
VRRP for Redundancy on 5400

 
SOLVED
procurvenewbee
Frequent Advisor

I need a little help, being new to this field, though my basics are clear.

I have a 5406 core switch to which four 3500 access switches are connected. Each 3500 is its own VLAN and also has a management VLAN. Each of these 3500s is then uplinked to the 5406 via 4 aggregated ports (LACP trunks) for increased bandwidth and fault tolerance on the links. The 5406 is thus a member of all the VLANs on the network and has an IP address assigned for each VLAN, which acts as the gateway for all machines on the respective VLAN. So this core switch acts as the router for all inter-VLAN communication. This core router also has a WAN VLAN to which two Cisco PIX firewalls (primary and secondary) are connected. Then there is a DMZ VLAN created on the core switch to which two public domain servers (mail relay and web) are connected, and the PIX DMZ interfaces of both firewalls are also connected to it. Everything is working great.

Now there is a need to add a few more closet switches and also to add a backup core switch (another 5406).

I am planning to create the same configuration on the backup core as on the main core switch, then run VRRP on both core switches, on each VLAN. I will connect two of the trunk ports of each closet 3500 switch to each 5406, thus splitting the four ports that currently all go to a single 5406.

Here is my issue which I need help with from experienced colleagues on this forum.

At this time, I have 4Gbps of trunk bandwidth from each 3500 to the 5406. Now with VRRP, with only one core router being active, I will have only 2Gbps available while the other two trunks sit idle (I cannot load balance across VLANs, as each switch is its own single VLAN).

Further, I also have a server VLAN on the core switch to which four inside HP ProLiant servers with two teamed SLB NICs are connected. Now I will have to split these two links between the two core switches, thus not benefiting from the fault tolerance (in case the link to the main core switch is snapped while that core is active) or from the aggregated 2Gbps bandwidth of teaming.

Is it possible to run something like dynamic routing with RIP so that both core switches carry traffic, and thus all uplinks from the 3500s and servers are also active all the time, until one of the core routers is down?

Thanks,
Matt Hobbs
Honored Contributor

Re: VRRP for Redundancy on 5400

What would be absolutely ideal for you would be if you could enable Meshing and IP routing at the same time. Unfortunately at this point in time this is not possible. See if you can make some enquiries with your ProCurve dealer or sales rep to see if this feature will ever be available.

The second option that I can imagine would be using OSPF Equal-Cost Multipath. For this though you would need the Premium Edge License on all switches and would need to bring the routing back to the 3500's as well. If your PIX firewalls are going directly to the internet then you'd probably get limited benefit from this as ECMP "calculates equal-cost next-hop routes for each of the subnets and then distributes per-subnet route assignments across these three routes." i.e., the internet would only be seen as one subnet so load balancing would not really be achieved. Check the Multicast and Routing guide for more info on this feature.

The third option would be to simply buy more hardware so you could go back to having 4 ports going to each 5406. Or look at the 10GbE options instead. And for the ProLiant, add more NICs and purchase the Intelligent Networking Pack license.

Matt

procurvenewbee
Frequent Advisor

Re: VRRP for Redundancy on 5400

Thanks Matt for your detailed response. I believe I will have to choose option 3, wherein I will buy additional NIC cards for the servers. I should have a few spare ports on each 3500, so that I can use 2 ports from each 3500 to the backup 5406 and 4 ports to the main core.

But how am I going to make use of the two PIX firewalls? If I connect one to the main core and the other to the backup core, with the primary PIX connected to the main core, the failure of the main core will not make the secondary PIX active and hence there will be a disconnect from the Internet. Any suggestion as to how to switch firewalls automatically when the main core fails and the backup core becomes the active router? I am not sure if it is a good idea, or even possible, to configure a few ports (WAN and DMZ segments) on each switch as a pure hub and then simply connect these hubbed WAN and DMZ segments on the two core switches via Ethernet cables.

Finally, do I have to run STP on the two VRRP switches on the uplinks to the edge switches, as the trunks from each edge switch to the two core switches might create a loop?

Thanks again and I look forward to further support.
Matt Hobbs
Honored Contributor
Solution

Re: VRRP for Redundancy on 5400

I'm not that familiar with the PIX failover process, but I believe they are intelligent enough to failover in that type of situation.

http://www.ciscopress.com/articles/article.asp?p=24686&rl=1

With your proposed setup, you will need to enable spanning-tree on each switch. One piece of advice I can give you right now is to configure each switch with every VLAN that is in use on the network, and to make sure all of these VLANs are tagged on all of your switch to switch links (except maybe VLAN 1 which can remain untagged throughout).

The reason for this is that in a failover situation you can sometimes accidentally isolate some VLANs. It also keeps things much simpler in the long run: if adding a new VLAN you just need to remember to add it to each switch and then tag their uplinks for that VLAN. Then if a user on a certain switch needs to be a member of a particular VLAN, all you need to do is set an untagged port for that client.

It's not mandatory but I would consider it best practice.
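As an added example that is not from this thread or from HP/ProCurve documentation, here is how the two-core layout described in the question and in the post above could be expressed in ProCurve 5400 CLI: every VLAN defined on both cores, all VLANs tagged on every switch-to-switch trunk, spanning tree enabled, and one VRRP virtual router per VLAN with the existing core as owner (keeping the gateway addresses it already has) and the new core as backup. All VLAN IDs, addresses, port names and the PIX inside address are assumed; the command syntax is from the 5400 K-series Multicast and Routing Guide as I recall it, so check it against the guide for the firmware in use before applying.

```text
; ===== core1: existing 5406, VRRP owner on every VLAN =====
; Assumed values throughout (VLAN IDs, addresses, ports, PIX address).
hostname "core1"
ip routing
router vrrp

; Two LACP ports to each closet 3500, two ports to core2.
trunk A1-A2 trk1 lacp
trunk A3-A4 trk2 lacp
trunk B1-B2 trk10 lacp

; Every VLAN is tagged on every switch-to-switch trunk, including the
; inter-core link, so a failed core or link never isolates a VLAN.
vlan 10
   name "Closet-1"
   tagged trk1,trk2,trk10
   ip address 10.1.10.1 255.255.255.0
   vrrp vrid 10
      owner
      virtual-ip-address 10.1.10.1 255.255.255.0
      enable
      exit
   exit
vlan 20
   name "Closet-2"
   tagged trk1,trk2,trk10
   ip address 10.1.20.1 255.255.255.0
   vrrp vrid 20
      owner
      virtual-ip-address 10.1.20.1 255.255.255.0
      enable
      exit
   exit
vlan 100
   name "WAN"
   tagged trk10
   untagged C1
   ip address 10.1.100.1 255.255.255.0
   vrrp vrid 100
      owner
      virtual-ip-address 10.1.100.1 255.255.255.0
      enable
      exit
   exit

; Default route to the PIX pair's shared inside address (assumed .10);
; the active PIX answers for it after a failover.
ip route 0.0.0.0 0.0.0.0 10.1.100.10

; Loops exist once each closet has an uplink to both cores.
; Make core1 the STP root so the L2 and L3 active paths coincide.
spanning-tree
spanning-tree priority 0
write memory

; ===== core2: new 5406, VRRP backup on every VLAN =====
; Same trunks and VLAN tagging; own addresses; PIX2 inside on C1.
hostname "core2"
ip routing
router vrrp
trunk A1-A2 trk1 lacp
trunk A3-A4 trk2 lacp
trunk B1-B2 trk10 lacp
vlan 10
   name "Closet-1"
   tagged trk1,trk2,trk10
   ip address 10.1.10.2 255.255.255.0
   vrrp vrid 10
      backup
      virtual-ip-address 10.1.10.1 255.255.255.0
      priority 100
      enable
      exit
   exit
; VLANs 20 and 100 follow the same pattern with .2 addresses.
ip route 0.0.0.0 0.0.0.0 10.1.100.10
spanning-tree
spanning-tree priority 1
write memory
```

Two design points worth checking after applying it: keep the VRRP owner and the spanning-tree root on the same core, otherwise traffic from a closet can reach the gateway only by crossing the inter-core trunk; and confirm with `show vrrp` that core2 reports Backup on every VRID and with `show spanning-tree` that the only blocked ports are the closet uplinks toward core2. Pulling core1's power and rerunning both commands is the real test of whether any VLAN gets isolated.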

Mohieddin Kharnoub
Honored Contributor

Re: VRRP for Redundancy on 5400

Hi

For STP, I guess yes, you have to; since you have a redundant link from each edge switch to each core, and from core1 to core2 for VRRP, you need to enable Spanning Tree, but:
all switch-to-switch links must be tagged members of all VLANs, so that in case of failure redundancy is guaranteed.

For the PIX issue, usually in-line firewalls in high-availability (HA) solutions have some configuration to be done in case one link is down, and one link means (Core1 or PIX1) - (Core2 or PIX2), so I suggest you have a look at the PIX configuration in HA designs.

Good Luck !!!
procurvenewbee
Frequent Advisor

Re: VRRP for Redundancy on 5400

Appreciated, folks.

I have to check the licensing of the failover PIX/ASA unit, but if they are identical, then shouldn't I simply connect one PIX to one core and the other to the backup core and then run some kind of routing protocol? The ASA is a kind of router with RIP, OSPF and static route support. I am clear about RIP and static routing but have no knowledge of OSPF. Could you guys suggest whether running routing between the firewalls and the core routers will take care of my issues and, if so, could you suggest the necessary code for the switches? I will find out what it takes on the PIX/ASAs.

Thanks
claramunt_1
Advisor

Re: VRRP for Redundancy on 5400

procurvenewbee,

You have to connect the primary PIX (inside interface) to both core1 and core2 in the same VLAN. Then configure failover between the PIXes. This works fine.
procurvenewbee
Frequent Advisor

Re: VRRP for Redundancy on 5400

But how can you connect a single interface of a PIX to both core switches (unless you use an external hub, which I do not want to use, as it adds another point of failure)? I am sure that if I connect PIX1 to core1 and PIX2 to core2, then because of the trunking between the two cores it should work as if both PIXes are directly connected to the same core.

Thanks anyway.
claramunt_1
Advisor

Re: VRRP for Redundancy on 5400

Yes, with an external hub or switch (two for redundancy) between the PIXes and the cores.
Otherwise, if you only connect core1-PIX1 (primary) and core2-PIX2 with trunking between the cores, then if core1 fails, the primary PIX (PIX1) cannot be reached from core2. The PIXes will not fail over automatically if core1 fails.
procurvenewbee
Frequent Advisor

Re: VRRP for Redundancy on 5400

PIX interfaces need layer 2 connectivity (physical or VLAN) through a hub, a switch VLAN, or two separate switches on the same VLAN segments joined, of course, by an L2 trunk to provide layer 2 connectivity between the same VLAN segments on the two switches. By that logic, the heartbeat pulses will be passed back and forth across all the PIX interfaces. So if core 1 fails, then the core 2 interfaces (or an interface, depending upon the extent of the core 1 failure) will not get the heartbeat and hence PIX2 will become active, and core 2 will also become active because of VRRP. Even if only one of the VLAN interfaces fails, while the WAN VLAN on both core switches (where we have the PIX inside interfaces connected) is still available, then PIX1 will remain active and the failed VLAN will use core 2 (which will become active for that failed VLAN) and then use the L2 trunk between the cores to get back to core 1 and hence to PIX1 connected to core 1.

So I believe it should all work. Otherwise it becomes too expensive to set up. I already have two PIXes in a failover config and I have a core switch. All I now need is to add another core switch to create a fully redundant core and WAN segment. Do you still feel that I am missing something here?

Thanks.