Velocity Reviews - Computer Hardware Reviews

handling hsrp connections from isp
molson8472
06-19-2007
Hi,

I'm setting up a new colocation cabinet, and am trying to implement a
redundant network architecture. If you wouldn't mind taking a look to
see if I'm on the right track:

(1) 2 fast ethernet connections from ISP, each connected to a separate
router, with HSRP failover configured between them. (This is a
multihomed mix of several upstream providers.)
(2) An unmanaged fast ethernet switch for the two ISP connections, and
one connection to each of the firewalls.
(3) Two Cisco ASA 5510 firewalls, with a direct failover link
(crossover cable) between them, connected to the front-end switch on
the outside interfaces, and to internal switches on the internal
interfaces. Each inside interface is connected to one of the internal
switches.
(4) Two HP Procurve 2824 switches. Each one is connected to exactly
one of the firewalls. They also have an 802.1Q trunk connection
between them. I'll configure several VLANs to connect to these
switches. The switches run STP to eliminate loops.
(5) About 12 servers, each with redundant NICs. Each NIC is connected
to one of the Procurve switches.

Failure modes:
-- Server NIC or single port on the Procurve fails: STP on the
Procurves recalculates the tree and the other connection takes over.
-- One of the Procurves fails: The connected firewall will detect a
failure and failover to the backup unit. The other Procurve will use
STP to recalculate the tree and the servers will remain connected via
their secondary NICs.
-- One of the firewalls fails: Failover will be initiated and the
backup firewall will take over. STP will recalculate the tree and
traffic can still flow through the backup firewall.
-- The front-end switch fails: I'm hosed. This is the piece I need
help with. Is it possible to introduce redundancy here? What is the
proper way to aggregate these two connections given that only one of
them is active at any given time?
-- One of the ISP's routers fails: HSRP will kick in and I'll retain
connectivity through the second drop.

Networking is not my specialty, so I'd appreciate your guidance /
feedback.

Thanks,
Matt

Trendkill
06-19-2007
On Jun 18, 9:45 pm, molson8472 <mo8...@gmail.com> wrote:
> Hi,
>
> I'm setting up a new colocation cabinet, and am trying to implement a
> redundant network architecture. If you wouldn't mind taking a look to
> see if I'm on the right track:
>
> (1) 2 fast ethernet connections from ISP, each connected to a separate
> router, with HSRP failover configured between them. (This is a
> multihomed mix of several upstream providers.)
> (2) An unmanaged fast ethernet switch for the two ISP connections, and
> one connection to each of the firewalls.
> (3) Two Cisco ASA 5510 firewalls, with a direct failover link
> (crossover cable) between them, connected to the front-end switch on
> the outside interfaces, and to internal switches on the internal
> interfaces. Each inside interface is connected to one of the internal
> switches.
> (4) Two HP Procurve 2824 switches. Each one is connected to exactly
> one of the firewalls. They also have an 802.1Q trunk connection
> between them. I'll configure several VLANs to connect to these
> switches. The switches run STP to eliminate loops.
> (5) About 12 servers, each with redundant NICs. Each NIC is connected
> to one of the Procurve switches.
>
> Failure modes:
> -- Server NIC or single port on the Procurve fails: STP on the
> Procurves recalculates the tree and the other connection takes over.
> -- One of the Procurves fails: The connected firewall will detect a
> failure and failover to the backup unit. The other Procurve will use
> STP to recalculate the tree and the servers will remain connected via
> their secondary NICs.
> -- One of the firewalls fails: Failover will be initiated and the
> backup firewall will take over. STP will recalculate the tree and
> traffic can still flow through the backup firewall.
> -- The front-end switch fails: I'm hosed. This is the piece I need
> help with. Is it possible to introduce redundancy here? What is the
> proper way to aggregate these two connections given that only one of
> them is active at any given time?
> -- One of the ISPs routers fails: HSRP will kick in and I'll retain
> connectivity through the second drop.
>
> Networking is not my specialty, so I'd appreciate your guidance /
> feedback.
>
> Thanks,
> Matt


Because you only have unmanaged switches for your ISP and Firewall
connections, that is definitely a single point of failure. For true
redundancy here, you need each router (to your ISP) dual homed to a
pair of switches, which then go to the firewalls, which then go back
to your internal core of your network (again at least a pair, and
servers will be dual homed to both). Also, are you seeking load
balancing when everything is working, or this does not matter at this
time? If that is the case, you'll need to think through load
balancing options (at least for traffic going external). Load
balancing traffic back in is a whole different game as it requires
working closely with both providers, but for external, you can run
dynamic routing protocols, have matching static routes, but your
firewalls may introduce additional complexity depending on how they
are being used.

Also, yes HSRP will work for outgoing traffic, but you want to make
sure that both providers or connections are both advertising your
external IP ranges into BGP, or a downed internet router may still
result in an outage (traffic can get out, but not back in).

molson8472
06-19-2007
On Jun 19, 4:19 am, Trendkill <jpma...@gmail.com> wrote:
>
> Because you only have unmanaged switches for your ISP and Firewall
> connections, that is definitely a single point of failure. For true
> redundancy here, you need each router (to your ISP) dual homed to a
> pair of switches, which then go to the firewalls, which then go back
> to your internal core of your network (again at least a pair, and
> servers will be dual homed to both). Also, are you seeking load
> balancing when everything is working, or this does not matter at this
> time? If that is the case, you'll need to think through load
> balancing options (at least for traffic going external). Load
> Balancing traffic back in is a whole different game as it requires
> working closely with both providers, but for external, you can run
> dynamic routing protocols, have matching static routes, but your
> firewalls may introduce additional complexity depending on how they
> are being used.
>
> Also, yes HSRP will work for outgoing traffic, but you want to make
> sure that both providers or connections are both advertising your
> external IP ranges into BGP, or a downed internet router may still
> result in an outage (traffic can get out, but not back in).


I've got two connections to the same ISP (connected to two of their
routers), with HSRP running on their routers. And yes, they are
advertising my IPs with BGP further out into the core.

Load balancing across connections is not a concern here -- I am just
looking for redundancy and no single points of failure.

I think that with the combination of the ASA failover mechanism, STP
on the interior switches, and dual homing of the servers to separate
switches, I have full redundancy and automatic failover for the
firewalls and everything inside the firewalls.

But the question is dealing with the two HSRP connections from the
ISP. If I put two switches outside the firewalls, and connect each of
the ISP connections to one, and connect them to each other, I think
I'd be OK. In the case of one of the outside switches failing, the ISP
routers should detect the failure because they will no longer be able
to send HSRP messages on the local segment, triggering an HSRP
failover. At the same time, my primary firewall should detect a
failure and failover to the secondary firewall since it will be
connected to the second ISP connection. Does that sound right?

I've posted a diagram just to be as clear as possible. Please poke as
many holes as you can in this setup and let me know if I'm on the
right track for full redundancy and no single points of failure (aside
from my upstream ISP). I'd like to find out now before buying a bunch
of equipment.
http://rubycloud.com/images/network.jpg

Thanks,
Matt
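To check the "no single point of failure" claim mechanically rather than by eye, here is an added example in Python (it is not from the thread and not Matt's diagram). It models the cabinet as an undirected graph with the ISP as source and the dual-homed servers as sink, removes one node at a time, and reports every node whose loss disconnects the two. Connectivity is judged as it looks after HSRP, ASA failover and STP have converged, so a standby path counts as a path. Node names are invented labels for the devices in the posts, and the `shared` mapping goes beyond the posts: it lets you model a common dependency such as one PDU feeding both outside switches, which is the kind of hidden single point of failure a diagram does not show.

```python
"""Single-point-of-failure check for a small colocation topology (added example)."""
from collections import deque

SOURCE, SINK = "isp", "servers"

# Constructed topology from the first post: one unmanaged front-end switch.
ORIGINAL = [
    ("isp", "rtr1"), ("isp", "rtr2"),                    # two ISP drops, HSRP on rtr1/rtr2
    ("rtr1", "fe-switch"), ("rtr2", "fe-switch"),
    ("fe-switch", "asa1"), ("fe-switch", "asa2"),        # both ASA outside interfaces
    ("asa1", "procurve1"), ("asa2", "procurve2"),        # one inside interface per switch
    ("procurve1", "procurve2"),                          # 802.1Q trunk, STP blocks the loop
    ("procurve1", "servers"), ("procurve2", "servers"),  # dual-homed server NICs
]

# Constructed revised topology from the follow-up post: two outside switches, linked.
REVISED = [e for e in ORIGINAL if "fe-switch" not in e] + [
    ("rtr1", "fe-a"), ("rtr2", "fe-b"), ("fe-a", "fe-b"),
    ("fe-a", "asa1"), ("fe-b", "asa2"),
]


def adjacency(edges):
    """Build an undirected adjacency map from an edge list."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def connected(adj, removed, src=SOURCE, dst=SINK):
    """Breadth-first search from src to dst, ignoring every node in `removed`."""
    if src in removed or dst in removed:
        return False
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in adj.get(node, ()):
            if nxt not in seen and nxt not in removed:
                seen.add(nxt)
                queue.append(nxt)
    return False


def single_points_of_failure(edges, shared=None):
    """Return sorted names whose individual loss cuts the servers off from the ISP.

    `shared` maps a common dependency (hypothetical, e.g. a PDU name) to the set
    of nodes that depend on it; losing the dependency removes all of them at once.
    """
    adj = adjacency(edges)
    candidates = {n: {n} for n in adj if n not in (SOURCE, SINK)}
    candidates.update(shared or {})
    return sorted(name for name, gone in candidates.items()
                  if not connected(adj, gone))


if __name__ == "__main__":
    print("original design:", single_points_of_failure(ORIGINAL))
    print("revised design: ", single_points_of_failure(REVISED))
    # Constructed: both outside switches hang off the same power strip.
    print("revised, shared PDU:",
          single_points_of_failure(REVISED, {"pdu-1": {"fe-a", "fe-b"}}))
```

The original design reports the front-end switch as the only single point of failure, the revised design reports none, and the shared-PDU variant reports the PDU, which is the same topology failing for a reason the wiring diagram never shows. The ASA failover cable is deliberately not an edge, since it carries state, not user traffic.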
dman1973
06-20-2007
On Jun 19, 2:54 pm, molson8472 <mo8...@gmail.com> wrote:
> On Jun 19, 4:19 am, Trendkill <jpma...@gmail.com> wrote:
>
> > Because you only have unmanaged switches for your ISP and Firewall
> > connections, that is definitely a single point of failure. For true
> > redundancy here, you need each router (to your ISP) dual homed to a
> > pair of switches, which then go to the firewalls, which then go back
> > to your internal core of your network (again at least a pair, and
> > servers will be dual homed to both). Also, are you seeking load
> > balancing when everything is working, or this does not matter at this
> > time? If that is the case, you'll need to think through load
> > balancing options (at least for traffic going external). Load
> > Balancing traffic back in is a whole different game as it requires
> > working closely with both providers, but for external, you can run
> > dynamic routing protocols, have matching static routes, but your
> > firewalls may introduce additional complexity depending on how they
> > are being used.
>
> > Also, yes HSRP will work for outgoing traffic, but you want to make
> > sure that both providers or connections are both advertising your
> > external IP ranges into BGP, or a downed internet router may still
> > result in an outage (traffic can get out, but not back in).
>
> I've got two connections to the same ISP (connected to two of their
> routers), with HSRP running on their routers. And yes, they are
> advertising my IPs with BGP further out into the core.
>
> Load balancing across connections is not a concern here -- I am just
> looking for redundancy and no single points of failure.
>
> I think that with the combination of the ASA failover mechanism, STP
> on the interior switches, and dual homing of the servers to separate
> switches, I have full redundancy and automatic failover for the
> firewalls and everything inside the firewalls.
>
> But the question is dealing with the two HSRP connections from the
> ISP. If I put two switches outside the firewalls, and connect each of
> the ISP connections to one, and connect them to each other, I think
> I'd be OK. In the case of one of the outside switches failing, the ISP
> routers should detect the failure because they will no longer be able
> to send HSRP messages on the local segment, triggering an HSRP
> failover. At the same time, my primary firewall should detect a
> failure and failover to the secondary firewall since it will be
> connected to the second ISP connection. Does that sound right?
>
> I've posted a diagram just to be as clear as possible. Please poke as
> many holes as you can in this setup and let me know if I'm on the
> right track for full redundancy and no single points of failure (aside
> from my upstream ISP). I'd like to find out now before buying a bunch
> of equipment. http://rubycloud.com/images/network.jpg
>
> Thanks,
> Matt


You mentioned:

>In the case of one of the outside switches failing, the ISP
> routers should detect the failure because they will no longer be able
> to send HSRP messages on the local segment, triggering an HSRP
> failover. At the same time, my primary firewall should detect a
> failure and failover to the secondary firewall since it will be
> connected to the second ISP connection. Does that sound right?


So if the ISP has 2 routers, and they simply plug into your switches,
then I don't see a technical reason that you need to run STP. I don't
see a loop formed in any case. So, unmanaged switches should work.
On the other hand, managed switches are probably important to you, if
you want to poll these switches via an NMS system to detect failures,
etc. So if 1 switch dies, and you don't know about it, you now have a
single point of failure!

STP is required for each VLAN on your internal switches. I'd set the
STP root to be the left hand switches (as well as HSRP active).

-Dan
http://ccie-lounge.blogspot.com

Vincent C Jones
06-21-2007
molson8472 wrote:
>
> I've got two connections to the same ISP (connected to two of their
> routers), with HSRP running on their routers. And yes, they are
> advertising my IPs with BGP further out into the core.
>
> Load balancing across connections is not a concern here -- I am just
> looking for redundancy and no single points of failure.
>
> I think that with the combination of the ASA failover mechanism, STP
> on the interior switches, and dual homing of the servers to separate
> switches, I have full redundancy and automatic failover for the
> firewalls and everything inside the firewalls.
>
> But the question is dealing with the two HSRP connections from the
> ISP. If I put two switches outside the firewalls, and connect each of
> the ISP connections to one, and connect them to each other, I think
> I'd be OK. In the case of one of the outside switches failing, the ISP
> routers should detect the failure because they will no longer be able
> to send HSRP messages on the local segment, triggering an HSRP
> failover. At the same time, my primary firewall should detect a
> failure and failover to the secondary firewall since it will be
> connected to the second ISP connection. Does that sound right?
>
> I've posted a diagram just to be as clear as possible. Please poke as
> many holes as you can in this setup and let me know if I'm on the
> right track for full redundancy and no single points of failure (aside
> from my upstream ISP). I'd like to find out now before buying a bunch
> of equipment.
> http://rubycloud.com/images/network.jpg
>
> Thanks,
> Matt


Your explanation is good... as far as it goes. Here are some general holes
you have not covered:

Effective redundancy requires three things: the ability to detect failure,
the ability to do something to get around detected failures, and enough
diversity so that whatever causes the first failure does not also cause the
alternate mode to fail (think cables in a bundle or common power source).

IP communications requires the redundancy to work bidirectionally. That is,
not only do you need to properly reroute outbound packets, but also the
responses to those packets. HSRP only handles getting packets from your
firewall to your ISP, and not necessarily even that much. Are there any
switches between your switches and the ISP's routers? How does the ISP
detect failure of a link between one of its routers and your switch (not
just for HSRP but also for sending traffic to you)? Hint--do not assume
that link problems will cause the Ethernet interface to go down...that only
happens most of the time.

Maintaining high availability also requires continuous vigilance (network
monitoring and management). It does not help you long term if you have no
mechanism to detect that you have failed over and are running on backup.
You will need to determine just how much availability you really need and
how much you are willing to pay for if you can get it. If all you want is a
pretty picture to impress clients, you're done. If you really care about
high availability, you've only just begun to scratch the surface.

Good luck and have fun!
--
Vincent C Jones, Consultant
Networking Unlimited, Inc.
Tenafly, NJ   Phone: 201 568-7810
http://www.networkingunlimited.com
Expert advice and a helping hand for those who want to manage and control their networking destiny
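Dan's point that an unnoticed dead switch is a single point of failure, and Vincent's that you need a mechanism to detect you are running on backup, both come down to polling the redundant pair and alarming on its state. The following added example (not from the thread, and not Cisco's code) parses the text of the ASA `show failover` command and returns alerts when failover is off, when the unit that should be active is not, when no unit is left in Standby Ready, or when the failover link is down. The sample outputs are constructed to approximate the command's format and were not captured from a device; `expected_active` and the alert wording are this example's own choices.

```python
"""Alert on ASA failover-pair state from `show failover` text (added example)."""
import re

# Constructed samples approximating ASA `show failover` output, not real captures.
HEALTHY = """Failover On
Failover unit Primary
Failover LAN Interface: folink Ethernet0/3 (up)
Last Failover at: 10:22:14 UTC Jun 20 2007
        This host: Primary - Active
        Other host: Secondary - Standby Ready
"""

FAILED_OVER = """Failover On
Failover unit Primary
Failover LAN Interface: folink Ethernet0/3 (up)
Last Failover at: 03:41:09 UTC Jun 21 2007
        This host: Primary - Standby Ready
        Other host: Secondary - Active
"""

MATE_LOST = """Failover On
Failover unit Primary
Failover LAN Interface: folink Ethernet0/3 (down)
Last Failover at: 03:41:09 UTC Jun 21 2007
        This host: Primary - Active
        Other host: Secondary - Failed
"""

FIELDS = {
    "enabled": re.compile(r"^Failover (On|Off)", re.M),
    "this": re.compile(r"This host:\s+(Primary|Secondary) - (.+?)\s*$", re.M),
    "other": re.compile(r"Other host:\s+(Primary|Secondary) - (.+?)\s*$", re.M),
    "lan": re.compile(r"Failover LAN Interface:.*\((up|down)\)", re.M),
}


def parse_failover(text):
    """Extract the few fields the monitor needs into a plain dict."""
    state = {}
    m = FIELDS["enabled"].search(text)
    state["enabled"] = bool(m) and m.group(1) == "On"
    for key in ("this", "other"):
        m = FIELDS[key].search(text)
        state[key] = (m.group(1), m.group(2)) if m else (None, None)
    m = FIELDS["lan"].search(text)
    state["lan_up"] = bool(m) and m.group(1) == "up"
    return state


def failover_alerts(text, expected_active="Primary"):
    """Return a list of alert strings; an empty list means the pair is healthy."""
    s = parse_failover(text)
    if not s["enabled"]:
        return ["failover is Off: no redundancy"]
    alerts = []
    states = dict([s["this"], s["other"]])          # unit role -> reported state
    active = [unit for unit, st in states.items() if st == "Active"]
    if active != [expected_active]:
        # Traffic still flows, but you are now on the backup with no spare.
        alerts.append(f"running on backup: active unit is {', '.join(active) or 'none'}")
    if not any(st == "Standby Ready" for st in states.values()):
        alerts.append("no unit in Standby Ready: the next failure is an outage")
    if not s["lan_up"]:
        alerts.append("failover LAN link down")
    return alerts


if __name__ == "__main__":
    for name, sample in (("healthy", HEALTHY), ("failed over", FAILED_OVER), ("mate lost", MATE_LOST)):
        print(f"{name}: {failover_alerts(sample) or 'OK'}")
```

In practice the text would come from an SSH or SNMP poller on a schedule; the point of the check is that a pair that has quietly failed over looks identical to a healthy one from the outside, so the alarm has to come from the device's own state, not from a ping.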