VLAN configuration at the access (client) switches, then create SVIs for all VLANs to route the traffic for inter-VLAN routing at the L3 level, and drop a default route towards the firewall interface, where you can deploy rules and restrictions for traffic coming inside and going outside the site from your local LANs; and of course you need to drop a default route towards the WAN-facing router's local end.


Check out the below link; hope that helps:


http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a008019e74e.shtml


Remember to rate the helpful post


Ganesh.H
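Ganesh's two recommendations, separate L3 routing per site with its own VTP domain and static or EIGRP routes across the link, and pure L2 access switches with SVIs on the L3 switches and a default route towards the firewall, together with Eric's pair of redundant L3 switches, as one added example in Cisco IOS for site A's 3750s. This is not configuration from the thread or from the Cisco page linked above. Hostnames, VLAN numbers, addresses and interface numbers are constructed; VRRP is used as the first-hop redundancy protocol because the thread raises it (HSRP is the IOS-native equivalent, and VRRP support depends on the 3750 image), and static routes are used for the site-to-site prefix, which EIGRP could replace.

```cisco
! ===== Site A, primary L3 switch (Cisco 3750, IOS). Added example, not from the thread. =====
! Constructed layout: VLAN 10 = users 10.1.10.0/24, VLAN 20 = mgmt 10.1.20.0/24,
! VLAN 99 = transit to the ASA inside interface (ASA = 10.1.0.1, switches' shared VIP = 10.1.0.2),
! Gi1/0/25 = fiber link to site B, routed as 10.0.50.0/30 (no stretched L2 trunk, no shared VTP).
hostname SW-A1
vtp domain SITE-A
vtp mode server
ip routing
!
vlan 10
 name USERS
vlan 20
 name MGMT
vlan 99
 name FW-TRANSIT
!
! Gateways for the user and management VLANs: VRRP gives one virtual gateway
! shared with SW-A2, so hosts keep their default gateway when a switch dies.
interface Vlan10
 ip address 10.1.10.2 255.255.255.0
 vrrp 10 ip 10.1.10.1
 vrrp 10 priority 110
interface Vlan20
 ip address 10.1.20.2 255.255.255.0
 vrrp 20 ip 10.1.20.1
 vrrp 20 priority 110
! Transit VLAN towards the ASA; the ASA's inside routes for the LAN point at the VIP 10.1.0.2.
interface Vlan99
 ip address 10.1.0.3 255.255.255.0
 vrrp 99 ip 10.1.0.2
 vrrp 99 priority 110
!
! Fiber link to site B as a routed port: each site keeps its own VLANs and VTP domain.
interface GigabitEthernet1/0/25
 description Fiber to site B (routed)
 no switchport
 ip address 10.0.50.1 255.255.255.252
! ASA inside interface plugs in here as an access port in the transit VLAN.
interface GigabitEthernet1/0/26
 description ASA inside
 switchport access vlan 99
 switchport mode access
! Trunks to SW-A2 (carries VLANs 10,20,99 so VRRP and the ASA VLAN span both) and to the access switches.
interface range GigabitEthernet1/0/21 - 24
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,99
 switchport mode trunk
!
! Routing: site B directly over the fiber; everything else to the ASA.
! The /16 route is withdrawn automatically when Gi1/0/25 goes down (its next hop is no
! longer connected), so B-bound traffic then follows the default route to the ASA.
ip route 10.2.0.0 255.255.0.0 10.0.50.2
ip route 0.0.0.0 0.0.0.0 10.1.0.1
!
! ===== SW-A2: same VLANs, trunks and ASA access port as SW-A1, but the other real
! addresses, lower VRRP priority and no fiber port. Its only exit is the ASA. =====
hostname SW-A2
vtp domain SITE-A
vtp mode server
ip routing
interface Vlan10
 ip address 10.1.10.3 255.255.255.0
 vrrp 10 ip 10.1.10.1
 vrrp 10 priority 100
interface Vlan20
 ip address 10.1.20.3 255.255.255.0
 vrrp 20 ip 10.1.20.1
 vrrp 20 priority 100
interface Vlan99
 ip address 10.1.0.4 255.255.255.0
 vrrp 99 ip 10.1.0.2
 vrrp 99 priority 100
ip route 0.0.0.0 0.0.0.0 10.1.0.1
!
! ===== Access switch: pure L2, VTP client, one uplink to each L3 switch (STP blocks one). =====
hostname SW-A-ACCESS1
vtp domain SITE-A
vtp mode client
interface range GigabitEthernet1/0/1 - 22
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
interface range GigabitEthernet1/0/23 - 24
 description Uplinks to SW-A1 / SW-A2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk
```

This is exactly Eric's "client switch -> L3 switch -> firewall -> WAN" with the access switches never cabled to the ASA: if SW-A1 dies, SW-A2 becomes VRRP master on every VLAN and the hosts notice nothing, and the ASA keeps reaching the LAN through the VIP. The one asymmetry to be aware of is that the fiber lives on SW-A1 only, so losing SW-A1 also loses the direct path to site B and that traffic has to fall back to the ASA and its tunnel. With EIGRP between SW-A1, SW-A2 and the ASA (as Ganesh suggests) the two static routes go away and both failure cases converge on their own; check state with `show vrrp brief` and `show ip route` on the switches.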

Eric Boadu Thu, 03/11/2010 - 06:07

Thank you very much Ganeshh for the link. Now, I am planning to design and script the config for each device and verify for sure that all will work before actual production. I am designing the LAN right now and will let you know the outcome. You have helped me a lot and thank you so much; if there is additional info, please send me the link.


Thanks,

Eric

Eric Boadu Thu, 03/11/2010 - 06:10

I wanna rate this the highest but don't seem to have the link.
