Hi Rene,
I’m trying to design a campus LAN network where L3 functions will be moved to a DC firewall (Fortigate). However, I’m confused about how to design this with a Cisco Core 6800 (collapsed core, VSS) with the Fortigate as DC firewall in A-P. What would be the right way to cable this scenario?
Hello Midhul
Based on your description, your collapsed core approach would look something like this:

    [Fortigate FW]          - Core/Distribution
          / \
    [6800 VSS pair]         - Access
      / /     \ \
 [host] [host] [host] [host]
Let me make some assumptions. You mention “A-P”, by which I assume you mean Active/Passive mode or some form of high availability, right? I’m assuming the Fortigate firewall will consist of at least two entities (appliances or virtual) that will operate in active/passive mode. Also, moving L3 to the FWs means that you are making your pair of 6800s function only as layer 2 devices.
Remember, the pair of 6800s using VSS operate virtually as a single switch.
With these assumptions, let me suggest the following guidelines:
- Make one physical connection between each FW and each 6800 chassis. This will ensure redundancy across the physical hardware of the 6800s as well as the links to both physical devices.
- The connections from each FW to each physical 6800 should be configured as trunk links. On the FW side, you should configure “router on a stick”.
- Make sure that all of the VLANs in your network are included and represented in the configuration of the subinterfaces of the FW and of the trunk configuration on the 6800 side.
Now, how to achieve the required high availability from the Active/Passive configuration you will make on the Fortigate FWs will depend upon the configuration and the setup of those devices.
Just a comment here: what is the reason you want the FW to perform routing? This setup essentially uses the 6800s as access switches, which is kind of a shame because of their capabilities and robustness. I would consider routing by the 6800 VSSes to be much more robust and reliable. If there is a way to keep routing at the 6800s, I would go for it. Just a thought.
I hope this has been helpful!
Laz
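As an added configuration example (not part of this thread, and not Laz's or Rene's own configuration), here is what the guidelines above could look like in CLI form: one trunk from each FortiGate appliance to each 6800 chassis, trunks carrying every VLAN, "router on a stick" subinterfaces on the FortiGate, and the FortiGate pair in Active/Passive HA. All hostnames, interface names, port numbers, VLAN IDs and addresses are assumptions. It also assumes one detail the post leaves open: the two links from each appliance are bundled into a multichassis EtherChannel on the VSS side and an 802.3ad aggregate on the FortiGate, so that the VLAN subinterfaces sit on a single logical uplink.

```text
! ===== Cisco 6800 VSS (hypothetical interface names) =====
! Layer 2 only: the 6800s carry VLANs 10 and 20 but hold no SVIs for
! them; the default gateway for each VLAN lives on the FortiGate.
vlan 10
 name USERS
vlan 20
 name SERVERS
!
! Multichassis EtherChannel to FortiGate-A: one member on each chassis
! (Te1/x/x is chassis 1, Te2/x/x is chassis 2), so the bundle survives
! the loss of either chassis or either link.
interface Port-channel11
 description MEC to FortiGate-A
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk
!
interface TenGigabitEthernet1/1/1
 description FortiGate-A port1 (chassis 1)
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 channel-group 11 mode active
!
interface TenGigabitEthernet2/1/1
 description FortiGate-A port2 (chassis 2)
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 channel-group 11 mode active
!
! Port-channel12 with members Te1/1/2 and Te2/1/2 is configured the
! same way toward FortiGate-B (the passive unit).

# ===== FortiGate (config is synchronised to both HA members) =====
# Router on a stick: one 802.3ad aggregate toward the VSS and one VLAN
# subinterface per VLAN, each holding that VLAN's default gateway.
config system interface
    edit "agg-core"
        set vdom "root"
        set type aggregate
        set member "port1" "port2"
        set lacp-mode active
    next
    edit "agg-core.10"
        set vdom "root"
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping
        set interface "agg-core"
        set vlanid 10
    next
    edit "agg-core.20"
        set vdom "root"
        set ip 192.168.20.1 255.255.255.0
        set allowaccess ping
        set interface "agg-core"
        set vlanid 20
    next
end

# Active/Passive HA: dedicated heartbeat links, and "monitor" on the
# uplink aggregate so the active unit fails over if it loses the VSS.
# Use a lower priority (for example 100) on the second unit.
config system ha
    set group-name "DC-FW"
    set mode a-p
    set password <hypothetical-ha-password>
    set hbdev "port9" 50 "port10" 50
    set priority 200
    set override disable
    set monitor "agg-core"
end
```

To check the result, `show etherchannel summary` on the VSS should list Port-channel11 and Port-channel12 with members from both chassis in the bundled state, and `get system ha status` on the FortiGate should show one primary and one secondary unit in sync. Every VLAN that exists on the 6800s must appear both in the `switchport trunk allowed vlan` list and as a subinterface on the FortiGate, otherwise hosts in that VLAN have no gateway.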
Hello, I’m looking for a way to design a high-level network architecture. What components should I add to achieve availability? If anyone has any ideas, kindly share them with me.
Hello @nyadeos ,
That is a broad question. There are many things that influence high availability.
Here are some things to consider:
- Redundant hardware: having more than one router/switch/firewall where appropriate. Some devices have redundant power supplies and supervisors.
- Failover/protocols: There are many protocols that help with failover and redundancy. To give you two examples for routing: HSRP or VRRP.
- Backup power: UPS, etc.
- Network monitoring
- Disaster recovery plan
These are some high-level things to think about. It depends on your network and how critical it is.
Rene
@ReneMolenaar Yes, it is a broad question, but specifically I had an assignment to design a network architecture with high availability; it is in that regard that I was looking for one of them.
Hello Deo
As Rene suggested, high availability can be deployed with multiple technologies depending upon what you want to achieve. Here are some thoughts that might help you out:
- High availability can be achieved using two or more devices to perform a task.
- Setting up two ASAs for example in high availability mode, or two servers mirroring each other.
- Configuring switches in various high availability arrangements like StackWise, vPC, and VSS.
- Applying First Hop Redundancy Protocols (FHRPs) like HSRP, VRRP, and GLBP to enable multiple devices to act as default gateways.
- High availability can also be achieved using technologies that use multiple physical links like EtherChannel.
- Routing can be configured to introduce Equal Cost MultiPath (ECMP) routing, delivering high availability and resilience to the network.
- High availability can also be achieved by implementing the appropriate power supplies, making sure that you have redundant power supplies per device, and UPS systems delivering power to your network devices.
- High availability can also be delivered by designing your network with duplicate data centers, where if one data center fails, the other will take over fully. This is a higher-level design aspect, and assumes that your organization has multiple sites.
- Network design delivers high availability by using either a spine and leaf architecture, which is inherently redundant, or a 3 tier campus network design as shown in this lesson.
These are just some of the areas in which high availability can be implemented into network design. If you would like us to expand on any particular area, let us know…
I hope this has been helpful!
Laz
Hi everyone! I have a question regarding the topology used in the lesson.
As far as I am aware, Cisco’s recommendation is as follows:
- One VLAN spanning both access switches = Use L2 between the distribution switches. STP would avoid a loop, FHRP communication can be sent/received on the L2 link between the distribution switches.
- One VLAN confining to each access switch = Use L3 between both distribution switches. No STP needed, FHRP communication would go through the access switches.
Is there a reason why not to also use an L3 link between the distribution switches in scenario 1)?
Hello Marcel
Yes, this is correct.
Yes, there is. If you want to span a single VLAN across two access switches, then you must achieve Layer 2 connectivity between those switches.
Remember, you would typically have one IP subnet assigned to each VLAN. So if you have VLAN 10 on both access switches, and you have two hosts, one on each access switch with IP addresses 192.168.10.10/24 and 192.168.10.11/24, then these hosts must communicate with each other on Layer 2. In other words, those two devices must be on the same broadcast domain. If you have configured Layer 3 connectivity between the access switches and the distribution switch, then you are splitting up that broadcast domain, and you are requiring routing to take place between them. But they’re on the same subnet! So you see, from a design standpoint, this won’t work.
The VLAN assignments, IP address subnets, and the access and distribution network design must line up so that layer 2 connectivity is available between all devices that exist on the same subnet/VLAN/network segment. Does that make sense?
I hope this has been helpful!
Laz
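As an added configuration example (not part of the thread, and not Laz's or Marcel's own configuration), this shows scenario 1) from the question above together with the FHRP point from Laz's earlier list: VLAN 10 spans two access switches, the two distribution switches are joined by a Layer 2 trunk, and HSRP on the VLAN 10 SVIs gives the hosts one shared default gateway. Hostnames, interface names, VLAN ID and addresses are assumptions.

```text
! ===== Dist-1 (hypothetical hostname): STP root and HSRP active for VLAN 10 =====
hostname Dist-1
spanning-tree mode rapid-pvst
spanning-tree vlan 10 root primary
!
vlan 10
 name USERS
!
interface TenGigabitEthernet1/1
 description Layer 2 trunk to Dist-2 (VLAN 10 and HSRP hellos cross here)
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10
 switchport mode trunk
!
interface TenGigabitEthernet1/2
 description trunk to Access-1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10
 switchport mode trunk
!
interface TenGigabitEthernet1/3
 description trunk to Access-2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10
 switchport mode trunk
!
interface Vlan10
 description VLAN 10 gateway, shared virtual IP 192.168.10.1
 ip address 192.168.10.2 255.255.255.0
 standby version 2
 standby 10 ip 192.168.10.1
 standby 10 priority 110
 standby 10 preempt
!
! ===== Dist-2: STP secondary root and HSRP standby for VLAN 10 =====
hostname Dist-2
spanning-tree mode rapid-pvst
spanning-tree vlan 10 root secondary
!
vlan 10
 name USERS
!
interface TenGigabitEthernet1/1
 description Layer 2 trunk to Dist-1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10
 switchport mode trunk
!
interface TenGigabitEthernet1/2
 description trunk to Access-1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10
 switchport mode trunk
!
interface TenGigabitEthernet1/3
 description trunk to Access-2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10
 switchport mode trunk
!
interface Vlan10
 description VLAN 10 gateway, shared virtual IP 192.168.10.1
 ip address 192.168.10.3 255.255.255.0
 standby version 2
 standby 10 ip 192.168.10.1
 standby 10 priority 100
 standby 10 preempt
```

With this in place a host on Access-1 (say 192.168.10.10/24) and a host on Access-2 (say 192.168.10.11/24) share one broadcast domain and one gateway address, 192.168.10.1. `show standby brief` on both distribution switches should show Dist-1 as Active and Dist-2 as Standby for group 10, and `show spanning-tree vlan 10` should show Dist-1 as root so that the STP forwarding path and the HSRP active gateway line up. If the Dist-1 to Dist-2 link were routed instead, there would be no Layer 2 path for VLAN 10 between the distribution switches, so HSRP hellos and frames between the two access switches would have to cross a routed hop even though the hosts are on the same subnet, which is exactly the split broadcast domain described above.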