Fully Redundant Network

Apr 20th, 2010

Hello everyone,

I have some rack space in a colo and would like to know if what I have in mind is actually correct and perhaps if there is a better way to do it.

I want to set up full redundancy in terms of the LAN and WAN. I have 2 drops from the datacenter for a redundant internet connection.

I have 2 managed Dell switches (Cisco OEM from what I understand) and 2 ASA 5505s.

I have just a simple ESX environment and my boxes have NIC teaming set up already, which seems to be the ideal configuration for a redundant network.

I plan to have 2 VLANs, 1 for WAN and 1 for LAN on each switch (2 total).

I understand that I will want to have HSRP set up, but I am not sure how to go about that or if the 5505 is even able to do HSRP.

So I will have just 1 subnet and just have all servers and the SAN connected to 2 switches and each ASA on 1 switch with HSRP, sound right?

It sounds like I need HSRP for both WAN and LAN.

Did I forget anything? Thanks a ton for all the help!

ganeshh.iyer Mon, 04/26/2010 - 04:18

Hi,

It will be helpful if you can provide a schematic diagram of the current setup; then we can guide the best design along with the expected one. Anyhow, what I have understood from the above comments is that you have two internet links with two routers, two switches, two ASA 5505s, and all servers have two NICs with teaming configured.

To have a simple redundant network, configure two VLANs in the switches: one external, where your router and ASA 5505 interface will be connected, and another for the local LAN, where the other port of the ASA 5505 will be connected and will act as gateway for the local servers.

To have redundancy for the internet links also, configure HSRP on the routers' local interface with tracking configuration, so that if one link goes down traffic will be shifted to the other one without any delay. For that you need to configure a default route towards the VIP of the routers' HSRP in the ASA 5505.

Check out the below links on HSRP with tracking configuration on routers

http://www.networkstraining.com/cisco-router-hsrp-configuration/

http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094e8c.shtml

and on the ASA 5505 you need to configure the two VLANs as mentioned, and for the local and external interfaces configure a cluster setup with HSRP on the ASA 5505.

Check out the below link for ASA 5505

http://www.articlesbase.com/networks-articles/stepbystep-configuration-guide-for-the-cisco-asa-5505-firewall-803076.html

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/asacfgIX.html

Hope to Help !!

Remember to rate the helpful post

Ganesh.H
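
An added worked example of the HSRP-with-tracking design described in the reply above (this is not configuration from the original post or from the linked articles). It assumes, as the reply does, that there is a Cisco IOS router behind each drop; the two routers share a virtual IP on the WAN VLAN, each one tracks its own ISP uplink both at link level and by reachability, and the ASA's default route points at the VIP rather than at either router. All addresses, interface names and the key string are assumptions; the ping target is the ISP next hop, so pick something that actually answers ICMP on your circuits.

```cisco
! ---- R1: preferred owner of the VIP (constructed addresses) ----
!
! Track the ISP link two ways: line-protocol catches a dead port,
! the IP SLA probe catches the case where the port stays up but the
! provider's switch is resetting or being upgraded.
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0
 frequency 5
ip sla schedule 1 life forever start-time now
!
track 10 interface GigabitEthernet0/0 line-protocol
track 11 ip sla 1 reachability
!
interface GigabitEthernet0/0
 description ISP drop 1
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/1
 description WAN VLAN toward the ASA outside interface
 ip address 198.51.100.2 255.255.255.248
 standby version 2
 standby 1 ip 198.51.100.1
 standby 1 priority 110
 standby 1 preempt delay minimum 30
 standby 1 timers msec 250 msec 750
 standby 1 authentication md5 key-string <shared-secret>
 standby 1 track 10 decrement 20
 standby 1 track 11 decrement 20
!
! ---- R2: identical shape, lower priority, tracks ISP drop 2 ----
ip sla 1
 icmp-echo 203.0.113.5 source-interface GigabitEthernet0/0
 frequency 5
ip sla schedule 1 life forever start-time now
!
track 10 interface GigabitEthernet0/0 line-protocol
track 11 ip sla 1 reachability
!
interface GigabitEthernet0/0
 description ISP drop 2
 ip address 203.0.113.6 255.255.255.252
!
interface GigabitEthernet0/1
 description WAN VLAN toward the ASA outside interface
 ip address 198.51.100.3 255.255.255.248
 standby version 2
 standby 1 ip 198.51.100.1
 standby 1 priority 100
 standby 1 preempt delay minimum 30
 standby 1 timers msec 250 msec 750
 standby 1 authentication md5 key-string <shared-secret>
 standby 1 track 10 decrement 20
 standby 1 track 11 decrement 20
!
! ---- ASA 5505: default route to the VIP, never to a router's real address ----
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
```

The numbers are chosen so that a single tracked failure on R1 (110 minus 20 = 90) drops it below R2's 100 and the VIP moves; with 250 ms hellos and a 750 ms hold time the move takes under a second. The preempt delay stops R1 from snatching the VIP back the instant a flapping link comes up. The MD5 authentication is the security-relevant line: the WAN VLAN is the segment the colo drops land on, and without it any device that can send HSRP hellos there with a higher priority becomes your default gateway. Confirm the state with `show standby brief` on both routers and `show route` on the ASA.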

MightyMax1 Mon, 04/26/2010 - 11:47

Here is my diagram. I hope this helps to further clarify what I am trying to achieve.

Does the ASA 5505 support HSRP? I have read in a forum (an unofficial forum, that is) that HSRP is not supported on the 5505, and stateful failover is also not supported, and redundant interfaces are also not supported, which if true is a problem for me, but I will have to address that later if so.

I assume I should use the same subnet across both physical networks; it seems that if I didn't, I would be adding a nightmare of complexity to my setup, which I obviously want to keep as simple as possible, but 100% functional. Is plugging in the ASAs like I have in my diagram going to be an issue? Will plugging into an unused interface still allow me to contact the inside IP of the ASA (I assume yes, but I don't like assuming, I like being certain)?

The idea here is that any piece of hardware can completely die and I won't suffer any downtime.

If drop 1 were to go down, say my ISP does a switch reset or a firmware update, is that a scenario that would cause the standby to take over and allow traffic to then flow over drop 2? I am assuming yes, but want to be absolutely certain.

I am not really worried about doing any sort of load balancing, I am only concerned about redundancy and non-interrupting failover.

Thanks!

ganeshh.iyer Mon, 04/26/2010 - 23:45

Hi,

Check out the below link for the ASA Active/Standby configuration, which will be well suited for your setup.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml

Hope to Help !!

Ganesh.H

Remember to rate the helpful post
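
An added example of the Active/Standby pair the reply above points to, written for two ASA 5505s (it is not configuration from the original post or from the linked Cisco document). The ASA does not run HSRP at all; its equivalent is this failover pair, in which the active unit owns the primary IP and MAC on every named interface and the standby unit answers on the standby addresses. Two platform facts worth knowing before you build it: failover on the 5505 needs the Security Plus license, and the 5505 supports only Active/Standby and only stateless failover, so established TCP connections are reset when the standby takes over. Addresses, VLAN numbers, port assignments and the key are assumptions.

```cisco
! ---- ASA 5505 #1 (primary) -- constructed addresses ----
!
! Named interfaces carry an active and a standby address; whichever
! unit is active answers on the first one.
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 198.51.100.10 255.255.255.248 standby 198.51.100.11
!
! The failover link is a VLAN with no nameif; the failover subsystem owns it.
interface Vlan3
 description Failover link to the peer unit
 no shutdown
!
interface Ethernet0/0
 description WAN VLAN on this unit's switch
 switchport access vlan 2
!
interface Ethernet0/1
 description LAN VLAN on this unit's switch
 switchport access vlan 1
!
interface Ethernet0/7
 description Direct cable to the peer unit's Ethernet0/7
 switchport access vlan 3
 no shutdown
!
! Order matters: bootstrap the link, set the shared key, then enable failover.
failover lan unit primary
failover lan interface folink Vlan3
failover key <shared-secret>
failover interface ip folink 192.168.254.1 255.255.255.252 standby 192.168.254.2
monitor-interface inside
monitor-interface outside
failover
!
! ---- ASA 5505 #2 (secondary) -- only the bootstrap; the rest replicates ----
interface Vlan3
 description Failover link to the peer unit
 no shutdown
!
interface Ethernet0/7
 description Direct cable to the peer unit's Ethernet0/7
 switchport access vlan 3
 no shutdown
!
failover lan unit secondary
failover lan interface folink Vlan3
failover key <shared-secret>
failover interface ip folink 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover
```

Check the result with `show failover` on either unit: the primary should read "Active" and the secondary "Standby Ready", with every monitored interface listed as Normal. The `failover key` is what keeps a host on the failover VLAN from injecting failover messages or reading the replicated configuration, which crosses that link in clear text without it. Two requirements that follow from the diagram: the inside interfaces of both units must be in one Layer 2 domain, and so must the outside interfaces, because interface health is judged by hellos exchanged between the active and standby addresses of each named interface; and only one 5505 switchport per VLAN should be cabled into the switch fabric, because the 5505's internal switch does not run spanning tree and a second port in the same VLAN creates a loop.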

MightyMax1 Fri, 04/30/2010 - 11:36

I have gotten further into my test setup and now have a few new questions.

I have my ASAs in A/S and my switches have 2 VLANs configured.

See this new diagram for more details on my setup.

I am only guessing on the datacenter network design, but they did confirm I have Layer 2 access between the 2 ASAs over the 2 drops they have provisioned me.

My first question is this: when the standby takes over the active role in my tests, and the active then recovers from a test failure (pulling the power plug), it remains the standby and never becomes active again until a new failover event is triggered. Is this by design, or is there a method to cause the primary to reassume the active role once it has recovered?

My second question is related to Spanning Tree and NIC teaming. I have 2 HP servers with the VMware ESX hypervisor installed and configured to do NIC teaming. My question is, will Spanning Tree actually prevent NIC teaming from functioning properly? I think it will at the very least eliminate the possibility to load balance using the NIC teaming, but I could have this all wrong.

So assuming this current design, does anyone see any issues?

My only complaint right now is the failover times for all events. RSTP seems to still take far too long in most events, up to 2 minutes even. ASA failover is about 15s, and so I would like any failover event to occur both automatically and, maybe this is wishful thinking, a little faster, say <5s.

That's it for now, and as always, any advice is greatly welcomed.

Thanks!

ganeshh.iyer Sun, 05/02/2010 - 23:20

Hi,

You can configure the ASA with preempt so that the active unit can regain its role after coming up. As for the teaming concept on the server side, it is mainly used for load balancing and redundancy purposes at the server level. It will affect STP in the switches when both of your NICs become active and start flapping on the switch side, which will result in high CPU on the switch, as the STP instance starts convergence with the host getting flapped at frequent intervals.

Hope to Help !!

Ganesh.H

If helpful do rate the post
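
An added example, not from the original post or the reply above, that addresses the three practical points raised in the last post: the recovered primary staying in standby, the ~15 s ASA failover time, and the slow RSTP convergence around the ESX hosts. On the ASA side it assumes the Active/Standby pair is already up; on the switch side it uses Cisco IOS syntax and assumed port numbers, so the Dell CLI equivalents have to be checked against that platform's documentation. ASA failover has no preempt setting: a primary that returns after a failure stays in "Standby Ready" until an operator moves the active role, which is what the test observed. The ~15 s is the default unit hold time (1 s poll, 15 s hold); the hold time can be lowered, at the cost of a failover triggered by a busier or slower failover link.

```cisco
! ---- ASA, entered on the active unit; replicated to the standby ----
!
! Unit hello every 500 ms, peer declared dead after 3 s (default is 1 s / 15 s).
! Interface hellos every 500 ms, interface declared failed after 5 s.
failover polltime unit msec 500 holdtime 3
failover polltime interface msec 500 holdtime 5
!
! There is no preempt. When "show failover" on the recovered primary reports
! "Standby Ready", hand the active role back by issuing this on the primary:
failover active
!
! ---- Switch 1 (repeat on switch 2 with its own port numbers) ----
spanning-tree mode rapid-pvst
!
! ESX host uplinks. The vSwitch does not run spanning tree and does not
! forward frames between its own uplinks, so the port can go straight to
! forwarding. No channel-group: vSwitch teaming by originating port ID
! needs nothing on the switch side. BPDU guard shuts the port if a VM or a
! misplugged switch ever starts talking spanning tree into the fabric.
interface range GigabitEthernet0/1 - 2
 description ESX host uplinks (vSwitch NIC teaming)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! ASA inside interface. The 5505 sends no BPDUs either.
interface GigabitEthernet0/3
 description ASA inside
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! The inter-switch link is the only port that should ever see a BPDU.
interface GigabitEthernet0/24
 description Trunk to switch 2
 switchport mode trunk
 switchport trunk allowed vlan 10,20
```

With every host and firewall port marked as an edge port, a link coming back does not spend 30 s in listening and learning, which is the usual source of the long convergence seen on access ports that were left with defaults; `show spanning-tree interface GigabitEthernet0/1 detail` should report the port as an edge port. After shortening the ASA timers, pull the failover cable once and watch `show failover history` to confirm the unit really fails over in about 3 s and does not flap under normal load before lowering them further.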

Posted April 20, 2010 at 8:40 AM