HSRP and Failover in a Setup

Ganesan Palaniappan · ‎08-25-2012

Hi All,

I need a create a setup with complete HA availability from Core Switch , Firewall and Router.

I had 2-Cisco 3560 Switch , 2 - Cisco ASA 5520 Fw and 2 - Cisco 2921 router.

---------------------------------------------------------------

Let me explain how the devices are connected. Created HSRP between the Users VLAN in the Core Switch for the Gateway HA.

Also made a Priority set on one of the L3 Switch and make that a Root Bridge.

Configured 2 Firewall with Active/Standy mode and also 2 Routers LAN Interface with HSRP mode for HA.

All the Firewall Outside and Router LAN Interfaces are connected in a L2 VLAN. Also created a Separate L2 VLAN for the Failover link and connected.

Please refer the attached diagram for more clarity.

-------------------------------------------------------------------------

Now the activity is to create a Site to tunnel in the Firewall to connect other locations.

---------------------------------------------------------------

Problem : Sometimes the Secondary Firewall become as Active Firewall and we are unable to ping anything outside.. but the same ip's are reachable from Standby Firewall. I am suscepting that all the ports are in Secondary switches are in blocked port .. it may be the cause.

I made the Secondary Firewall connectivity to the Primary Switch and start to do the configuration change, but some what in between the default gateway is not getting reachable and tunnel is going down.

*** Some ip's i am able to reach from the Switch-A but the same is not reach from Switch - B and also from the Firewalls. No idea why it is pinginig.

*** Is it a proper setup to connect the devices or we need to do any changes.

--------------------------------------------------

Kindly suggest me the right setup and Configuration .... which will provide a HA in all layers.

Julio Carvajal · ‎08-25-2012

Hello Ganesan,

Nice Redundancy scenario you have in there

Now the failover link should be a dedicated and isolated VLAN, you should also enable on that particular lan failover and stateful failover interface the spanning tree port-fast condition.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

nkarthikeyan · ‎08-25-2012

Hi Ganesan,

I am proposing a design like this. You can have the STP in pvst mode and have a different priority set for the core switch to make it core a as root bridge. There is nothing wrong with your design you have made you core switch which will be physically down to your firewall... but in real it comes on the top of your firewall as well... But spanning tree conf should be done properly to achieve this... I have proposed my design which is pretty simple but easy for troubleshoot....

You can have your firewalls connected to core switch on the down and can directly connected to router on outside... always core a -->py fw--rtra will be the primary path... if anything goes wrong then secondary line will come in to picture....

make sure that your hsrp will have high priority to ur core a vlan conf for the access switches.....

Please do rate for the helpful posts.

By

Karthik

Ganesan Palaniappan · ‎08-25-2012

Hi, I got it. But i have a problem here. Suppose if the Primary RTR Fails, Secondary comes into picture. In that case Primary Firewall which is active will become Standby and the Secondary Firewall will be Active.

But Still due to the STP Priority Configuration, still all the Switch - A is up ..ie root bridge all the ports in the Switch B will be in blocking state. So it will not pass any traffic.

So, Inside network will not able to communicate the Outside .. because of STP ... I want to finf some other setup especially STP...

Thanks for ur reply..Awaiting more from u

Regards,

Gan

nkarthikeyan · ‎08-25-2012

Hi Ganesan,

I guess you are gonna configure default route in your core to your firewall primary ip address. If that is the case if router A fails then firewall secondary will become active which will take the primary IP. Core A to reach the primary IP which is firewall secndary which will get communicated via core B and go thru.

core A whould have the

spanning-tree mode pvst

spanning-tree extend system-id

spanning-tree vlan priority 4096

spanning-tree vlan forward-time 6

spanning-tree vlan max-age 8

Core B should have the

spanning-tree mode pvst

spanning-tree extend system-id

spanning-tree vlan priority 8192

spanning-tree vlan forward-time 6

spanning-tree vlan max-age 8

!

default route should be your firewall primary IP.... inside interface ip.

If this configuration you have in your infra.... Then you will not have any problems. We have the similar scenario in our infrastructure which is working fine with backup mechanism as well.

Please do rate for the helpful posts.

By

Karthik

Ganesan Palaniappan · ‎08-26-2012

Hi Karthik,

What about the L3 VLAN and L2 VLAN Spanning tree status in Core B Switch. it will be in forwarding/blocking state.

I faced the below issue and still i am unable to find it out. " All the ports ....ie... Secondary Firewall Outside interface and Secondary RTR Inside interfaces are connected to the Secondary Switch - B".

So unless untill Switch A phsically not down, traffic will not pass through Switch B because we made Switch A as Primary and root bridge.--- > This will happen if there is a failure in the Primary RTR and traffic from the LAN cannot pass on.

Correct me if i am wrong. Sorry .. i am totally confused .. As u have a working setup i request you to share some important things i need to do in the L3 Switch for HSRP and especially STP.

I have 3 VLAN's -- User VLAN , RTR-FW Comm VLAN and HA VLAN.

Thanks for ur response .. Awaiting for your reply !!!

Regards,

Gan