Failover with two switches ..

Hi,

I have two switches (a 2950 and a slightly older one I think), I've a small LAN behind two 515e's (in failover mode). I'd really like to get some redundancy out of the two switches .. I've only got 4 machines behind them, so plenty of spare ports, I was thinking of having some spare ports on the machines failover in case of switch failure .. however, I use one of the switches between the firewalls and my co-lo's provided port ..

Network is like this :

[ Co Lo Port ] | [ Switch 1 ] | [ 2 x 515e ] | [ Switch 2 ] | [ Client Machines ]

The 515e's have 6 ports, three are used (in, out and failover) .. what I'd like is for the client machines to be able to route out via switch 1 (back through the 515's) in case Switch 2 failed. And vice versa.

All the clients run solaris 10, and have dual port ethernet.

Is this feasible?

Regards,

Dan

Reply to
Danny

I have two switches (a 2950 and a slightly older one I think), I've a small LAN behind two 515e's (in failover mode). I'd really like to get some redundancy out of the two switches .. I've only got 4 machine behind them, so plenty of spare ports, I was thinking of having some spare ports on the machines failover in case of switch failure .. however, I use one of the switches between the firewalls and my co-lo's provided port ..

All the clients run solaris 10, and have dual port ethernet.

Is this feasible?

Yes, set up the NIC failover for the hosts, and each switch gets two vlans. One "inside" vlan and one "outside" vlan. Hosts connect to the inside vlan along with the PIX inside interfaces. The firewalls will connect to the same switches again for their outside interface. This time it will be on a different vlan, the "outside" vlan, along with your CoLo port.

Reply to
Kevin Widner

There is a significant security risk to doing this.

You could inadvertently place an inside device on an outside VLAN bypassing your firewall.

Reply to
Merv

Thanks guys, I thought that VLAN was the way to go, I think the tricky bit will be on the 515's then .. getting them to have two "inside" interfaces .. one to each "inside" VLAN.

Regards,

Danny

Reply to
Danny

There is a significant security risk to doing this.

You could inadvertently place an inside device on an outside VLAN bypassing your firewall.

The "risk" would only come from human error. There should be rarely, if ever, a need to have anything in the outside vlan other than the two outside pix interfaces and the CoLo port. Just configure the switches to have only three outside vlan ports and set everything else up for "inside" connectivity and turn off trunking except between the two switches (Important: I forgot to tell you this earlier Danny, you will want to run a cable between your two switches and set it up as a "trunk"). Physically label the ports if you must.

Reply to
Kevin Widner

Thanks guys, I thought that VLAN was the way to go, I think the tricky bit will be on the 515's then .. getting them to have two "inside" interfaces .. one to each "inside" VLAN.

You would still only have 1 inside and 1 outside interface for your PIX after you are done. What I forgot to mention earlier is that the two switches will be connected together using a trunk. That means they will share the same "inside" vlan. The PIX devices should therefore only need 1 inside interface. A host connected to switch 1 could talk to the inside interface of PIX 1 or it could traverse the trunk and talk to the inside interface of PIX 2 that is connected to switch 2.

Reply to
Kevin Widner

Many thanks,

I think I can see my way now .. I'll get redundancy for the inside LAN this way, but not for the outside switch .. which, as I've only got one Co-Lo port anyway .. is about as good as I can get.

Now to look up the switch commands .. ;)

Thanks again.

Danny

Reply to
Danny

Out of interest .. am I actually gaining any redundancy here? If my LAN switch fails, it's ok, I've got the LAN extended onto the spare ports on the switch I use (normally) for "outside" the PIX's .. but I'm still totally reliant on _that_ switch not going .. I may as well just wire everything up to that one .. with the VLANs as described (inside and outside).

Ultimately it boils down to having only a single IP port in the CoLo .. I can only connect that to _one_ device .. and so I'm not really going to gain anything from multiple switches.

Is that right?

Regards,

Danny

Reply to
Danny

Correct. But keep in mind that in a properly designed and managed network, your primary risk factor IS human error. There have also been reports of problems with traffic leaking between VLANs on older switches which may or may not affect you. You would probably find it cheaper and easier to buy more switches rather than futzing with VLANs. I have a client who saved money putting two different untrusted VLANs on the same switches and every few months log analysis reports packets showing up on the wrong VLAN and getting caught by access lists in the routers and firewalls.

A bigger challenge will be providing redundancy on your colo uplink. That will be tricky to do in a way which improves rather than degrades availability, particularly if you don't want to degrade security. There is no way to plug a single uplink cable into two switches, so you are going to need your provider's cooperation if you are going to do anything meaningful about eliminating a single point of failure. Even then, you need to get into how your colo is designed to ensure that you don't just move the weak point from your switch to their switch.

Good luck and have fun!

Reply to
Vincent C Jones
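The two risks raised in this thread, Kevin's "only three outside vlan ports, everything else inside, trunking only between the two switches" rule and Vincent's warning that the real risk is human error patching a host into the wrong VLAN, can be turned into a check that runs against the switch's running config. The script below is an added example and not anything posted in the thread; the config text, VLAN ids (10 inside, 20 outside), port names and the allow-list of outside ports are all constructed assumptions, and it deliberately contains one mis-patched host port and one port left in the default (DTP-negotiable) mode so the audit has something to flag.

```python
"""Audit a Catalyst-style running config against the layout from the thread:
exactly three access ports in the outside VLAN (two PIX outside interfaces
and the CoLo uplink), every other edge port forced into access mode in the
inside VLAN, and a trunk only on the single inter-switch link.

Added example; VLAN ids, port names and the sample config are assumptions.
"""
import re

INSIDE_VLAN = 10    # assumed "inside" VLAN id
OUTSIDE_VLAN = 20   # assumed "outside" VLAN id
# assumed allow-list: the only ports that may sit in the outside VLAN
OUTSIDE_PORTS = {"FastEthernet0/1", "FastEthernet0/2", "FastEthernet0/3"}
TRUNK_PORTS = {"FastEthernet0/24"}   # assumed single inter-switch trunk

# constructed sample config, not a real switch's configuration
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 description PIX1 outside
 switchport access vlan 20
 switchport mode access
 switchport nonegotiate
!
interface FastEthernet0/2
 description PIX2 outside
 switchport access vlan 20
 switchport mode access
 switchport nonegotiate
!
interface FastEthernet0/3
 description CoLo uplink
 switchport access vlan 20
 switchport mode access
 switchport nonegotiate
!
interface FastEthernet0/4
 description host1 nic0
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/5
 description host2 nic0 (mis-patched into the outside VLAN)
 switchport access vlan 20
 switchport mode access
!
interface FastEthernet0/6
 description spare, mode left at the switch default
 switchport access vlan 10
!
interface FastEthernet0/24
 description trunk to switch 2
 switchport mode trunk
!
"""


def parse_interfaces(config):
    """Return {interface name: [stripped config lines]} for each 'interface' stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            stanzas[current] = []
        elif line.startswith("!"):      # stanza separator at column 0
            current = None
        elif current is not None:
            stanzas[current].append(line.strip())
    return stanzas


def audit(config):
    """Return a sorted list of (port, problem) findings; empty means the layout holds."""
    findings = []
    for port, lines in parse_interfaces(config).items():
        mode, vlan, nonegotiate = None, None, False
        for l in lines:
            if l.startswith("switchport mode "):
                mode = l.split()[-1]
            elif l.startswith("switchport access vlan "):
                vlan = int(l.split()[-1])
            elif l == "switchport nonegotiate":
                nonegotiate = True
        if port in TRUNK_PORTS:
            if mode != "trunk":
                findings.append((port, "inter-switch link is not configured as a trunk"))
            continue
        # Many Catalyst switches default to a dynamic (DTP) mode, so a port not
        # forced to access mode could negotiate itself into a trunk carrying both VLANs.
        if mode != "access":
            findings.append((port, "not forced to access mode (may negotiate a trunk)"))
        if vlan == OUTSIDE_VLAN:
            if port not in OUTSIDE_PORTS:
                findings.append((port, "in the outside VLAN but not on the outside allow-list"))
            if not nonegotiate:
                findings.append((port, "outside port without 'switchport nonegotiate'"))
        elif vlan != INSIDE_VLAN:
            findings.append((port, f"in unexpected VLAN {vlan}"))
    return sorted(findings)


if __name__ == "__main__":
    for port, problem in audit(SAMPLE_CONFIG):
        print(f"{port}: {problem}")
```

Run it periodically against a saved `show running-config` (the thread's advice to physically label ports covers the human side; this covers the config side), and keep the allow-list under change control so a host patched into the outside VLAN shows up as a finding rather than as a firewall bypass.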
