My network is represented in the attached diagram. The left side is how the network currently looks. The right side is the equipment I am going to add to make this network more redundant incase of hardware failure. At the moment there will be only one ISP connection thats why you only see one Cisco 3640, but everything below that, I want to make redundant. I'm not sure where to use HSRP and where to use static routes with different metrics. I know for the ASA's I will have an Active/Standy failover configuration. The 2821 routers handle all my site-to-site VPN's so I'm thinking I would run HSRP between those? I'm not to sure the best way to make the switches redundant. Right now all my different subnet switches come off the Cisco 3550 core switch. I was thinking about adding a second ip route to the subnet switches telling traffic to go to the second core switch if the first one fails. Just want some advice on what someone else thinks on this network design. Thanks.
Network Diagram
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.
Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
Thanks. I would like to load balance the Cisco 2821 routers(VPN Concentrators), but I'm not sure how I would cable this so if the ASA failed over, the concentrators would still be working. As you can see on my DMZ switches I have two VLANs. One VLAN is configured with a public address and the other with a private address. I need to make sure that all VPN's configured on the 2821 remain up if a failover occurs. Any suggestions?
This might be a major redesign for you, but this is how I might do it.
Since the 5505 has 8 ports, you can setup "inside" and "DMZ" VLANs, and then connect each switch to each ASA.
Take a look.
Sample Network Diagram
Business Accounts
Answer for Membership
by: bornskirPosted on 2009-08-11 at 12:31:52ID: 25072471
You're going to want to implement HSRP on whatever device(s) act as your default gateway internally. If that is your firewalls, then you would just need to implement active/standby.
You can't really make a switch redundant unless you multi-home your servers (or whatever is connecting to those switches).
You can also load balance/cluster your VPN Concentrators rather than have them as "active/standby".
As for redundant connections, you basically want to have a mesh network. So you would have each switch connect to each firewall as well as a connection between the two switches (you can even have multiple connections between switches and etherchannel them or just let STP disable one port unless it's needed).
I hope that makes sense.