Redundand Connections

ray_stone · ‎08-08-2012

Hello Experts:

My company has contracted Verizon Business to install an MPLS network for our eight largest offices in the US and Canada. In our primary data center they will give us a Cisco 3825 router with one outside interface and two inside interfaces. This is perfect because we have two ASA 5510 firewalls which we want to use to achieve as much redundancy as possible. Behind the two firewalls are two Cisco 3750s, and each server has one connection to each switch.

Also, we want to keep our existing Internet lines and VPN tunnels as backups in case the Verizon MPLS network goes down.

Physically, the connections seem to make sense:

Cisco 3825
- Outside interface to Verizon MPLS
- Inside interface to Firewall_1
- Inside interface to Firewall_2

ASA 5510 (Firewall_1)
- Interface to Cisco 3825 (Verizon MPLS)
- Interface to Internet line
- Interface to Switch_1
- Interface to Switch_2
- Interface to Firewall_2 (for heartbeat / failover)

ASA 5510 (Firewall_2)
- Interface to Cisco 3825 (Verizon MPLS)
- Interface to Internet line
- Interface to Switch_1
- Interface to Switch_2
- Interface to Firewall_1 (for heartbeat / failover)

Logically, I do not know what IP scheme and routing to use for everything. We want as much redundancy as possible. If the MPLS network or router goes down, the Internet VPN should kick in automatically. If one firewall goes down, the other firewall should kick in automatically. If one switch goes down, the servers should be able to communicate over the other switch.

Can somebody please suggest what is the possible way to achieve this?

Thanks in advance for any knowledge, insight, and input!

stevenkrose · ‎08-13-2012

Hi,

Since the ASA's are in active/standby they will have no issue when one ASA fails.

Refer to this doc for the ASA redundant ISP setup: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Also, I would stack the 3750's if possible

Hope this helps

Alessio Andreoli · ‎08-13-2012

Hi Ray,

i would not be so worried if i were you. From your analysis of the infrastructure the only single point of failure is out of your company (Cisco 3825) so just keep enhanced object tracking on the Cisco 3825 should you need to switch over the Internet VPN connection.

Remember about the "domino effect"... (do not use more than 75% of your active uplink!!!)

Why so old routers? It is strange that a so big company is providing EoL routers.... By the way i love the old 3800 series

Can't you as for the 3925 or 3925E ?

Take Care

Alessio

hobbe · ‎08-13-2012

Hi

Are the 3800 using a switch blade ?

If not then how are you thinking of doing the heartbeatst for the outside interfaces of the 5510s ?

I would not worry about the 3800 beeing the single point of faliure, but I would make sure that it does have 2 powersupplys, and if it is a model that only have 1 powersupply then I would set it up with a dual power source so that if you loose one powersource the other will keep it alive.

I would state that the Link is more likely to fail somewhere out of your office than in it.

You can of course use the 3750 switches to deal with the asa5510 - router heartbeats issue, just setup 3 ports on each of the 3750s in its own vlan and setup a link between them.

However that said, if you have no further use than just switching the 5510 inside and outside interfaces AND you do not yet own the 3750s then you can buy alot cheaper switches.

We do not know what type of uptime you require and well is it ok that the links are down for a couple of seconds (cheeper) and then fixes itself or do you need redundancy to instantly kick in (very expensive and forget the 3750 switches they do not support what you need to do).

A tip would be to read up on a feature called flexlink, that might help you with some things if you want.

Good luck

Hope This Helps