I am planning to design the datacenter. Before that I want to test the config. I am attaching the proposed 1 and proposed 2 diagrams and the test config also.
I have some queries about both the proposals:
1) Which interface do I need to track in the HSRP config, as I am going to create 20 VLANs? For all the VLANs I need to track gi0/1, where my primary FW inside interface is connected.
2) Please check the routing part and config also.
1) Config and routing need to be checked.
So the core switches will be the default gateways for your 20 VLANs, I believe.
Proposal 1 is not going to work, while Proposal 2 looks fine.
1- In this case, you need to configure an instance of HSRP for each VLAN interface defined on your cores. E.g.: suppose you have VLANs from 1 to 20.
For VLAN 5 on core 2:
interface Vlan5
 ip address 192.168.5.3 255.255.255.0
 standby 5 ip 192.168.5.1
 standby 5 timers 1 3
 standby 5 preempt
 standby 5 track GigabitEthernet0/1 10
(The trailing 10 means: decrease the priority by 10 once Giga 0/1 goes down.)
(So tracking needs to be defined for each standby group defined on all VLANs.)
2- Since the design is not valid, I will answer your concerns in Proposal 2.
1- For interface Giga 0/1 on the firewalls, use subnet mask 255.255.255.224 (since the mask needs to be the same for this subnet on the firewalls and cores).
2- For the routing on your firewall, a static route needs to be added for each VLAN created, pointing to the HSRP virtual IP address 192.168.2.1. E.g.: for VLAN 5, configure this route on the firewall:
route inside 192.168.5.0 255.255.255.0 192.168.2.1
(This has to be done for your 20 VLANs.)
3- For the routing on the cores, the default route is not valid and should be:
ip route 0.0.0.0 0.0.0.0 192.168.2.2
4- For the IP addresses on the firewalls, since failover is configured between them, apply the commands on the primary firewall and the secondary will be synchronized dynamically.
To configure the IP addresses, use the command below:
ip address 192.168.2.2 255.255.255.224 standby 192.168.2.3
Please don't hesitate to ask me any further questions, and don't forget to rate if that has been useful.
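The answer above repeats the same three things for every VLAN: an HSRP group with interface tracking on each core SVI, a static route on the ASA towards the VIP, and a consistent mask on the firewall/core link. The Python helper below is an added example (not code from the thread or from any Cisco tool) that rolls those out to all 20 VLANs and models which core is active once gi0/1 goes down. The addressing scheme (VLAN n in 192.168.n.0/24, core 1 at .2, core 2 at .3) and core 1's priority of 110 are assumptions; the thread only gives the VLAN 5 / core 2 snippet and a default-priority core 2.

```python
# Added example, not from the thread: per-VLAN HSRP/tracking stanzas for the
# cores, the matching ASA static routes, a mask check for the shared link, and
# a model of the HSRP election when the tracked interface drops.
# Assumed: VLAN n -> 192.168.n.0/24, core 1 = .2, core 2 = .3, core 1 priority 110.
import ipaddress

TRACK_IF = "GigabitEthernet0/1"   # interface towards the primary firewall
TRACK_DECREMENT = 10               # "standby <g> track ... 10" from the thread
HSRP_TIMERS = (1, 3)               # hello / hold, as in the thread
DEFAULT_PRIORITY = 100             # HSRP default when no priority is configured


def vlan_subnet(vlan_id):
    """Assumed scheme: VLAN n lives in 192.168.n.0/24 (matches the VLAN 5 example)."""
    return ipaddress.ip_network(f"192.168.{vlan_id}.0/24")


def hsrp_stanza(vlan_id, core_index, priority=None):
    """One SVI with its own HSRP group; group number = VLAN id, .1 is the VIP."""
    net = vlan_subnet(vlan_id)
    hosts = list(net.hosts())
    virtual_ip, real_ip = hosts[0], hosts[core_index]   # .1 VIP, .2 core 1, .3 core 2
    lines = [
        f"interface Vlan{vlan_id}",
        f" ip address {real_ip} {net.netmask}",
        f" standby {vlan_id} ip {virtual_ip}",
        f" standby {vlan_id} timers {HSRP_TIMERS[0]} {HSRP_TIMERS[1]}",
        f" standby {vlan_id} preempt",
    ]
    if priority is not None:
        lines.append(f" standby {vlan_id} priority {priority}")
    # Tracking is per group, so it is repeated in every VLAN stanza.
    lines.append(f" standby {vlan_id} track {TRACK_IF} {TRACK_DECREMENT}")
    return "\n".join(lines)


def core_config(core_index, vlan_ids, priority=None):
    """All SVI stanzas for one core, separated by '!' the way IOS prints them."""
    return "\n!\n".join(hsrp_stanza(v, core_index, priority) for v in vlan_ids)


def firewall_routes(vlan_ids, next_hop="192.168.2.1"):
    """ASA 'route inside' lines, one per VLAN, towards the cores' HSRP VIP."""
    return [
        f"route inside {vlan_subnet(v).network_address} {vlan_subnet(v).netmask} {next_hop}"
        for v in vlan_ids
    ]


def shared_link_consistent(fw_iface, core_iface):
    """Firewall and core must agree on the mask of the link subnet (item 1 above)."""
    return ipaddress.ip_interface(fw_iface).network == ipaddress.ip_interface(core_iface).network


def overlapping_vlans(vlan_ids, link_subnet):
    """VLAN subnets that collide with the firewall/core link subnet."""
    link = ipaddress.ip_network(link_subnet)
    return [v for v in vlan_ids if vlan_subnet(v).overlaps(link)]


def effective_priority(priority, tracked_up):
    """Tracking subtracts the decrement while the tracked interface is down."""
    return priority if tracked_up else priority - TRACK_DECREMENT


def active_core(core1, core2):
    """core = (real_ip, priority, tracked_up). With preempt on both cores the
    steady-state active router has the highest effective priority; HSRP breaks
    ties in favour of the higher real IP address."""
    def key(core):
        ip, prio, up = core
        return (effective_priority(prio, up), int(ipaddress.ip_address(ip)))
    return max((core1, core2), key=key)[0]


if __name__ == "__main__":
    vlans = range(1, 21)
    print(core_config(2, vlans))                          # core 2, default priority
    print("\n".join(firewall_routes(vlans)))
    print(overlapping_vlans(vlans, "192.168.2.0/27"))     # VLAN 2 clashes with the link
    # Core 1 at 110 loses gi0/1: 110 - 10 ties core 2 at 100, higher IP (core 2) wins
    print(active_core(("192.168.5.2", 110, False), ("192.168.5.3", DEFAULT_PRIORITY, True)))
```

Two things the model makes visible that the per-VLAN snippet alone does not: with the assumed addressing, VLAN 2's /24 would overlap the 192.168.2.0/27 firewall link, so the VLAN numbering or the link subnet has to move; and a decrement of 10 only forces failover if it pushes the primary core below the secondary, so the decrement should be larger than the priority gap between the cores rather than relying on the IP-address tie-break.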
I agree with Murawashdeh. His suggestion for Proposal 2 seems to be the most valid. However, I wanted to ask, what kind of firewall will you be using? Is it the Cisco ASA? If you anticipate running the failover option that this firewall supports, have you also considered running a dynamic routing protocol (OSPF?) on the trusted side of your ASA? This will help to alleviate the number of manual static routes that you will have to enter on your firewall. Just a thought...
Have a great day!
Thanks for your valuable info.
I want to tell you one thing: this present setup is what I am going to implement right now.
In the near future I want to run OSPF between my offices. I have to keep this in mind for the same.
Please let me know, if I want to run OSPF later, what changes I will need to make at that time with the same design.
Thanks in advance.
What technology are you planning to use in order to connect your offices (leased line, MPLS, VPN, etc.)?
And what are the devices that are going to run the OSPF protocol?
I do not recommend running OSPF on ASA and PIX firewalls, as it is memory consuming and can overwhelm the resources of these devices.
If required I will put in a router and run it there; otherwise I will terminate the VPLS connections on my core switches directly.
Anyhow, this is for inter-office traffic, so I hope it is not necessary to terminate the VPLS on the firewall...
If traffic between your offices is trusted, then you can directly terminate it on the cores; that's correct.
Otherwise, you will need a router (in order to run OSPF) connecting to the outside interface of the ASA (in order to filter all traffic via the ASA).
Is the mentioned design fine, or will it require any changes at that time?
I don't want to do a lot of changes at that time. I have to design the network keeping that in mind. Please suggest.
I believe that your current design is robust and optimal and you should implement it.
As for the next phases in the future, if you want to implement OSPF or other routing protocols, that won't adversely affect your current design.
Cheers, and if you need anything, then please let me know.
Planning to connect a blade server with a Nortel switch to the core switches as an EtherChannel.
What configuration needs to be done? Is it a normal EtherChannel with LACP?
I am going to enable RSTP on my core switches. Will the Nortel switch support it? If not, what do I have to do?