handling hsrp connections from isp

Hi,

I'm setting up a new colocation cabinet, and am trying to implement a redundant network architecture. If you wouldn't mind taking a look to see if I'm on the right track:

(1) 2 fast ethernet connections from ISP, each connected to a separate router, with HSRP failover configured between them. (This is a multihomed mix of several upstream providers.)

(2) An unmanaged fast ethernet switch for the two ISP connections, and one connection to each of the firewalls.

(3) Two Cisco ASA 5510 firewalls, with a direct failover link (crossover cable) between them, connected to the front-end switch on the outside interfaces, and to internal switches on the internal interfaces. Each inside interface is connected to one of the internal switches.

(4) Two HP Procurve 2824 switches. Each one is connected to exactly one of the firewalls. They also have an 802.1Q trunk connection between them. I'll configure several VLANs to connect to these switches. The switches run STP to eliminate loops.

(5) About 12 servers, each with redundant NICs. Each NIC is connected to one of the Procurve switches.

Failure modes:

-- Server NIC or single port on the Procurve fails: STP on the Procurves recalculates the tree and the other connection takes over.

-- One of the Procurves fails: The connected firewall will detect a failure and failover to the backup unit. The other Procurve will use STP to recalculate the tree and the servers will remain connected via their secondary NICs.

-- One of the firewalls fails: Failover will be initiated and the backup firewall will take over. STP will recalculate the tree and traffic can still flow through the backup firewall.

-- The front-end switch fails: I'm hosed. This is the piece I need help with. Is it possible to introduce redundancy here? What is the proper way to aggregate these two connections given that only one of them is active at any given time?

-- One of the ISP's routers fails: HSRP will kick in and I'll retain connectivity through the second drop.

Networking is not my specialty, so I'd appreciate your guidance / feedback.

Thanks, Matt

Reply to
molson8472

Because you only have unmanaged switches for your ISP and Firewall connections, that is definitely a single point of failure. For true redundancy here, you need each router (to your ISP) dual homed to a pair of switches, which then go to the firewalls, which then go back to your internal core of your network (again at least a pair, and servers will be dual homed to both). Also, are you seeking load balancing when everything is working, or does this not matter at this time? If that is the case, you'll need to think through load balancing options (at least for traffic going external). Load balancing traffic back in is a whole different game as it requires working closely with both providers, but for external, you can run dynamic routing protocols, have matching static routes, but your firewalls may introduce additional complexity depending on how they are being used.

Also, yes HSRP will work for outgoing traffic, but you want to make sure that both providers or connections are both advertising your external IP ranges into BGP, or a downed internet router may still result in an outage (traffic can get out, but not back in).

Reply to
Trendkill

I've got two connections to the same ISP (connected to two of their routers), with HSRP running on their routers. And yes, they are advertising my IPs with BGP further out into the core.

Load balancing across connections is not a concern here -- I am just looking for redundancy and no single points of failure.

I think that with the combination of the ASA failover mechanism, STP on the interior switches, and dual homing of the servers to separate switches, I have full redundancy and automatic failover for the firewalls and everything inside the firewalls.

But the question is dealing with the two HSRP connections from the ISP. If I put two switches outside the firewalls, and connect each of the ISP connections to one, and connect them to each other, I think I'd be OK. In the case of one of the outside switches failing, the ISP routers should detect the failure because they will no longer be able to send HSRP messages on the local segment, triggering an HSRP failover. At the same time, my primary firewall should detect a failure and failover to the secondary firewall since it will be connected to the second ISP connection. Does that sound right?

I've posted a diagram just to be as clear as possible. Please poke as many holes as you can in this setup and let me know if I'm on the right track for full redundancy and no single points of failure (aside from my upstream ISP). I'd like to find out now before buying a bunch of equipment. :)

Thanks, Matt

Reply to
molson8472
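Matt's proposed layout, with the single front-end switch beside the interconnected pair of outside switches, modelled as a graph so that every single node or link failure can be checked for remaining server-to-ISP connectivity. This is an added example, not from the thread: node names and links are constructed from the design described above, and the ASA failover crossover cable is left out because it carries no user traffic.

```python
"""Reachability check for the redundant colocation design in this thread.
Node names and the link list are constructed to mirror the described design:
HSRP ISP routers, front-end switch(es), ASA pair, Procurve pair with a trunk,
and a dual-homed server. The ASA failover cable is omitted (control only)."""
from collections import deque

def build_topology(front_end_switches=1):
    """Undirected adjacency dict; 1 front-end switch is the original plan,
    2 is the interconnected outside-switch pair proposed later."""
    links = [("isp_upstream", "isp_rtr1"), ("isp_upstream", "isp_rtr2"),
             ("isp_rtr1", "fe_sw1"), ("asa1", "fe_sw1"),
             ("asa1", "pc_sw1"), ("asa2", "pc_sw2"),     # one inside interface each
             ("pc_sw1", "pc_sw2"),                        # 802.1Q trunk
             ("server", "pc_sw1"), ("server", "pc_sw2")]  # redundant NICs
    if front_end_switches == 1:
        links += [("isp_rtr2", "fe_sw1"), ("asa2", "fe_sw1")]
    else:
        links += [("isp_rtr2", "fe_sw2"), ("asa2", "fe_sw2"), ("fe_sw1", "fe_sw2")]
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj

def reachable(adj, src, dst, failed_nodes=frozenset(), failed_links=frozenset()):
    """BFS from src to dst, skipping failed nodes and failed links
    (a failed link is the frozenset of its two endpoints)."""
    if src in failed_nodes or dst in failed_nodes:
        return False
    seen, queue = {src}, deque([src])
    while queue:
        n = queue.popleft()
        if n == dst:
            return True
        for m in adj[n]:
            if m in seen or m in failed_nodes or frozenset((n, m)) in failed_links:
                continue
            seen.add(m)
            queue.append(m)
    return False

def single_points_of_failure(adj, src="server", dst="isp_upstream"):
    """Nodes and links whose individual loss cuts the server off from the ISP."""
    nodes = sorted(n for n in adj if n not in (src, dst)
                   and not reachable(adj, src, dst, failed_nodes={n}))
    all_links = {frozenset((a, b)) for a in adj for b in adj[a]}
    links = sorted(sorted(l) for l in all_links
                   if not reachable(adj, src, dst, failed_links={l}))
    return nodes, links

if __name__ == "__main__":
    for count in (1, 2):
        print(count, "front-end switch(es):", single_points_of_failure(build_topology(count)))
```

The single-switch design reports `fe_sw1` as the only single point of failure; with two interconnected outside switches no single node or link breaks the path, while a combined loss (say `fe_sw1` and `asa2`) still does, which is the diversity concern raised later in the thread.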

You mentioned:

So if the ISP has 2 routers, and they simply plug into your switches, then I don't see a technical reason that you need to run STP. I don't see a loop formed in any case. So, unmanaged switches should work. On the other hand, managed switches are probably important to you, if you want to poll these switches via an NMS system to detect failures, etc. So if 1 switch dies, and you don't know about it, you now have a single point of failure!

STP is required for each VLAN on your internal switches. I'd set the STP root to be the left-hand switches (as well as HSRP active).

-Dan


Reply to
dman1973

Your explanation is good... as far as it goes. Here are some general holes you have not covered:

Effective redundancy requires three things: the ability to detect failure, the ability to do something to get around detected failures, and enough diversity so that whatever causes the first failure does not also cause the alternate mode to fail (think cables in a bundle or common power source).

IP communication requires the redundancy to work bidirectionally. That is, not only do you need to properly reroute outbound packets, but also the responses to those packets. HSRP only handles getting packets from your firewall to your ISP, and not necessarily even that much. Are there any switches between your switches and the ISP's routers? How does the ISP detect failure of a link between one of its routers and your switch (not just for HSRP but also for sending traffic to you)? Hint--do not assume that link problems will cause the Ethernet interface to go down...that only happens most of the time.

Maintaining high availability also requires continuous vigilance (network monitoring and management). It does not help you long term if you have no mechanism to detect that you have failed over and are running on backup. You will need to determine just how much availability you really need and how much you are willing to pay for if you can get it. If all you want is a pretty picture to impress clients, you're done. If you really care about high availability, you've only just begun to scratch the surface.

Good luck and have fun!

Reply to
Vincent C Jones
