I have a question concerning a high availability design.
We are running OSPF internally, all in the same area.
My questions are concerning the etherent connections in violet.
In our network, internally, all router ethernet interfaces are in the same vlan and subnet. At the moment, we only have etherent A in place.
Would the way to make this redundant connection on the MPLS router involve just have interface A in the existing router subnet and create a new router subnet for interface B, or possibly subnet a two host network out of the existing router subnet?
What I am getting at, is that if we are using dynamic routing (OSPF) and the router will not allow more than one interface in a subnet, the second connection will have to be in a different subnet, is this correct?
And our setup requires that we prioritize the one connection (A) over the other(B), would this be done with increasing the cost of one connection over the other, or a more common or sophisticated way of doing this?
Also, since the ASA appliances will be one active, the other standby, we need to prioritize Ethernet A over B there as well.
We have a block of 32 addresses, would we subnet the two etherent interfaces there, maybe two host subnets?
We still need to route the rest of the address block to the outside interface of the ASA appliances?
Any reply would be appreciated
Anything you did with only one router in place, I would consider to still have a single point of failure in the Cisco 2821.
you could bridge the two ports together and connect the ethernet A and B to each of your switches and have a BVI interface. That will sort of achieve what your talking about. But the 2821 will still be a single point of failure.
The best way IMO around that would be to install another router attached to the MPLS network and connect it switch 1. You could manipulate OSPF costs after that. I don't think I'd be overly concerned with that however.
Hope that Helps
Tony, thanks for the reply.
However, i don't think we have the money right now for a second 7206, or the secondary connections into the MLPS cloud, so we are more concerned with an internal network failure.
We have everything but a second DMZ switch for what is shown in the drawing.
Fair enough, in that case I'd go with putting the two ethernets into the same bridge and routing through a BVI to the subnet.
One of the ports will go into block and the other will be forwarding, and it will take some time to change from forward to block, but it will work reasonably well for most apps.
It won't be as good as having another router, but you won't be able to argue that one until you have a failure in the 7206.
I would explain to your supervisors that as the network has a single point of failure that an outage on that device will cause outages for all your remote users. That way they know and it doesn't become a sore point in the future should the 7206. Put it in writing.
Yep still holds true, though I must admit that I've made some assumptions. I assume that the routers and the firewalls are in the same subnet, and that the switch is a simple layer 2 device.
One of your other posts had a reply saying that if you run a routing protocol between switch and the router and firewall then you can dual connect the router. Thats true as well. In the end it depends on the requiremens. I would still be hessitant to call the network Highly available simply because of these single points of failures.
If you can provide a drawing with some of the layer three detail. that would help a bit.
Not sure what you mean about a drawing with layer three detail, but:
The DMZ switch is a simple layer 2 device, but the 6509s are layer three devices.
All end devices linked to the 6509s are in their own VLAN and subnet, down to the router interfaces are in a seperate subnet and vlan.
Workstations, servers, switches, even the firewall interfaces are in their own seperate vlan.
So all of the subnets have an SVI and a route, there is no summarization going on.
We have OSPF internally and the 6509s, firewall inside interfaces and the 7206 are all neighbors.
Adding the second interface to the 7206 and linking to the other 6509, even though it is not fully redundant, if there are no problems (loops), it will allow routing to the remote branches in the event of either 6509 failure.
Thanks, thats the drawing. It will work ok. Sorry about the confusion I've caused. It's the danger of assumptions.
Won't really be Highly available, but I'm just repeating myself, Its the best you can do without buying the additional router and connection to the MPLS cloud.