asked on cisco HSRP loadbalancing topolgy
My recommended topology sceanrio as follows :
Internet
|
|
Internet Router
|
Fortigate Firewall
|
Access - sw
/ \
Core-sw-1--------- core-sw-2
/ \
Dist-sw-1 ----------- Dist-sw-2
/ \ / \
Access-1 Access-2 Access-1 Access-2
| | | |
VLAN10 VLAN 20 Vlan 30 VLAN 40
I hope , the above topogy is undersandble and giving short note on the above scenario
1) In this project we are using one cisco 1900 series router as internet router
2) Fortigate firewall is a Internet firewall
3) Two core-sw as 4506 series and two 3750-X as distribution and 2960S switches as access
4) There is a cross connectivity between distribution -1 to core-sw2 and distribution-2 to
Core-sw-1 ( Not shown in Above diagram)
There is connectivity between distribution switches ( shown in diagram)
5) Each access-sw is in each vlan and connected to distribution , end devices are connected to access-switches
Requirements :
1) HSRP configuration including Loadbalancing for each VLAN means some vlans
Core-sw-1 is active and core-sw-2 is standby and viceversa
2) If we go to HSRP-Loadbalancing , How to configure VTP , can we configure two core-switches as server mode then how it works if core-switch-1 fails how the vlan database reflects in other core-switch-2
3) How to configure STP , can we configure Core-Sw-1 as a Root bridge for some vlans and
Core-Sw-2 as root bridge for a remaining vlans , How core-sw-2 will become a Root bridge for the vlans are through Core-sw-1 , if core-sw-1 gets down
4) How the redundancy will be happen , if one core-sw-1 goes down how the repspective vlans traffice will turn through Core-sw-2
5) How the VTP database will be reflected in Core-sw-2 if Core-Sw-1 gets down
6) will do intervlan in Distribution switches , is it ok? , can we make distribution , access switches as a client mode in VTP configuration , i think it wont give any issues , so that
VLANs configure in Core-Switches will be reflcted in each distribution / access-switches
Pls provide a solution for the above and suggest your comments
Regards
Ramu
Internet
|
|
Internet Router
|
Fortigate Firewall
|
Access - sw
/ \
Core-sw-1--------- core-sw-2
/ \
Dist-sw-1 ----------- Dist-sw-2
/ \ / \
Access-1 Access-2 Access-1 Access-2
| | | |
VLAN10 VLAN 20 Vlan 30 VLAN 40
I hope , the above topogy is undersandble and giving short note on the above scenario
1) In this project we are using one cisco 1900 series router as internet router
2) Fortigate firewall is a Internet firewall
3) Two core-sw as 4506 series and two 3750-X as distribution and 2960S switches as access
4) There is a cross connectivity between distribution -1 to core-sw2 and distribution-2 to
Core-sw-1 ( Not shown in Above diagram)
There is connectivity between distribution switches ( shown in diagram)
5) Each access-sw is in each vlan and connected to distribution , end devices are connected to access-switches
Requirements :
1) HSRP configuration including Loadbalancing for each VLAN means some vlans
Core-sw-1 is active and core-sw-2 is standby and viceversa
2) If we go to HSRP-Loadbalancing , How to configure VTP , can we configure two core-switches as server mode then how it works if core-switch-1 fails how the vlan database reflects in other core-switch-2
3) How to configure STP , can we configure Core-Sw-1 as a Root bridge for some vlans and
Core-Sw-2 as root bridge for a remaining vlans , How core-sw-2 will become a Root bridge for the vlans are through Core-sw-1 , if core-sw-1 gets down
4) How the redundancy will be happen , if one core-sw-1 goes down how the repspective vlans traffice will turn through Core-sw-2
5) How the VTP database will be reflected in Core-sw-2 if Core-Sw-1 gets down
6) will do intervlan in Distribution switches , is it ok? , can we make distribution , access switches as a client mode in VTP configuration , i think it wont give any issues , so that
VLANs configure in Core-Switches will be reflcted in each distribution / access-switches
Pls provide a solution for the above and suggest your comments
Regards
Ramu
Switches / HubsNetwork ArchitectureNetwork Operations
Last Comment
RAMU CH
Regarding vlan configuration: Both core switches have all vlans. Set up the spanning tree root to the same switch as your HSRP active. Acces switches only get the vlans they need. Configure trunk ports so that they only carry the vlans required. All of this makes spanning tree simpler. Also set up Rapid spanning tree on all devices, it fasils over much faster.
One thing to mention: the setting of the root bridge on the same switch as the HSRP active switch can lead to flooding situations on the secondary core switch when the return traffic from the firewall is sent towards that switch. For this reason I recommend to set HSRP primary and STP root bridge on different switches.
But one question about the design: If all VLAN are present up to the core why not having the L3 termination in the firewall? This does not add much more complexity and HSRP would not be needed. You then only have STP (or hopefully RSTP) for redundancy purposes.
I agree on VTP: use transparent, then you know what you do and an eventual hardware replacement is easily done. I also agree on the question about the distribution layer. There is no obvious need for it in your environment unless you have geographical/cabling issues that lead to your solution.
But one question about the design: If all VLAN are present up to the core why not having the L3 termination in the firewall? This does not add much more complexity and HSRP would not be needed. You then only have STP (or hopefully RSTP) for redundancy purposes.
I agree on VTP: use transparent, then you know what you do and an eventual hardware replacement is easily done. I also agree on the question about the distribution layer. There is no obvious need for it in your environment unless you have geographical/cabling issues that lead to your solution.
ASKER
will you provide a sample refference configuration of HSRP VLAN loadbalancing configuration
in a Three-tier netwrok archietecture model like my proposed model
I am also searching in google site but just for getting worked out of the above topolgy
Regards
Ram
in a Three-tier netwrok archietecture model like my proposed model
I am also searching in google site but just for getting worked out of the above topolgy
Regards
Ram
mat1458: " If all VLAN are present up to the core why not having the L3 termination in the firewall?" Because if the firewall fails then internal routing also fails rather than just internet access.
ramkanirka:
switch 1
interface vlan 10
ip address 10.1.1.2 255.255.255.0
standby ip 10.1.1.1
standby priority 110
standby preempt (this tells the primary to take over again when it can)
standby timers 2 6 (this shortens the timers significantly for faster failover)
standby track 1 decrement 11
interface vlan 20
ip address 10.2.2.2 255.255.255.0
standby ip 10.2.2.1
standby priority 100
standby timers 2 6
switch 2
interface vlan 10
ip address 10.1.1.3 255.255.255.0
standby ip 10.1.1.1
standby priority 100
standby timers 2 6
interface vlan 20
ip address 10.2.2.3 255.255.255.0
standby ip 10.2.2.1
standby priority 110
standby preempt
standby timers 2 6
standby track 1 decrement 11
ramkanirka:
switch 1
interface vlan 10
ip address 10.1.1.2 255.255.255.0
standby ip 10.1.1.1
standby priority 110
standby preempt (this tells the primary to take over again when it can)
standby timers 2 6 (this shortens the timers significantly for faster failover)
standby track 1 decrement 11
interface vlan 20
ip address 10.2.2.2 255.255.255.0
standby ip 10.2.2.1
standby priority 100
standby timers 2 6
switch 2
interface vlan 10
ip address 10.1.1.3 255.255.255.0
standby ip 10.1.1.1
standby priority 100
standby timers 2 6
interface vlan 20
ip address 10.2.2.3 255.255.255.0
standby ip 10.2.2.1
standby priority 110
standby preempt
standby timers 2 6
standby track 1 decrement 11
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
see the attached fig:
a) what is configuraiton at r9 , can we make a separate vlan for this and make active core swtich as active and stanby core switch as backup for the vlan in switch r9
b) what is the configuraion at host 3 ( rotuer) , what default gateway should i point menas is it a router 10 inside ip or virtual ip address of the vlan of active/standby
c) if host3 default--gateway is r10 inside ip address then how host 1 (van 10 pc ) and host 2 (vlan 20) communicates with host3
regards
ramu
HSRP-Topology.png
a) what is configuraiton at r9 , can we make a separate vlan for this and make active core swtich as active and stanby core switch as backup for the vlan in switch r9
b) what is the configuraion at host 3 ( rotuer) , what default gateway should i point menas is it a router 10 inside ip or virtual ip address of the vlan of active/standby
c) if host3 default--gateway is r10 inside ip address then how host 1 (van 10 pc ) and host 2 (vlan 20) communicates with host3
regards
ramu
HSRP-Topology.png
a) Is R9 a basic Layer 2 switch or a Layer 3 switch? And is R10 the Fortigate firewall you mentioned at the beginning, or something else? What is the purpose of host 3? Is it supposed to be a DMZ host that is accessible from the internet? All of these questions need to be answered before I can give you an answer to this question.
b) Same questions as above
c) R10 and the core switches have to have correct routing configured for it to work. This is one of the reasons the questions I asked in (a) are important.
b) Same questions as above
c) R10 and the core switches have to have correct routing configured for it to work. This is one of the reasons the questions I asked in (a) are important.
ASKER
Thanks
2. Normally in a heirarchical model, the distribution switches are Layer 3. In your case, it sounds like they are Layer 2 only. I would eliminate the distribution switches and dual-home all of the access switches if you can. Having them only adds complexity and a lot of loops that STP has to resolve (also if you're using VTP, every vlan is on every switch and since you have a separate spanning tree for each VLAN, the problem is multiplied).
3. With the access switches dual-homed to the core switches, everything becomes much, much simpler. Configure all vlans on both core switches. If you want to load-balance your HSRP, that's fine and very commonly done. However, I would use standby tracking and track the interface that connects toward the internet. That way if the link to the internet goes down on one switch, HSRP will switch over to the good core switch.