2x 2910al connected to 1 juniper firewall/router

 
maartenverbaan
Occasional Visitor

Hi all,

 

I want to make our network redundant with HP Procurve switches. I've attached the situation I'd like. 

 

So if switch one fails, switch 2 will take over all the traffic and vice versa. I think this can be easily done by linking the two together and enabling STP.

But the 2 uplinks, one for each switch to the gateway/firewall/router: how do I configure the switches so that they will sense the failure of one of the two links and send all the traffic through the other switch?

 

I hope it's clear. 

 

Thanks in advance for any answers.

 

(by the way, I understand that the Juniper will be the single point of failure, but that one is not managed by us, and quick to replace by that company)

4 REPLIES
paulgear
Esteemed Contributor

Re: 2x 2910al connected to 1 juniper firewall/router

Hi Maarten,

 

Before we can answer that, the really important question is: in what L2 segments do the servers and the firewall reside?

 

If the two connections to the firewall and the servers are all in the same segment, then there's probably not anything to do.  (STP should handle it.)  If your 2910 switches act as the default gateway and route to the firewall, then you'll probably need to use dynamic routing.

Regards,
Paul
Matcol
Frequent Advisor

Re: 2x 2910al connected to 1 juniper firewall/router

As Paul said, if your 2910s aren't routing, you don't have to do anything.

 

If the 2910s are routing, as they don't do VRRP, the question is, how do the servers use them? Do the servers themselves have routes, one pointing at each 2910?

 

Having thought about this, the only sensible way this could work for you is if you have your switches doing layer 2 only, and your servers' default gateway is a virtual (VLAN) interface on the Juniper, with both Juniper ports in that VLAN.

maartenverbaan
Occasional Visitor

Re: 2x 2910al connected to 1 juniper firewall/router

Thanks for your replies!

 

The gateway is the firewall. So I use no routing on the HP switches at all.

 

Also I've configured it all very basic, so I don't think I've created segments.

 

Should I still create a VLAN on the switches? Or do I only let them be created on the Juniper firewall?

One more question. Can I achieve the same with a 2510? That would save me a lot of money.

paulgear
Esteemed Contributor

Re: 2x 2910al connected to 1 juniper firewall/router

Hi maartenverbaan,

It sounds like that should work fine, as long as you set up the Juniper firewall with the two interfaces connecting to the switches in a bridge group (i'm not sure of the exact terminology Juniper uses for this).

If it is as basic as you say, then there should be no need for VLANs, and a 2510 switch as the 2nd switch should work just fine. (Not that i recommend this - i've never regretted getting better switches than i thought i needed, but often regretted getting cheaper switches than i thought i needed. ;-)

Make sure you set the spanning tree priority of both switches correctly (usually 0 for the first one, and 1 (4096) for the second). Note also that your servers will have to handle the multiple uplinks at the OS level, e.g. using the balance-tlb Linux bonding driver, or using source virtual port number if you're using VMware ESXi. The scenario you've outlined does not allow you to use LACP for your server connections.
Regards,
Paul
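
The failover behaviour discussed in this thread, as an added example that is not part of any reply: a simplified spanning-tree calculation for the triangle of two switches and a firewall bridge group, using the priorities 0 and 4096 mentioned above. It assumes the firewall takes part in spanning tree with priority 32768, equal link costs, and constructed MAC addresses; it models the converged result only, not BPDUs or timers.

```python
# Added illustration, not from the thread. Simplified STP: one link per
# bridge pair, equal port costs, converged state only (no BPDUs, no timers).
COST = 20000  # assumed path cost of one 1 Gbit/s link

# Bridge ID = (priority, MAC). MACs and the firewall priority are constructed.
BRIDGES = {
    "sw1": (0, "00:00:00:00:00:01"),
    "sw2": (4096, "00:00:00:00:00:02"),
    "fw": (32768, "00:00:00:00:00:03"),
}
LINKS = [("sw1", "sw2"), ("sw1", "fw"), ("sw2", "fw")]


def spanning_tree(bridges, links):
    """Return (root, forwarding_links, blocked_links) for the given topology."""
    # Links to a failed (absent) bridge are down as well.
    links = [l for l in links if l[0] in bridges and l[1] in bridges]
    root = min(bridges, key=bridges.get)  # lowest bridge ID wins the election
    cost = {b: float("inf") for b in bridges}
    cost[root] = 0
    for _ in bridges:  # relax until every root path cost is final
        for a, b in links:
            for u, v in ((a, b), (b, a)):
                cost[v] = min(cost[v], cost[u] + COST)
    root_links = set()
    for b in bridges:
        if b == root or cost[b] == float("inf"):
            continue
        # Root port: neighbour with the lowest root path cost, then lowest ID.
        nbrs = [n for l in links if b in l for n in l if n != b]
        upstream = min(nbrs, key=lambda n: (cost[n], bridges[n]))
        root_links.add(frozenset((b, upstream)))
    forwarding = [l for l in links if frozenset(l) in root_links]
    blocked = [l for l in links if frozenset(l) not in root_links]
    return root, forwarding, blocked


def uplink_failure(a, b):
    """Converged tree after the link between a and b goes down."""
    return spanning_tree(BRIDGES, [l for l in LINKS if set(l) != {a, b}])


def switch_failure(name):
    """Converged tree after one bridge fails completely."""
    alive = {k: v for k, v in BRIDGES.items() if k != name}
    return spanning_tree(alive, LINKS)
```

In the healthy state the sw2-to-firewall link is the one held in blocking; it starts forwarding when either the sw1 uplink or sw1 itself fails.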