High Availability deployment

Answered Question
Jul 13th, 2010

Hi!


I need to deploy the following:


  • 2 Cisco 2921 routers in Active/Active mode
  • 2 ASA 5520 in Active/Standby mode
  • Cisco 2960G switches as required


In Solution 1, I have used 3 switches.

In Solution 2, I have included redundancy at the different switch levels.

Please see attached.


My queries are as follows:


  1. Which solution is better?
  2. At the router level, I understand that if I use HSRP, there needs to be an Active router and a Standby router. If both routers need to be active, what kind of configuration needs to be done?
  3. In Solution 2, is the equipment correctly cabled? Are there too many links? Is there a need for a direct router to router or switch to switch connection?
  4. In Solution 2, each ASA 5520 will be using 5 network interfaces. The ASAs need to be equipped with the IPS module, thus the expansion slot will be used. As the ASA 5520 comes with 4 network cards, is there a way to use fewer interfaces when using this type of deployment?
  5. What are RAD modems (Ethernet splitter) and how can 2 RAD modems be integrated to the router cluster?
  6. The connectivity to the Internet will be through SHDSL. So each router will be needing an SHDSL interface. Will the ISP line first go to the RAD modem and then to the router?




Thanks,


Alvin








          Correct Answer
          NoChanceIV Tue, 07/13/2010 - 14:00

          I believe I can assist you with #2 as I have this exact setup.


          If you want to use HSRP, you will need to configure multiple groups on each router, with each router having both an Active and a separate Standby group.


          Router 1

          group 1 - Active

          group 2 - Standby


          Router 2

          group 1 - Standby

          group 2 - Active


          The problem I ran into is I couldn't find a way to make two default routes load balance on the ASA.


          Another option is Global Load Balancing Protocol (GLBP). Under this scenario, you can have both routers active and have them load balance using a single default route from the ASAs.


          http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ft_glbp.html


          Also, your second scenario will not work. You are using too many ports. The network ports in the IPS are for management of the IPS only. You cannot use them for networking. Also, the ASA has a fifth port (Management 0/0) that is for management use only. The other problem I ran into is that this interface is 100Mb. That leaves you with Gig 0/0 - 0/3 for network usage. In my case, I needed the replication traffic between the ASAs, for the Standby router to be in sync with the Active router, to use a Gigabit port.


          I know this doesn't answer all of your questions, but I hope it helps.


          Chance
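The two options described in the answer above, written out as a Cisco IOS configuration sketch; this is an added example, not configuration from the poster or from Cisco's documentation. The interface name, the 192.0.2.0/24 addresses, the group numbers, the ASA interface name `outside` and `<KEY>` are assumptions, and the `authentication md5` lines are an addition so that only routers holding the shared key can take part in the gateway election.

```cisco
! Constructed example: 192.0.2.0/24, GigabitEthernet0/1 and <KEY> are placeholders.
!
! ===== Option A: HSRP with two groups (each router Active for one) =====
! --- Router 1: Active for group 1, Standby for group 2 ---
interface GigabitEthernet0/1
 ip address 192.0.2.2 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 authentication md5 key-string <KEY>
 standby 2 ip 192.0.2.254
 standby 2 preempt
 standby 2 authentication md5 key-string <KEY>
!
! --- Router 2: Standby for group 1, Active for group 2 ---
interface GigabitEthernet0/1
 ip address 192.0.2.3 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 preempt
 standby 1 authentication md5 key-string <KEY>
 standby 2 ip 192.0.2.254
 standby 2 priority 110
 standby 2 preempt
 standby 2 authentication md5 key-string <KEY>
!
! Two virtual gateways now exist (.1 and .254); a downstream device with a
! single default route points at only one of them.
!
! ===== Option B: GLBP, one virtual gateway shared by both routers =====
! --- Router 1 ---
interface GigabitEthernet0/1
 ip address 192.0.2.2 255.255.255.0
 glbp 1 ip 192.0.2.1
 glbp 1 priority 110
 glbp 1 preempt
 glbp 1 load-balancing round-robin
 glbp 1 authentication md5 key-string <KEY>
!
! --- Router 2 ---
interface GigabitEthernet0/1
 ip address 192.0.2.3 255.255.255.0
 glbp 1 ip 192.0.2.1
 glbp 1 preempt
 glbp 1 load-balancing round-robin
 glbp 1 authentication md5 key-string <KEY>
!
! --- ASA: single default route to the GLBP virtual IP ("outside" is an assumed nameif) ---
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
```

`show standby brief` and `show glbp brief` on each router confirm which one is Active or forwarding for each group. GLBP hands out its virtual MAC addresses per ARP reply, so the split is per ARP client on the segment.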

          netbeginner Mon, 10/19/2015 - 02:06

          Hi Alvin,

           

          We are also having the same setup (your Solution 2) and facing a problem with traffic failover at the upper level. Could you please suggest what exact configs you have completed to make your cross connection functional during traffic shifting?

          Amit Singh Tue, 07/13/2010 - 14:05
          User Badges: Cisco Employee

          Hi Alvin,



          Please see the replies below :


          1. Which solution is better?

          Amit Singh : Personally, option 2 is better. They both are the same, but option 2 provides extra HA by introducing another switch. If you have the budget, go for option 2. These switches will ideally be used as pure L2 connectivity, and the ASAs will point to the routers as the next hop gateways.


          2. At the router level, I understand that if I use HSRP, there needs to be an Active router and a Standby router. If both routers need to be active, what kind of configuration needs to be done?


          Amit Singh : Use GLBP to have both the routers work as active/active.


          http://cisco.biz/en/US/prod/collateral/iosswrel/ps6537/ps6554/ps6600/product_data_sheet0900aecd803a546c.html



          3. In Solution 2, is the equipment correctly cabled? Are there too many links? Is there a need for a direct router to router or switch to switch connection?


          Amit Singh : No, you don't need a direct connection between the routers or switches. Should be fine.


          4. In Solution 2, each ASA 5520 will be using 5 network interfaces. The ASAs need to be equipped with the IPS module, thus the expansion slot will be used. As the ASA 5520 comes with 4 network cards, is there a way to use fewer interfaces when using this type of deployment?


          Amit Singh : Use trunking on the ASA LAN interface. I would rather use the ASAs as active-active and use only one link from each switch to the ASA LAN interface with trunking. There is no need to cross-connect the ASAs on the LAN side.



          5. What are RAD modems (Ethernet splitter) and how can 2 RAD modems be integrated to the router cluster?


          Amit Singh : RAD modems are layer-1 devices which encode the signals from one media and decode them to a different media or interface. RAD modems will work as individual entities with each router and cannot be clustered.


          6. The connectivity to the Internet will be through SHDSL. So each router will be needing an SHDSL interface. Will the ISP line first go to the RAD modem and then to the router?

          Amit Singh : If you have an SHDSL interface on the router, you probably don't need the RAD modems. You can terminate the line directly on the SHDSL interface. In case you are not using the SHDSL interface on the router, then you need the RAD modem, and the line will connect to the RAD modem, which will in turn connect to the routers on an Ethernet interface.


          HTH, Please rate if it does.


          Cheers,

          -amit singh

          Ganesh Hariharan Wed, 07/14/2010 - 00:27

          Alvin,


          Solution 2 has higher availability in comparison to Solution 1. In Solution 1, if the 2960 switch in the router zone fails, a whole network outage will happen in terms of services, and the same applies to the inter-zone switches, so if you want full redundancy at each level, go with dual deployment of switches at each level. I would suggest, rather than criss-cross connectivity between the firewalls and zone switches, connecting both switches with EtherChannel and removing the cross connectivity. With criss-cross, only one link will be available at a time, as STP will block the redundant paths.


          Use the routers in active/active mode to fully utilize the ISP links, and configure GLBP for active/active operation, with the ASAs in cluster mode for local LAN routing and the policy feature of rules.


          Hope to Help !!


          Ganesh.H


          Remember to rate the helpful post
