Handling HSRP connections from ISP

Discussion in 'Cisco' started by molson8472, Jun 19, 2007.

  1. molson8472

    molson8472 Guest

    Hi,

    I'm setting up a new colocation cabinet, and am trying to implement a
    redundant network architecture. If you wouldn't mind taking a look to
    see if I'm on the right track:

    (1) 2 fast ethernet connections from ISP, each connected to a separate
    router, with HSRP failover configured between them. (This is a
    multihomed mix of several upstream providers.)
    (2) An unmanaged fast ethernet switch for the two ISP connections, and
    one connection to each of the firewalls.
    (3) Two Cisco ASA 5510 firewalls, with a direct failover link
    (crossover cable) between them, connected to the front-end switch on
    the outside interfaces, and to internal switches on the internal
    interfaces. Each inside interface is connected to one of the internal
    switches.
    (4) Two HP Procurve 2824 switches. Each one is connected to exactly
    one of the firewalls. They also have an 802.1Q trunk connection
    between them. I'll configure several VLANs to connect to these
    switches. The switches run STP to eliminate loops.
    (5) About 12 servers, each with redundant NICs. Each NIC is connected
    to one of the Procurve switches.

    Failure modes:
    -- Server NIC or single port on the Procurve fails: STP on the
    Procurves recalculates the tree and the other connection takes over.
    -- One of the Procurves fails: The connected firewall will detect a
    failure and failover to the backup unit. The other Procurve will use
    STP to recalculate the tree and the servers will remain connected via
    their secondary NICs.
    -- One of the firewalls fails: Failover will be initiated and the
    backup firewall will take over. STP will recalculate the tree and
    traffic can still flow through the backup firewall.
    -- The front-end switch fails: I'm hosed. This is the piece I need
    help with. Is it possible to introduce redundancy here? What is the
    proper way to aggregate these two connections given that only one of
    them is active at any given time?
    -- One of the ISP's routers fails: HSRP will kick in and I'll retain
    connectivity through the second drop.

    Networking is not my specialty, so I'd appreciate your guidance /
    feedback.

    Thanks,
    Matt
    molson8472, Jun 19, 2007
    #1

  2. Trendkill

    Trendkill Guest

    On Jun 18, 9:45 pm, molson8472 <> wrote:
    > Hi,
    >
    > I'm setting up a new colocation cabinet, and am trying to implement a
    > redundant network architecture. If you wouldn't mind taking a look to
    > see if I'm on the right track:
    >
    > (1) 2 fast ethernet connections from ISP, each connected to a separate
    > router, with HSRP failover configured between them. (This is a
    > multihomed mix of several upstream providers.)
    > (2) An unmanaged fast ethernet switch for the two ISP connections, and
    > one connection to each of the firewalls.
    > (3) Two Cisco ASA 5510 firewalls, with a direct failover link
    > (crossover cable) between them, connected to the front-end switch on
    > the outside interfaces, and to internal switches on the internal
    > interfaces. Each inside interface is connected to one of the internal
    > switches.
    > (4) Two HP Procurve 2824 switches. Each one is connected to exactly
    > one of the firewalls. They also have an 802.1Q trunk connection
    > between them. I'll configure several VLANs to connect to these
    > switches. The switches run STP to eliminate loops.
    > (5) About 12 servers, each with redundant NICs. Each NIC is connected
    > to one of the Procurve switches.
    >
    > Failure modes:
    > -- Server NIC or single port on the Procurve fails: STP on the
    > Procurves recalculates the tree and the other connection takes over.
    > -- One of the Procurves fails: The connected firewall will detect a
    > failure and failover to the backup unit. The other Procurve will use
    > STP to recalculate the tree and the servers will remain connected via
    > their secondary NICs.
    > -- One of the firewalls fails: Failover will be initiated and the
    > backup firewall will take over. STP will recalculate the tree and
    > traffic can still flow through the backup firewall.
    > -- The front-end switch fails: I'm hosed. This is the piece I need
    > help with. Is it possible to introduce redundancy here? What is the
    > proper way to aggregate these two connections given that only one of
    > them is active at any given time?
    > -- One of the ISP's routers fails: HSRP will kick in and I'll retain
    > connectivity through the second drop.
    >
    > Networking is not my specialty, so I'd appreciate your guidance /
    > feedback.
    >
    > Thanks,
    > Matt


    Because you only have unmanaged switches for your ISP and Firewall
    connections, that is definitely a single point of failure. For true
    redundancy here, you need each router (to your ISP) dual homed to a
    pair of switches, which then go to the firewalls, which then go back
    to your internal core of your network (again at least a pair, and
    servers will be dual homed to both). Also, are you seeking load
    balancing when everything is working, or does this not matter at this
    time? If that is the case, you'll need to think through load
    balancing options (at least for traffic going external). Load
    balancing traffic back in is a whole different game as it requires
    working closely with both providers, but for external, you can run
    dynamic routing protocols, have matching static routes, but your
    firewalls may introduce additional complexity depending on how they
    are being used.

    Also, yes HSRP will work for outgoing traffic, but you want to make
    sure that both providers or connections are both advertising your
    external IP ranges into BGP, or a downed internet router may still
    result in an outage (traffic can get out, but not back in).
    Trendkill, Jun 19, 2007
    #2

  3. molson8472

    molson8472 Guest

    On Jun 19, 4:19 am, Trendkill <> wrote:
    >
    > Because you only have unmanaged switches for your ISP and Firewall
    > connections, that is definitely a single point of failure. For true
    > redundancy here, you need each router (to your ISP) dual homed to a
    > pair of switches, which then go to the firewalls, which then go back
    > to your internal core of your network (again at least a pair, and
    > servers will be dual homed to both). Also, are you seeking load
    > balancing when everything is working, or does this not matter at this
    > time? If that is the case, you'll need to think through load
    > balancing options (at least for traffic going external). Load
    > balancing traffic back in is a whole different game as it requires
    > working closely with both providers, but for external, you can run
    > dynamic routing protocols, have matching static routes, but your
    > firewalls may introduce additional complexity depending on how they
    > are being used.
    >
    > Also, yes HSRP will work for outgoing traffic, but you want to make
    > sure that both providers or connections are both advertising your
    > external IP ranges into BGP, or a downed internet router may still
    > result in an outage (traffic can get out, but not back in).


    I've got two connections to the same ISP (connected to two of their
    routers), with HSRP running on their routers. And yes, they are
    advertising my IPs with BGP further out into the core.

    Load balancing across connections is not a concern here -- I am just
    looking for redundancy and no single points of failure.

    I think that with the combination of the ASA failover mechanism, STP
    on the interior switches, and dual homing of the servers to separate
    switches, I have full redundancy and automatic failover for the
    firewalls and everything inside the firewalls.

    But the question is dealing with the two HSRP connections from the
    ISP. If I put two switches outside the firewalls, and connect each of
    the ISP connections to one, and connect them to each other, I think
    I'd be OK. In the case of one of the outside switches failing, the ISP
    routers should detect the failure because they will no longer be able
    to send HSRP messages on the local segment, triggering an HSRP
    failover. At the same time, my primary firewall should detect a
    failure and failover to the secondary firewall since it will be
    connected to the second ISP connection. Does that sound right?

    I've posted a diagram just to be as clear as possible. Please poke as
    many holes as you can in this setup and let me know if I'm on the
    right track for full redundancy and no single points of failure (aside
    from my upstream ISP). I'd like to find out now before buying a bunch
    of equipment. :)
    http://rubycloud.com/images/network.jpg

    Thanks,
    Matt
    molson8472, Jun 19, 2007
    #3
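    As an added example (not part of this thread and not from any of the posters): a small Python model of the two designs discussed above, the post #1 layout with one unmanaged front-end switch and the post #3 layout with two interconnected outside switches. It treats the physical data path as an undirected graph, removes each device in turn and reports which devices are single points of failure for the servers' path to the ISP. The node names (isp_core, isp_rtr1, fe_sw, asa1, pc_sw1, srv1 and so on) are labels chosen for this example, and the upstream ISP is modelled as one node because the poster accepts it as a SPOF.

```python
"""Single-point-of-failure check for the colocation design discussed in this thread.

Constructed example: node names (isp_core, isp_rtr1, fe_sw, asa1, pc_sw1, srv1 ...)
are labels chosen here, not device names from the thread. Only the data path is
modelled; the ASA failover crossover cable and the STP/HSRP control protocols
are represented by the assumption that a surviving device can carry traffic.
"""
from collections import deque

SERVERS = [f"srv{i}" for i in range(1, 13)]   # "about 12 servers", dual-homed
UPSTREAM = "isp_core"                          # the one SPOF the poster accepts


def build_topology(outside_switches):
    """Return an undirected adjacency map of the physical data path.

    outside_switches=1 models post #1 (one unmanaged front-end switch between
    the ISP drops and the ASAs); outside_switches=2 models post #3 (one
    outside switch per ISP drop, the two switches linked to each other).
    """
    edges = [
        (UPSTREAM, "isp_rtr1"), (UPSTREAM, "isp_rtr2"),   # the ISP's HSRP pair
        ("asa1", "pc_sw1"), ("asa2", "pc_sw2"),            # each ASA inside port to one ProCurve
        ("pc_sw1", "pc_sw2"),                              # 802.1Q trunk between ProCurves
    ]
    if outside_switches == 1:
        edges += [("isp_rtr1", "fe_sw"), ("isp_rtr2", "fe_sw"),
                  ("fe_sw", "asa1"), ("fe_sw", "asa2")]
    elif outside_switches == 2:
        edges += [("isp_rtr1", "out_sw1"), ("isp_rtr2", "out_sw2"),
                  ("out_sw1", "out_sw2"),
                  ("out_sw1", "asa1"), ("out_sw2", "asa2")]
    else:
        raise ValueError("outside_switches must be 1 or 2")
    for srv in SERVERS:                                    # redundant NICs, one per ProCurve
        edges += [(srv, "pc_sw1"), (srv, "pc_sw2")]
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def reachable(adj, src, dst, failed=frozenset()):
    """Breadth-first search that refuses to traverse failed nodes."""
    if src in failed or dst in failed:
        return False
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in adj[node]:
            if nxt not in seen and nxt not in failed:
                seen.add(nxt)
                queue.append(nxt)
    return False


def isolated_servers(adj, failed, servers=SERVERS, upstream=UPSTREAM):
    """Servers that lose their path to the upstream when the `failed` nodes die together."""
    failed = frozenset(failed)
    return [s for s in servers if not reachable(adj, s, upstream, failed)]


def single_points_of_failure(adj, servers=SERVERS, upstream=UPSTREAM):
    """Every non-server, non-upstream node whose loss alone cuts some server off."""
    candidates = sorted(n for n in adj if n != upstream and n not in servers)
    return [n for n in candidates if isolated_servers(adj, {n}, servers, upstream)]


if __name__ == "__main__":
    for n in (1, 2):
        topo = build_topology(n)
        print(f"design with {n} outside switch(es): SPOFs = {single_points_of_failure(topo)}")
    # Correlated failure: two devices on the same power feed or cable bundle die together.
    lost = isolated_servers(build_topology(2), {"out_sw1", "pc_sw2"})
    print(f"out_sw1 + pc_sw2 lost together: {len(lost)} servers isolated")
```

    The one-switch design reports fe_sw as the only SPOF and the two-switch design reports none, which matches the reasoning in the thread. The correlated-failure call is there because a SPOF list only covers one device dying at a time: out_sw1 and pc_sw2 sit on opposite sides of the firewalls, yet losing both together isolates every server, so the diversity of power and cabling between the two halves matters as much as the device count. The model says nothing about detection, which is a separate question: a link that degrades without taking the Ethernet interface down still shows as "up" here and to HSRP.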
  4. dman1973

    dman1973 Guest

    On Jun 19, 2:54 pm, molson8472 <> wrote:
    > On Jun 19, 4:19 am, Trendkill <> wrote:
    >
    > > Because you only have unmanaged switches for your ISP and Firewall
    > > connections, that is definitely a single point of failure. For true
    > > redundancy here, you need each router (to your ISP) dual homed to a
    > > pair of switches, which then go to the firewalls, which then go back
    > > to your internal core of your network (again at least a pair, and
    > > servers will be dual homed to both). Also, are you seeking load
    > > balancing when everything is working, or does this not matter at this
    > > time? If that is the case, you'll need to think through load
    > > balancing options (at least for traffic going external). Load
    > > balancing traffic back in is a whole different game as it requires
    > > working closely with both providers, but for external, you can run
    > > dynamic routing protocols, have matching static routes, but your
    > > firewalls may introduce additional complexity depending on how they
    > > are being used.
    >
    > > Also, yes HSRP will work for outgoing traffic, but you want to make
    > > sure that both providers or connections are both advertising your
    > > external IP ranges into BGP, or a downed internet router may still
    > > result in an outage (traffic can get out, but not back in).
    >
    > I've got two connections to the same ISP (connected to two of their
    > routers), with HSRP running on their routers. And yes, they are
    > advertising my IPs with BGP further out into the core.
    >
    > Load balancing across connections is not a concern here -- I am just
    > looking for redundancy and no single points of failure.
    >
    > I think that with the combination of the ASA failover mechanism, STP
    > on the interior switches, and dual homing of the servers to separate
    > switches, I have full redundancy and automatic failover for the
    > firewalls and everything inside the firewalls.
    >
    > But the question is dealing with the two HSRP connections from the
    > ISP. If I put two switches outside the firewalls, and connect each of
    > the ISP connections to one, and connect them to each other, I think
    > I'd be OK. In the case of one of the outside switches failing, the ISP
    > routers should detect the failure because they will no longer be able
    > to send HSRP messages on the local segment, triggering an HSRP
    > failover. At the same time, my primary firewall should detect a
    > failure and failover to the secondary firewall since it will be
    > connected to the second ISP connection. Does that sound right?
    >
    > I've posted a diagram just to be as clear as possible. Please poke as
    > many holes as you can in this setup and let me know if I'm on the
    > right track for full redundancy and no single points of failure (aside
    > from my upstream ISP). I'd like to find out now before buying a bunch
    > of equipment. :)
    > http://rubycloud.com/images/network.jpg
    >
    > Thanks,
    > Matt


    You mentioned:

    > In the case of one of the outside switches failing, the ISP
    > routers should detect the failure because they will no longer be able
    > to send HSRP messages on the local segment, triggering an HSRP
    > failover. At the same time, my primary firewall should detect a
    > failure and failover to the secondary firewall since it will be
    > connected to the second ISP connection. Does that sound right?


    So if the ISP has 2 routers, and they simply plug into your switches,
    then I don't see a technical reason that you need to run STP. I don't
    see a loop formed in any case. So, unmanaged switches should work.
    On the other hand, managed switches are probably important to you, if
    you want to poll these switches via an NMS system to detect failures,
    etc. So if 1 switch dies, and you don't know about it, you now have a
    single point of failure!

    STP is required for each VLAN on your internal switches. I'd set the
    STP root to be the left-hand switches (as well as HSRP active).

    -Dan
    http://ccie-lounge.blogspot.com
    dman1973, Jun 20, 2007
    #4
  5. Vincent C Jones

    molson8472 wrote:
    >
    > I've got two connections to the same ISP (connected to two of their
    > routers), with HSRP running on their routers. And yes, they are
    > advertising my IPs with BGP further out into the core.
    >
    > Load balancing across connections is not a concern here -- I am just
    > looking for redundancy and no single points of failure.
    >
    > I think that with the combination of the ASA failover mechanism, STP
    > on the interior switches, and dual homing of the servers to separate
    > switches, I have full redundancy and automatic failover for the
    > firewalls and everything inside the firewalls.
    >
    > But the question is dealing with the two HSRP connections from the
    > ISP. If I put two switches outside the firewalls, and connect each of
    > the ISP connections to one, and connect them to each other, I think
    > I'd be OK. In the case of one of the outside switches failing, the ISP
    > routers should detect the failure because they will no longer be able
    > to send HSRP messages on the local segment, triggering an HSRP
    > failover. At the same time, my primary firewall should detect a
    > failure and failover to the secondary firewall since it will be
    > connected to the second ISP connection. Does that sound right?
    >
    > I've posted a diagram just to be as clear as possible. Please poke as
    > many holes as you can in this setup and let me know if I'm on the
    > right track for full redundancy and no single points of failure (aside
    > from my upstream ISP). I'd like to find out now before buying a bunch
    > of equipment. :)
    > http://rubycloud.com/images/network.jpg
    >
    > Thanks,
    > Matt


    Your explanation is good... as far as it goes. Here are some general holes
    you have not covered:

    Effective redundancy requires three things: the ability to detect failure,
    the ability to do something to get around detected failures, and enough
    diversity so that whatever causes the first failure does not also cause the
    alternate mode to fail (think cables in a bundle or common power source).

    IP communication requires the redundancy to work bidirectionally. That is,
    not only do you need to properly reroute outbound packets, but also the
    responses to those packets. HSRP only handles getting packets from your
    firewall to your ISP, and not necessarily even that much. Are there any
    switches between your switches and the ISP's routers? How does the ISP
    detect failure of a link between one of its routers and your switch (not
    just for HSRP but also for sending traffic to you)? Hint: do not assume
    that link problems will cause the Ethernet interface to go down... that only
    happens most of the time.

    Maintaining high availability also requires continuous vigilance (network
    monitoring and management). It does not help you long term if you have no
    mechanism to detect that you have failed over and are running on backup.
    You will need to determine just how much availability you really need and
    how much you are willing to pay for if you can get it. If all you want is a
    pretty picture to impress clients, you're done. If you really care about
    high availability, you've only just begun to scratch the surface.

    Good luck and have fun!
    --
    Vincent C Jones, Consultant
    Networking Unlimited, Inc.
    Tenafly, NJ  Phone: 201 568-7810
    http://www.networkingunlimited.com
    Expert advice and a helping hand for those who want to manage and
    control their networking destiny
    Vincent C Jones, Jun 21, 2007
    #5
