VRRP for Redundancy on 5400
07-15-2006 12:31 PM
I have a 5406 core switch to which four 3500 access switches are connected. Each 3500 is its own VLAN plus has a management VLAN. Each of these 3500s is then uplinked to the 5406 via 4 aggregated ports (LACP trunks) for increased bandwidth and fault tolerance on the links. The 5406 is thus a member of all the VLANs on the network and has an IP address assigned for each VLAN which acts as the gateway for all machines on the respective VLANs. So this core switch acts as the router for all inter-VLAN communications. This core router also has a WAN VLAN to which are connected two Cisco PIX firewalls (primary and secondary). Then there is a DMZ VLAN created on the core switch to which are connected two public domain servers (mail-relay and web), and the PIX DMZ interface of both firewalls is also connected. Everything is working great.
Now there is a need to add a few more closet switches and also to add another backup core switch (5406 again).
I am planning to create the same configuration as the main core switch, then run VRRP on both core switches, on each VLAN. I will connect two of the trunk ports of each closet 3500 switch to each 5406, thus splitting the four ports that are now all on a single 5406.
Here is my issue which I need help with from experienced colleagues on this forum.
At this time, I have 4Gbps trunk bandwidth from each 3500 going over to the 5406. Now with VRRP, with only one core router being active, I will have only 2Gbps available while the other two trunks will be sitting idle (I can not load balance across VLANs as each switch is its own single VLAN).
Further, I also have a server VLAN on the core switch to which are connected four inside HP ProLiant servers with two teamed SLB NICs. Now I will have to split these two links across the two core switches, thus not benefiting from the fault tolerance (in case the link to the main core switch is snapped while that core is active) and from the aggregated 2Gbps bandwidth because of teaming.
Is it possible to run something like dynamic routing with RIP so that both core switches are carrying traffic and thus all uplinks from the 3500s and servers are also active all the time until one of the core routers is down?
Thanks,
07-15-2006 01:45 PM
The second option that I can imagine would be using OSPF Equal-Cost Multipath. For this though you would need the Premium Edge License on all switches and would need to bring the routing back to the 3500's as well. If your PIX firewalls are going directly to the internet then you'd probably get limited benefit from this as ECMP "calculates equal-cost next-hop routes for each of the subnets and then distributes per-subnet route assignments across these three routes", i.e., the internet would only be seen as one subnet so load balancing would not really be achieved. Check the Multicast and Routing guide for more info on this feature.
The third option would be to simply buy more hardware so you could go back to having 4 ports going to each 5406. Or look at the 10GbE options instead. And for the ProLiant, add more NICs and purchase the Intelligent Networking Pack license.
Matt
07-15-2006 02:45 PM
But how am I going to make use of two PIX firewalls? If I connect one to the main core and the other to the backup core, with the primary PIX connected to the main core, the failure of the main core will not make the secondary PIX active and hence there will be a disconnect from the Internet. Any suggestion as to how to switch firewalls automatically when the main core fails and the backup core becomes the active router? I am not sure if it is a good idea, or even possible, to configure a few ports (WAN and DMZ segments) on each switch as a pure hub and then simply connect these hubbed WAN and DMZ segments on the two core switches via ethernet cables.
Finally do I have to run STP on the two VRRP switches on the uplinks to edge switches, as trunks from each edge switch to two core switches might create a loop.
Thanks again and I look forward to further support.
07-15-2006 03:46 PM
Solution
http://www.ciscopress.com/articles/article.asp?p=24686&rl=1
With your proposed setup, you will need to enable spanning-tree on each switch. One piece of advice I can give you right now is to configure each switch with every VLAN that is in use on the network, and to make sure all of these VLANs are tagged on all of your switch to switch links (except maybe VLAN 1 which can remain untagged throughout).
The reason for this is that in a failover situation you can sometimes accidentally isolate some VLANs. It also keeps things much simpler in the long run: if adding a new VLAN you just need to remember to add it to each switch and then tag their uplinks for that VLAN. Then if a user on a certain switch needs to be a member of a particular VLAN, all you need to do is set an untagged port for that client.
It's not mandatory but I would consider it best practice.
07-15-2006 04:02 PM
For STP, I guess yes, you have to; since you have a redundant link from each edge switch to each core, and from core1 to core2 for VRRP, you need to enable Spanning Tree, but:
All switch-to-switch links must be tagged members of all VLANs, in case of failure, so redundancy here is guaranteed.
For the PIX issue, usually in-line firewalls in High-Availability (HA) solutions have some configuration to be done in case one link is down, and one link means (Core1 or PIX1) - (Core2 or PIX2), so I suggest you have a look at the PIX configuration in HA designs.
Good Luck !!!
07-15-2006 04:19 PM
I have to check the licensing of the failover PIX ASA unit, but if they are identical, then shouldn't I simply use one PIX to connect to one core and the other to the backup core and then run some kind of routing protocol? The ASA is a kind of router with RIP, OSPF and static route support. I am clear about RIP and static routing but have no knowledge of OSPF. Could you guys suggest if running routing between the firewalls and core routers will take care of my issues and, if so, could you suggest the necessary code for the switches? I will find out what it takes on the PIX ASAs.
Thanks
07-16-2006 06:44 PM
You have to connect the primary PIX (inside interface) to both core1 and core2 in the same VLAN. Then configure failover between the PIXes. This works fine.
07-17-2006 08:26 AM
Thanks anyway.
07-17-2006 07:14 PM
Yes, with an external hub or switch (two for redundancy) between the PIXes and the cores.
Otherwise, if you only connect core1-pix1 (primary) and core2-pix2 with trunking between the cores, then if core1 fails, the primary PIX (pix1) cannot be accessed from core2. The PIXes will not fail over automatically if core1 fails.
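The switch side of the design this thread converges on (two 5406 cores running VRRP on every routed VLAN, spanning tree enabled, every VLAN tagged on every switch-to-switch link, and the two PIX inside interfaces sharing one WAN VLAN), as an added example that is not from any of the posts above; the thread itself contains no configuration. Hostnames, VLAN IDs, port names and addresses are invented. The command syntax follows the ProCurve 5400zl/3500yl VLAN and trunk commands and the VRRP chapter of the Multicast and Routing Guide, and should be checked against the software release actually installed. Only VLAN 10 (closet 1) and VLAN 200 (WAN) are shown; the server, DMZ and other closet VLANs repeat the same pattern. Lines starting with `;` are comments, as in a ProCurve running-config.

```text
; ---- core1 (5406): VRRP owner on each routed VLAN ----
hostname "core1"
ip routing
spanning-tree
spanning-tree priority 0             ; core1 becomes STP root (0-15, x4096)
trunk B1-B2 trk1 lacp                ; closet 1: two of its four ports land here
trunk C1-C2 trk9 lacp                ; core1 <-> core2
vlan 1
   name "MGMT"
   untagged trk1,trk9                ; VLAN 1 may stay untagged on the links
   ip address 10.1.1.1 255.255.255.0
   exit
vlan 10
   name "CLOSET1"
   tagged trk1,trk9                  ; every VLAN tagged on every switch-to-switch link
   ip address 10.1.10.1 255.255.255.0 ; owner: the real IP is the virtual IP
   exit
vlan 200
   name "WAN"
   untagged D1                       ; pix1 inside interface
   tagged trk9                       ; pix2 (on core2) is in the same VLAN
   ip address 10.1.200.1 255.255.255.0
   exit
router vrrp
vlan 10
   vrrp vrid 10
      owner
      virtual-ip-address 10.1.10.1 255.255.255.0
      enable
      exit
   exit
vlan 200
   vrrp vrid 200
      owner
      virtual-ip-address 10.1.200.1 255.255.255.0  ; PIX inside routes point here
      enable
      exit
   exit

; ---- core2 (5406): VRRP backup; same VLANs, same tagging ----
hostname "core2"
ip routing
spanning-tree
spanning-tree priority 1             ; second-best root
trunk B1-B2 trk1 lacp                ; closet 1's other two ports
trunk C1-C2 trk9 lacp
vlan 1
   name "MGMT"
   untagged trk1,trk9
   ip address 10.1.1.2 255.255.255.0
   exit
vlan 10
   name "CLOSET1"
   tagged trk1,trk9
   ip address 10.1.10.2 255.255.255.0 ; backup keeps its own real IP
   exit
vlan 200
   name "WAN"
   untagged D1                       ; pix2 inside interface
   tagged trk9
   ip address 10.1.200.2 255.255.255.0
   exit
router vrrp
vlan 10
   vrrp vrid 10
      backup
      priority 100                   ; any 1-254; the owner is fixed at 255
      virtual-ip-address 10.1.10.1 255.255.255.0
      enable
      exit
   exit
vlan 200
   vrrp vrid 200
      backup
      priority 100
      virtual-ip-address 10.1.200.1 255.255.255.0
      enable
      exit
   exit

; ---- closet1 (3500yl): one LACP trunk per core; STP blocks the loop ----
hostname "closet1"
spanning-tree
trunk 21-22 trk1 lacp                ; to core1
trunk 23-24 trk2 lacp                ; to core2
vlan 1
   name "MGMT"
   untagged trk1,trk2
   ip address 10.1.1.11 255.255.255.0
   exit
vlan 10
   name "CLOSET1"
   untagged 1-20                     ; user ports; their gateway is 10.1.10.1 (the VIP)
   tagged trk1,trk2
   exit
```

Check the result with `show vrrp` on both cores (core1 should be Master for every VRID, core2 Backup) and `show spanning-tree` on the closet switch (one of its two trunks should be Blocking). Two caveats. First, spanning tree forwards only one of the closet's two trunks at a time, so the usable uplink per closet is 2Gbps; that is exactly the limit raised in the first post, and VRRP by itself does not change it. Second, VRRP advertisements carry no cryptographic authentication (RFC 3768 removed the authentication types of the earlier RFC 2338), so any host in a VLAN that the cores route on can send advertisements of its own; keep these VLANs off untrusted ports and treat a VRID whose master is not the expected core as something to investigate. Whether the PIX pair fails over when core1 goes down depends on the PIX failover configuration and is not settled in this thread.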
07-17-2006 11:59 PM
So I believe it should all work. Else it becomes too expensive to set up. I already have two PIXs in failover config and I have a core switch. All I now need is to add another core switch to create a fully redundant core and WAN segment. Do you still feel that I am missing something here?
Thanks.