Setup New Network
Hello,
I am trying to setup new network. I suggested the network below. Any suggestion for best design will be appreciated.
1- Do I need to use two switches that is come before the firewall for high availability?
2- Do I need to setup VSS between two switches for the NGF?
3- Do I need to setup VSS between two switches for the ports that is go out from core switches and come in to distribution switches?
3- Do I need to remove the link between the two NGF?
Any document that can help me to setup the NGF cluster ( I read this article https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/clustering/ftd-cluster-solution.html#concept_410590E05DD5495E8F47C525AD905D43)
Thanks
I am trying to setup new network. I suggested the network below. Any suggestion for best design will be appreciated.
1- Do I need to use two switches that is come before the firewall for high availability?
2- Do I need to setup VSS between two switches for the NGF?
3- Do I need to setup VSS between two switches for the ports that is go out from core switches and come in to distribution switches?
3- Do I need to remove the link between the two NGF?
Any document that can help me to setup the NGF cluster ( I read this article https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/clustering/ftd-cluster-solution.html#concept_410590E05DD5495E8F47C525AD905D43)
Thanks
ASKER
Thank you for your reply.
Actually, I just gave a simple diagram. I have 8 distribution switches each one is in different floor.
I will not need to stack distribution switches. However, I need to have VSS at core switches. I need to have High Availability at NGF.
I need each distribution switch to have two fiber cable one from each core switch.
Any suggestion for better design?
Thanks
Actually, I just gave a simple diagram. I have 8 distribution switches each one is in different floor.
I will not need to stack distribution switches. However, I need to have VSS at core switches. I need to have High Availability at NGF.
I need each distribution switch to have two fiber cable one from each core switch.
Any suggestion for better design?
Thanks
VSS is a switch binding technology. As such, it won't run on the firewalls. To get high availability there you will use VRRP or something similar.
On the 4500's, again, you can run VSS here to make them present as one single switch but I generally don't recommend this unless you have a compelling reason for it to be built this way. As of right now, I don't see a reason to in your proposal.
On the 4500's, again, you can run VSS here to make them present as one single switch but I generally don't recommend this unless you have a compelling reason for it to be built this way. As of right now, I don't see a reason to in your proposal.
ASKER
Thank you for your reply,
I need the high availability at NGF and switches. You mean I have to run Virtual Router Redundancy Protocol at Core switch ? What is the best scenario to get high availability at NGF and core switches
Thanks
I need the high availability at NGF and switches. You mean I have to run Virtual Router Redundancy Protocol at Core switch ? What is the best scenario to get high availability at NGF and core switches
Thanks
No, VRRP will run between the firewalls.
The switches are in a pair. If you place trunks between the switches, they will meet the requirement for HA. Some type of gateway redundancy would be used between them on any SVI's. That could be HSRP, VRRP, GBLP - whichever works best for your scenario. VSS is not recommended unless you have a compelling reason to use (i.e. you have servers that need to terminate a port channel on the 4500s with 50% of each port channel on each switch). If you don't need to do something like this, then don't bother with VSS and just go with the HSRP.
The switches are in a pair. If you place trunks between the switches, they will meet the requirement for HA. Some type of gateway redundancy would be used between them on any SVI's. That could be HSRP, VRRP, GBLP - whichever works best for your scenario. VSS is not recommended unless you have a compelling reason to use (i.e. you have servers that need to terminate a port channel on the 4500s with 50% of each port channel on each switch). If you don't need to do something like this, then don't bother with VSS and just go with the HSRP.
I'd run VSS on 4500 as Atlas stated. Run the NGF as a cluster with a spanned port channel to touching each 4500.
ASKER
Hi,
OK, Then need to have port channel (VRRP) to connect NGF with core switches and VSS for HA of switches. Yes, I do have servers. Any suggestion?
OK, Then need to have port channel (VRRP) to connect NGF with core switches and VSS for HA of switches. Yes, I do have servers. Any suggestion?
No VRRP for NGF. They will be clustered to act as one device. Logically, it will look like one firewall connected to one core switch with VSS.
ASKER
Thank you for your reply,
Then I will have cluster of NFG and cluster of core switches and I will have (Physical) one fiber connection from each core switch to connect to distribution switches. (i.e each distribution switch will have physically two fiber connection one from each switch). Am I correct?
Each NGF will have three physical connections (one to two core switches and one between them as heat beat). Am I correct?
Thanks
Then I will have cluster of NFG and cluster of core switches and I will have (Physical) one fiber connection from each core switch to connect to distribution switches. (i.e each distribution switch will have physically two fiber connection one from each switch). Am I correct?
Each NGF will have three physical connections (one to two core switches and one between them as heat beat). Am I correct?
Thanks
Yes, that is in the right direction. I would do a port channel of at least two fiber to each distribution switch. I'd also make them Layer 3 port channels to collapse your spanning tree south of your distribution layer. Layer 3 north of it. If you aren't physically able to run multiple fiber to each distribution as described then go with your initial setup of a single fiber to each.
ASKER
Thanks,
Then lets say port 1 of core switch 1 will be connected to port 1 of distribution switch and port 1 of core switch 2 will be connected to port 2 of distribution switch. All these ports will be in the same port channel. Am I correct? by this way if core switch 1 fail then the data will pass through core switch 2. Am I correct?
Thanks
Then lets say port 1 of core switch 1 will be connected to port 1 of distribution switch and port 1 of core switch 2 will be connected to port 2 of distribution switch. All these ports will be in the same port channel. Am I correct? by this way if core switch 1 fail then the data will pass through core switch 2. Am I correct?
Thanks
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
You can run VSS between the 4500's if you need to be able to dual home port-channels. If you don't need to do this and don't see it being a need in the future, then leave them standalone and trunk between.
Set the 4500s as your STP root and secondary.
Firewalls are terminated one into each 4500. Primary firewall into STP root.
There is no such thing as VSS between firewalls however, you may need this link for heartbeat.