Two ethernet ports on 2600 to same vlan

Discussion in 'Cisco' started by Dan Jenkins, Feb 17, 2004.

  1. Dan Jenkins

    Dan Jenkins Guest

    Hello all,
    I'm hoping someone can help me with this. I have a situation where we
    are putting a pair of firewalls to protect a site from a managed
    global WAN. There is only 1 WAN router (single point of failure) but
    it has two ethernet interfaces. To implement a fully resilient
    firewall infrastructure I need to place two switches between the
    firewalls and this router. I'll link them with a trunk and patch the
    'outside' firewall interfaces to each switch (i.e. fw1 to switch 1 and
    fw2 to switch 2).
    Now, I know that the router is a spof but want to use the two lan
    ports to connect to both switches, so in the case of a switch failure
    we don't lose router connectivity completely and have to move the
    patch physically. So I need to do some kind of 'backup interface' on
    the ethernet side. Is this possible? I can only find details on
    backup interfaces related to DDR and Serial lines. Has anyone done
    this?
    I remember that years ago with Bay routers you could assign two phys
    interfaces to the single logical ip interface which would suit me
    down to the ground here.
    Any help would be much appreciated. TIA.
    Dan
    Dan Jenkins, Feb 17, 2004
    #1

  2. mark v.

    mark v. Guest


    I used IRB to put the same address and vlan on two ports. Read up on
    it. It goes something like this.
    Create bridge group, assign both ports to bridge group, assign ip
    address to bridge group. It's been a while so I may be less than 100%
    accurate.
    Cheers
    mark v., Feb 17, 2004
    #2
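The bridge-group procedure described above, written out as an added example configuration for a Cisco 2600 running IOS with IRB; this is not configuration from the thread, and the interface names (FastEthernet0/0, FastEthernet0/1) and the outside subnet (documentation prefix 192.0.2.0/24) are assumed:

```cisco
! Added example, not from the thread. Assumed interface names and the
! documentation prefix 192.0.2.0/24 as the outside subnet.
!
! Enable integrated routing and bridging, run IEEE spanning tree on the
! bridge group, and route IP for it (other protocols stay bridged only).
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
! Both physical ports join bridge group 1 and carry no IP address of
! their own; the address lives on the virtual interface below.
interface FastEthernet0/0
 description To outside switch 1
 no ip address
 bridge-group 1
!
interface FastEthernet0/1
 description To outside switch 2
 no ip address
 bridge-group 1
!
! The Bridge-Group Virtual Interface holds the single logical IP that the
! firewalls use as their outside next hop; it stays up while at least one
! member port is up, so losing one switch does not take the address down.
interface BVI1
 ip address 192.0.2.1 255.255.255.0
```

Because the two switches are trunked together, the router's two ports close a layer 2 loop; with `bridge 1 protocol ieee` the router takes part in spanning tree and keeps one port blocking until the forwarding one goes down, which you can confirm with `show spanning-tree 1` and `show bridge 1`.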

  3. Dan Jenkins

    Dan Jenkins Guest

    Thanks linuxmanvan. I'm delving into cisco.com for irb info now.
    rgds
    Dan

    Dan Jenkins, Feb 18, 2004
    #3
  4. Vincent C Jones

    Vincent C Jones Guest


    Backup interface will not work (consider that if the Ethernet I/F on
    the firewall fails, the path is dead but the router's Ethernet I/F
    is still UP/UP).

    While IRB is one approach, a cleaner approach (and one that won't
    consume your WAN router's CPU) is to assign each interface a unique IP
    subnet, and treat each firewall - switch - WAN router combination
    as a unique path to the outside. I have done this with two routers
    inside the firewalls and two routers outside the firewalls, but there
    is no reason you could not use the same approach with only one router
    outside the firewall (although you then wind up with only two paths
    instead of four). See the white paper "Configuration for Transparently
    Redundant Firewalls" on my web site (or Chapter 9 of my book for all
    the gory details).

    Warning Note: While it may be tempting to use GRE tunnels through
    the firewalls to support simple routing, doing so short circuits any
    security provided by the firewalls.

    Good luck and have fun!
    --
    Vincent C Jones, Consultant
    Networking Unlimited, Inc.
    Tenafly, NJ Phone: 201 568-7810
    http://www.networkingunlimited.com
    Expert advice and a helping hand for those who want to manage and
    control their networking destiny
    Vincent C Jones, Feb 19, 2004
    #4