3 site-to-site implementation plus fiber trunk link between site A & B LANs

Eric Boadu
Level 1

I have three sites, A, B & C. Each site has an ASA 5520 firewall with failover. Sites A & B have a fiber trunk link between the two LANs behind the firewalls. A & B each have their own Internet route. Site C has one firewall, one 3750 switch and two T-1 links; one T1 points to site A and the other to site B. Site C will have two VLANs, one belonging to site A and the other to a site B VLAN.

My boss wanted sites A & B to talk to each other via the trunk link between them. If the trunk link between A & B fails, traffic should be routed over the A-to-B tunnel. Site A has 3 Cisco 3750s and site B has 3 as well. He wanted each switch to have a physical connection to the firewall, so that if one switch goes down the others resume normal functions. I plan on layer 3 switching, but the requirement that each switch physically connect to the ASA 5520 got me researching various designs.

My questions are:

Can a tracking function work on the ASA 5520 tunnel between sites A & B?

Should I implement separate layer 3 switching for sites A & B, or put them in one L3 and one VTP domain, or separate them?

Also, will adding EIGRP as the routing protocol help?

Also, for ASA 5520 failover, should I go for active/standby, VRRP or GLBP?

Thank you very much for reading this post and for your best possible advice.

Thanks,

Eric


13 Replies

Ganesh Hariharan
VIP Alumni

Hi Eric,

The ASA/PIX can be configured for tracking; check out the link below for further information.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml#route_removed

EIGRP can be preferred, as it is the fastest-converging protocol if all devices are Cisco. For the failover configuration on the ASA, if not that much traffic is coming from the sites, then active/standby will be OK.

And if you can provide the diagrammatic setup and highlight the query, we can suggest further.

Hope to Help !!

Ganesh.H

Thank you very much Ganesh for your advice. I am in the process of network design and will post it as soon as it is complete. Any idea for the site A & B LAN design?

Thanks,

Eric


Hi Eric,

For LAN design it all depends on the traffic a site is taking in or out and the user strength at each site. On this basis we can design the LAN by segregating the user LAN, management LAN and VIP LAN so that they are different broadcast domains. With hosts connected to switches as the access layer and the routing logic done at the L3 level, it makes a simple design, with the firewall residing in between to give security to data coming in or out of the site.

Just consider this simple example. Hope it helps!

Host ---- Access switch---firewall ---- Router -- WAN

Remember to rate the helpful post

Ganesh.H

Ganesh, thanks again. Should sites A & B each have their own layer 3 routing switch, and if so, how about the trunk between them? Should sites A & B be in the same VTP domain or separate, and how do I make sure traffic routes between A & B via the trunk, with the tunnel as backup?

Thanks,

Eric


Hi Eric,

I would recommend that both sites have separate L3 routing; it will be helpful for you for troubleshooting purposes in future. What I mean to say is that each site has its own VTP domain configuration and VLANs are managed locally at the site, and as both sites are connected via a link (LL, MPLS or FR), just route the site A subnet towards site B and vice versa using static routing or dynamic routing; as suggested, EIGRP can be one of the choices.

And check out the link below for backup configuration in routers.

http://ardenpackeer.com/ios-features-management/tutorial-how-to-set-up-backup-interfaces/

Hope to Help !!

Ganesh.H

Thank you very much Ganesh! One last question: is it also necessary to connect the client switch to the ASA firewall besides the L3 switch? Example:

Client switch----Layer 3 switch--(InterVLAN)---ASA Firewall---WAN--Internet, or two connections from the client switch, one going to the L3 switch and the other to the ASA?

thx,

Eric


Hi Eric,

That depends once again on whether you want traffic from VLAN to VLAN to also pass through the firewall, with access and restrictions controlled on the firewall based on zone traffic. In that case the firewall will be doing the routing between the zones.

Like: Access switch (Vlan 10)----(Vlan 10 Zone)--ASA---(Vlan 20 Zone)----Access switch (Vlan 20), and traffic from the ASA towards the outside world via a default route or a dynamic one.

Hope to Help !!

Remember to rate the helpful post

Ganesh.H

Thanks. This idea was in case the L3 switch goes down; then what will happen to the client switch? Thx.

My design will include an L3 switch, for example: client switches---L3 switch---firewall---WAN. Any possible idea how, if the L3 switch (Inter-VLAN) goes down, the rest of the client switches route traffic to the firewall and WAN? Thanks, Eric

I found the solution to my LAN design. There will be two redundant L3 switches for each site.

1. Client switch--->Primary L3 switch--->primary-Firewall-->WAN.

2. Client switch--->Secondary L3 switch--->secondary-Firewall--->WAN

No need to connect all switches to the firewall physically. If one redundant switch goes down, the second switch syncs in. I will be using an SVI config; please give your input and best configurations.

Thanks,

Eric


Hi Eric,

Always a good design if you go for redundancy at every level, and in the above post you have designed the same. So, from a configuration standpoint: pure L2 VLAN configuration at the access (client) switches, then create SVIs for all VLANs to route the traffic for inter-VLAN routing at the L3 level and drop a default route towards the firewall interface, where you can deploy rules and restrictions for traffic coming into and going out of the site from your local LANs. Of course, you also need to drop a default route towards the WAN-facing router's local end.

Check out the link below; hope that helps.

http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a008019e74e.shtml

Remember to rate the helpful post

Ganesh.H
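As an added illustration, not taken from this thread or from Cisco's linked document, of the design Ganesh describes above and of Eric's redundant-L3 layout: L2-only access switches, SVIs on the primary 3750, a default route to the ASA inside interface, and the A-to-B fiber trunk preferred over the ASA tunnel. VLAN numbers, addresses and interface names are assumed; Vlan100 is assumed to be the routed VLAN carried on the fiber trunk, and HSRP is assumed for the shared gateway between the primary and secondary L3 switch (the secondary carries the same SVIs with the default priority of 100).

```cisco
! --- Access (client) switch: pure L2, uplinks to both L3 switches ---
vlan 10
 name USERS
vlan 20
 name MGMT
interface range GigabitEthernet1/0/47 - 48
 description uplinks to primary / secondary L3 switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! --- Primary L3 switch (3750): inter-VLAN routing on SVIs ---
ip routing
interface Vlan10
 ip address 10.1.10.2 255.255.255.0
 standby 10 ip 10.1.10.1
 standby 10 priority 110
 standby 10 preempt
interface Vlan20
 ip address 10.1.20.2 255.255.255.0
 standby 20 ip 10.1.20.1
 standby 20 priority 110
 standby 20 preempt
! Hosts use 10.1.x.1 (the HSRP virtual address) as their gateway, so
! they keep working when the primary switch fails and the secondary
! takes over the group. Note that with SVIs doing the routing, VLAN 10
! to VLAN 20 traffic never reaches the ASA; only off-site traffic does.
!
! Default route towards the ASA inside interface (assumed 10.1.1.1):
! everything not local leaves the site through the firewall policy.
ip route 0.0.0.0 0.0.0.0 10.1.1.1
!
! Site B (assumed 10.2.0.0/16) over the fiber trunk, ASA tunnel as backup.
! An IP SLA probe to site B's trunk-side address withdraws the trunk route
! when the far end stops answering, so the floating route via the ASA
! (administrative distance 250) takes over and traffic follows the tunnel.
ip sla 1
 icmp-echo 10.1.100.2 source-interface Vlan100
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
ip route 10.2.0.0 255.255.0.0 10.1.100.2 track 1
ip route 10.2.0.0 255.255.0.0 10.1.1.1 250
```

The same A-to-B static routes, and a matching default route, must exist on the secondary L3 switch and on the ASA for the failover path to carry traffic in both directions.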

Thank you very much Ganesh for the link. Now I am planning to design and script the config for each device and verify for sure that all will work before actual production. I am designing the LAN right now and will let you know the outcome. You have helped me a lot, and thank you so much; if there is additional info please send me the link.

Thanks,

Eric

I wanna rate this to the highest but don't seem to have the link.
