Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1867
Views
7
Helpful
14
Replies

l2-l3 redundancy with failover firewall

Go to solution
JEETENDRA BAGALE
Level 1
Level 1

‎03-30-2010 12:39 PM - edited ‎03-06-2019 10:23 AM

fw1-------------------fw2
!                      !
!                      !
!                      !
!                      !
!                      !
sw1-----sw5            sw2-------sw6
! !                    ! !
! !                    ! !
! !--------------------! !
!                        !
!                        !
sw3                      sw4

pls find th above diagram

The two firewall are in Failover mode
sw1 and sw2 are connected two fw1 and fw2 respectively and they  are interconnected to each other
sw3 and sw5 are connected to sw6 AND SW4 areCONNECTED TO sw2
all switches belong to 3650(L3) family
firewall are pix535
actually this is the proposed design
The objectives to be achieve in above diagram are mentioned below
we want high availibilty design
we are planning around 10 vlans so we also want redunduncy for vlans
server active links would be terminated to sw1 sw3 and sw5
server redundant links would be terminated to sw2 sw6 and sw4
I dont want to create  vlan interface on firewall so how i could achive the above reqiurement

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to JEETENDRA BAGALE

‎03-30-2010 02:49 PM 

rajsh.sharma wrote:
thanks JON ,this had definatly clear my doubt ,can you give advice how can we make the requirements of redundancy more better than above setup .
Pls also take into consideration i will be applying access list on sw1 and sw2  between vlan communication will this increase the load on 3560 switch there would be around access list on max 16 vlan
or should i create vlan on firewall interface and kept all switches at L2  level.firewall usage is 30% max
what would you suggest

Using the firewall for inter-vlan routing is not recommended unless you have very strict security requirements. It makes the config messier and as you already have the 3560s i would use sw1 and sw2 to route between internal vlans.

Keep your acls relatively simple on the L3 switches and you should be fine.

Redudancy wise you should be fine, just make sure that you dual connect all servers. If possible don't connect servers directly into sw1/sw2 although if you have to because of port capacity then it's not the end of the world.

Jon

View solution in original post

0 Helpful
14 Replies 14

Go to solution
JEETENDRA BAGALE
Level 1
Level 1

‎03-30-2010 12:41 PM

the diagram is as follows

fw1-------------------fw2
!                      !
!                      !
!                      !
!                      !
!                      !
sw1-----sw5     sw2-------sw6
! !                    ! !
! !                    ! !
! !--------------------! !
!                        !
!                        !
sw3                   sw4

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎03-30-2010 12:45 PM

The two firewall are in Failover mode
sw1 and sw2 are connected two fw1 and fw2 respectively and they  are interconnected to each other

the above makes sense


sw3 and sw5 are connected to sw6 AND SW4 areCONNECTED TO sw2

this bit - not sure what is connected to what and your diagram is not coming out very well. Could you clarify ?

Is all the inter-vlan routing happening on sw1 and sw2 and are the uplinks from the other switches to sw1 and sw2 L2 trunks ?

Jon

0 Helpful

Go to solution
JEETENDRA BAGALE
Level 1
Level 1
In response to Jon Marshall

‎03-30-2010 12:58 PM

pls find the diagram in document

62823-11.txt.zip
0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎03-30-2010 01:18 PM

Okay, thanks for the attachment.

server active links would be terminated to sw1 sw3 and sw5
server redundant links would be terminated to sw2 sw6 and sw4

Where is the inter-vlan routing for the servers ? Are sw3/sw4/sw5/sw6 acting as L2 switches only ie. they use L2 trunk links to sw1 and sw2.


Your firewall, sw1/sw2 setup is fine and is the right setup for firewall redundancy. Just not entirely sure what you are doing with the other switches ?

Jon

Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.

0 Helpful

Go to solution
JEETENDRA BAGALE
Level 1
Level 1
In response to Jon Marshall

‎03-30-2010 01:30 PM

iam planning to use sw1 and sw2 as l3 so intervlan routing wold be provided on sw1 and sw2 .

my confusion is if i configured hsrp on sw1 and sw2 ,at the time of the failure of vlan what will happened .

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to JEETENDRA BAGALE

‎03-30-2010 01:32 PM 

rajsh.sharma wrote:
iam planning to use sw1 and sw2 as l3 so intervlan routing wold be provided on sw1 and sw2 .
my confusion is if i configured hsrp on sw1 and sw2 ,at the time of the failure of vlan what will happened .

Could you clarify. What do you mean by a failure of a vlan ?

Jon

Go to solution
JEETENDRA BAGALE
Level 1
Level 1
In response to Jon Marshall

‎03-30-2010 01:42 PM

suppose for time being i have configured 3 vlan on sw1 and sw2 with hsrp config  such that the default gateway to the servers would be theits stand by ip .

suppose vlan2 on switch made down on sw1 so the server would be reaching via redundant link to the sw2  .at the same time our primary firewall is active then what will happen the traffic is would be pass through fw 1

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to JEETENDRA BAGALE

‎03-30-2010 02:00 PM 

rajsh.sharma wrote:
suppose for time being i have configured 3 vlan on sw1 and sw2 with hsrp config  such that the default gateway to the servers would be theits stand by ip .
suppose vlan2 on switch made down on sw1 so the server would be reaching via redundant link to the sw2  .at the same time our primary firewall is active then what will happen the traffic is would be pass through fw 1

Okay, assuming you have a dedicated vlan for the connections between the ASA firewalls and sw1 and sw2 lets say vlan 10.

So you have a server svr1 connected to sw1 and sw2. The active gateway for svr1 is sw1. The active ASA firewall is connected to sw1 as well. If the L3 vlan interface on sw1 for vlan 2 was shutdown then svr1 would then send traffic to sw2. sw2 would then route the traffic onto vlan 10 and send the traffic back across the interconnect link to sw1 which would then forward the traffic to the active ASA.

If sw1 totally failed then all servers would use sw2. The ASAs would also failover because sw1 failed so it would still work.

Jon


Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.

0 Helpful

Go to solution
JEETENDRA BAGALE
Level 1
Level 1
In response to Jon Marshall

‎03-30-2010 02:25 PM

thanks for reply for more clarification

lets go with the ip address

if the fw1 and fw2 is configured with 10.1.7.1 and stanby as 10.1.7.2

let say vlan 7 would be the default vlan on sw1 and sw2 and whose ip address would be 10.1.7.4 and 10.1.7.5

we have created 3 vlan on sw1 and sw2 resp
vlan 8
vlan 9
vlan 10

whose default gateway would be 10.1.8.1 10.1.9.1and 10.1.10.1 and we will be using hsrp


suppose we have connected one server 10.1.8.15(whose active link woul be on sw 3 ad sw 4 respectivly

and i have made the vlan 8 on sw 1 what will be the workflow or packet flow

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to JEETENDRA BAGALE

‎03-30-2010 02:34 PM 

rajsh.sharma wrote:
thanks for reply for more clarification
lets go with the ip address
if the fw1 and fw2 is configured with 10.1.7.1 and stanby as 10.1.7.2
let say vlan 7 would be the default vlan on sw1 and sw2 and whose ip address would be 10.1.7.4 and 10.1.7.5
we have created 3 vlan on sw1 and sw2 resp
vlan 8
vlan 9
vlan 10
whose default gateway would be 10.1.8.1 10.1.9.1and 10.1.10.1 and we will be using hsrp

suppose we have connected one server 10.1.8.15(whose active link woul be on sw 3 ad sw 4 respectivly
and i have made the vlan 8 on sw 1 what will be the workflow or packet flow

Okay. You would need an HSRP VIP for vlan 7 on sw1/sw2 eg. lets say 10.7.1.5.  On the ASA you would have routes for vlan 8,9 &10 on the ASA -

route (inside) 10.7.1.5

etc..


server 10.1.8.15 = svr1

active link is on sw3 which is connected to sw1.

svr1 sends packet to ASA. svr1 looks sends it's packet to it's default-gateway on sw1.

1) packet goes from svr1 to sw3.

2) sw3 switches packet at L2 to sw1

3) sw1 routes the packet onto vlan 7 and sends it to the active ASA - 10.7.1.1

return traffic -

4) ASA sends traffic for svr1 back to 10.7.1.5 which is the HSRP active gateway for vlan 7 on sw1.

5) sw1 routes the packet onto vlan 8 and sends the packet to sw3

6) sw3 sends the packet to svr1

Jon

Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.

Go to solution
JEETENDRA BAGALE
Level 1
Level 1
In response to Jon Marshall

‎03-30-2010 02:44 PM

thanks JON ,this had definatly clear my doubt ,can you give advice how can we make the requirements of redundancy more better than above setup .

Pls also take into consideration i will be applying access list on sw1 and sw2  between vlan communication will this increase the load on 3560 switch there would be around access list on max 16 vlan

or should i create vlan on firewall interface and kept all switches at L2  level.firewall usage is 30% max

what would you suggest

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to JEETENDRA BAGALE

‎03-30-2010 02:49 PM 

rajsh.sharma wrote:
thanks JON ,this had definatly clear my doubt ,can you give advice how can we make the requirements of redundancy more better than above setup .
Pls also take into consideration i will be applying access list on sw1 and sw2  between vlan communication will this increase the load on 3560 switch there would be around access list on max 16 vlan
or should i create vlan on firewall interface and kept all switches at L2  level.firewall usage is 30% max
what would you suggest

Using the firewall for inter-vlan routing is not recommended unless you have very strict security requirements. It makes the config messier and as you already have the 3560s i would use sw1 and sw2 to route between internal vlans.

Keep your acls relatively simple on the L3 switches and you should be fine.

Redudancy wise you should be fine, just make sure that you dual connect all servers. If possible don't connect servers directly into sw1/sw2 although if you have to because of port capacity then it's not the end of the world.

Jon

0 Helpful

Go to solution
JEETENDRA BAGALE
Level 1
Level 1
In response to Jon Marshall

‎03-30-2010 02:59 PM

Thanks Very much JON

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to JEETENDRA BAGALE

‎03-30-2010 03:18 PM

No problem, glad to have helped and thanks for the rating.

Jon

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card