Cisco Support Community
New Member

Redundant Router Internal Connections

Hi,

I have a setup where we have one internet router. Internally, the router is connected to two firewalls operating in an active-passive scenario.

Currently we are using a WAN switch with VLANs to establish a connection to each firewall.

We need to eliminate this WAN switch as it is a single point of failure. Is it possible to create an L3 etherchannel from one side (router side)?

*For the passive firewall all interfaces will be down and will only come up when the first firewall is down.

6 REPLIES
Hall of Fame Super Blue

Redundant Router Internal Connections

Rami

I don't think the ASA will support an etherchannel spread across both firewalls (if that is what you are asking).

The solution most commonly used is to use two switches interconnected by either a trunk link or an access port in the VLAN that is used for connecting the router to the firewalls.

Jon

New Member

Redundant Router Internal Connections

Can I make an L3 etherchannel only from the router side? Because from the firewall side, only the interface on the active firewall will be up. So traffic will only go through this interface.

Hall of Fame Super Blue

Re: Redundant Router Internal Connections

Rami

I'm not sure I understand. An L3 etherchannel on the router side but connecting to what on the firewall side, i.e. each firewall has one outside interface so the active firewall will only have one interface, so what are you going to etherchannel to from the router?

Apologies if I am misunderstanding but it sounds like you are trying to run an etherchannel from the router to both ASAs and this wouldn't work. It might work if the firewalls were clustered but I couldn't say as I have no experience with that.

I am not sure why you cannot simply add another switch for redundancy, i.e. you connect each router interface to a different switch. The active ASA connects to one switch and the standby to the other switch. The switches are interconnected as I described in my previous post.

Then the failure of one switch still means you have connectivity from the ASA firewalls to the router although obviously losing a switch would mean a failover of the firewalls.

Jon

New Member

Re: Redundant Router Internal Connections

Do I have to have stack switches? Otherwise, how will I make the connection from the switch side?

Hall of Fame Super Blue

Re: Redundant Router Internal Connections

Rami

Sincere apologies, I understand what you mean. I was being a bit stupid (a not uncommon occurrence) and probably managed to confuse you as well. My fault entirely.

For some reason I was thinking of two routers and of course the problem with one router is that two ethernet interfaces cannot be in the same IP subnet. So you could either -

1) use a bridge group on the router to bridge the two interfaces together and assign the IP to the BVI. One of the links would be blocked by STP.

or

2) use stackable switches as you say so you can spread the etherchannel across the stack members

I haven't used the BVI solution in a production network but it should work if you decide you want to go that way.

The advantage of the switches is that both uplinks to the router would be active and forwarding so you get more throughput but this may or may not be a concern for you.

Jon
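
The bridge-group option (1) from the reply above, sketched as an added example; it is not part of the original thread and was not posted by either participant. It assumes a classic IOS router that supports integrated routing and bridging, and the interface names and the 192.0.2.0/29 addressing are constructed placeholders.

```cisco
! Added example: interface names and addresses are constructed placeholders.
! Enable integrated routing and bridging so a bridge group can own a routed BVI.
bridge irb
! Run IEEE spanning tree in bridge group 1; STP blocks one link if a loop forms.
bridge 1 protocol ieee
! Route IP for bridge group 1 through the BVI instead of bridging it.
bridge 1 route ip
!
interface GigabitEthernet0/0
 description Link to active firewall outside interface (assumed name)
 no ip address
 bridge-group 1
!
interface GigabitEthernet0/1
 description Link to standby firewall outside interface (assumed name)
 no ip address
 bridge-group 1
!
! The BVI number must match the bridge group number.
interface BVI1
 description Single gateway address shared by both firewall-facing links
 ip address 192.0.2.1 255.255.255.248
 no shutdown
```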

New Member

Re: Redundant Router Internal Connections

Thanks Jon,

It is clear now.
