I have two core switches (6500) and I have configured GLBP on VLAN interfaces and HSRP on interface gig 1/2 on both switches.
1. How will the traffic flow from the LAN to the firewall and from the firewall to the LAN?
2. Will GLBP work properly?
3. Do I need to run HSRP?
Please refer to the attached network diagram.
Please help me.
Just to clarify, are the gi1/2 interfaces on the 6500 switches and the ASA inside interfaces in the same subnet?
Also, I'm not familiar with HP switches - what does active/standby mean in relation to those, i.e. I'm assuming both will still pass traffic all the time.
If so, yes, you can run HSRP on the 6500 switches and point the ASAs to the HSRP VIP.
However, you will have a real problem if either of those uplinks from the 6500 switches to the HP switches fails, so it's not a redundant design.
Looking at your diagram, we'll call the 6500 on the left sw1 and the ASA on the left asa1, and the 6500 on the right sw2 and the ASA on the right asa2.
GLBP will work fine, but the problem is GLBP could send the traffic from the access layer to either 6500 switch.
So let's say a packet is sent from the access layer to sw2. sw2's uplink has failed, so the only way it can get to the ASA is via sw1. But there is no link between sw1 and sw2 other than via the access layer.
I'm assuming you are not exchanging routes between the two 6500 switches via the access layer? If so, let me know, as a lot of what I am about to write would need modifying.
What you need is either -
1) a L2 trunk between your 6500 switches, although I can see from your diagram that you have no blocking on the access-layer uplinks as STP is not blocking, so this is presumably why you don't want a L2 trunk?
2) a L3 link between your 6500 switches so that if the gi1/2 interface goes down the 6500 can route the traffic to the other 6500. This would probably be a better fit for your design.
There is still a problem though. If the link between the 6500 and the HP switch fails, then it works fine. If the HP switch fails, it works fine. But if the interconnect between the HP switches fails, then you have a problem. If sw2 is trying to send traffic to asa1, how does it now get there, because there is no path? As far as sw2 is concerned, its gi1/2 interface is still usable because it is up/up.
So you could either use IP SLA on the 6500 switch and ping the virtual IP of the ASAs. If the ping failed, then it could use the other 6500. Or you could use one of the L2 paths via your access-layer switches which are connected to the HP switches, although this is not recommended.
As you can see, there are a few issues with this design in terms of redundancy. I understand why you have not used a L2 trunk between the 6500 switches, so that you can use the full bandwidth of the uplinks from the access-layer switches, but you still need an interconnect between your 6500 switches, be that L2 or L3.
Without knowing how you are routing, i.e. statics/dynamic routing protocol etc., it's difficult to be more precise, but you certainly need to have a rethink on the failure scenarios, i.e. sit down with the design, take out a switch/uplink/firewall etc. and then trace the path the traffic will take. Only by doing that will you see any problems with the design.
As I said, if you are exchanging routes via the access-layer switches then an alternate path is indeed available without an interconnect, so I need to understand that too.
Thinking about this a little more, the easiest solution, if the ASA inside interfaces and the gi1/2 interfaces on the 6500s share the same subnet, is to -
1) create a dedicated VLAN on the 6500 switches for the communication between the 6500 switches and the ASAs, e.g. vlan 10
2) cable a L2 link between the two 6500 switches and make the ports on both 6500 switches access ports in vlan 10. Do not make it a trunk port, as this will then mean that your access-layer switches will have to block one of their uplinks. If you make it an access port, then the access-layer switches will continue to use both uplinks for forwarding.
3) on each switch create a L3 VLAN interface for vlan 10 and move the IP addresses on gi1/2 on each switch to the L3 VLAN interface.
4) make gi1/2 on each switch a switch port in vlan 10
5) configure HSRP under the L3 vlan 10 interfaces on the 6500 switches.
Edit - this setup actually creates a square between the 6500s and HP switches, which I'm not keen on. Please see the next post regarding the question of connecting the ASAs directly to the 6500 switches.
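As an added illustration of steps 1-5 above (this is not configuration posted by the thread's author), here is how the vlan 10 design could look on sw1 in IOS, with the matching ASA static route pointing at the HSRP VIP as suggested earlier in the thread. The addresses, the VLAN name, the use of gi1/3 for the sw1-sw2 interconnect, the HSRP group number and the LAN prefix are all assumed placeholders; sw2 mirrors this with its own address and a lower HSRP priority.

```ios
! ---- sw1 (Catalyst 6500, native IOS) ----
! Step 1: dedicated VLAN for 6500 <-> ASA traffic
vlan 10
 name FW-TRANSIT
!
! Step 2: L2 interconnect to sw2 as an ACCESS port in vlan 10 only.
! Deliberately not a trunk, so the access-layer uplinks keep forwarding
! on every VLAN instead of STP blocking one of them.
! (gi1/3 is an assumed free port.)
interface GigabitEthernet1/3
 description L2 link to sw2 - vlan 10 only
 switchport
 switchport mode access
 switchport access vlan 10
!
! Step 4: gi1/2 loses its IP and becomes a vlan 10 switch port toward
! the HP switch / ASA inside side
interface GigabitEthernet1/2
 description uplink to HP switch (ASA inside side)
 no ip address
 switchport
 switchport mode access
 switchport access vlan 10
!
! Step 3 + 5: the address that used to live on gi1/2 moves to the SVI,
! and HSRP provides the VIP the ASAs will use as their next hop.
! (10.10.10.0/24 is a constructed example subnet.)
interface Vlan10
 description transit to ASA inside interfaces
 ip address 10.10.10.2 255.255.255.0
 standby 10 ip 10.10.10.254
 standby 10 priority 110
 standby 10 preempt
!
! ---- asa1 (ASA side, assumed) ----
! Point the inside LAN prefix at the HSRP VIP rather than at either
! 6500's real address, so a failed 6500 does not strand the return path.
! (192.168.0.0/16 is a constructed placeholder for the internal networks.)
route inside 192.168.0.0 255.255.0.0 10.10.10.254 1
```

On sw2 the only differences are its own SVI address (e.g. 10.10.10.3) and a lower `standby 10 priority`, so sw1 is normally active and sw2 takes over when sw1 or its SVI goes down.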
A quick question. Have you run out of ports on the 6500 switches? If not, then it would make a lot more sense to simply connect the ASAs directly to the 4506 switches with the L2 access link I was talking about in my previous post.