Internet Edge Design Redundancy

trippi · ‎11-03-2009

We have dual ISPs. Each connected to its own router. Each router is connected to each switch, the router has a BVI interface for the inside. Switch 1 is connected to one ASA, Switch 2 is connected to the other ASA. Is there any reason to connect the two switches together or to connect each switch to each ASA and configure a 'redundant interface' on the ASA?

CriscoSystems · ‎11-03-2009

Do you have hosts in the same VLAN connecting to different switches?

I presume you don't, since the switches aren't currently connected, but you may just be using L3 for reachability (and being unconcerned with ARP queries; multicast traffic and such).

If you in fact do not have a single VLAN segmented across the two switches then I do not see a reason to connect them now, unless you want yet a third failover link (since each switch already connects directly to both routers).

With a link between the switches you'll have to set up spanning tree (not a big deal) and give proper consideration to the now added potential for routing loops.

trippi · ‎11-03-2009

switches are only configured with 1 vlan, they are layer 2 only.

I'm routing from the firewalls to the HSRP address on the routers.

Laurent Aubert · ‎11-03-2009

Hi,

I would prefer this design:

R1 connected to Switch 1 only

R2 connected to Switch 2 only

Switch 1 connected to Switch 2

ASA1 connected to Switch 1

ASA2 connected to Switch 2

ASA1 connected to ASA2 but for failover purpose only.

It will avoid you the BVI interface and save you one interface on each router.

Also with your design if R1 is HSRP master and looses its link with Switch 1, the traffic will do ASA1-Switch1-R2-Switch2-R1.

HTH

Laurent.