Eliminate SPOF using HSRP and ASA Failover

[espo5166]

Hello all - new member here!

Was hoping for some advice -

I am attempting to eliminate the 2950 switch as our SPOF in out internet setup. PLease see the attached image.

Any ideas?

 

[espo5166]

Added note:

HSRP running on the internet interface of the 2600

ASA's in a failover setup,

Thanks,

JIM

 

[espo5166]

BUMP

Please any one with some ideas???

 

[jneiberger]

You might want to add another switch configured identically and then add fault-tolerant transceivers so that the firewalls and routers have connections to both switches. If one switch goes down, the fault-tolerant transceivers immediately switch to the alternate connection. It takes a bit of planning, but something like that might be what you're after.

 

[espo5166]

install "fault-tolerant tramsceivers" in which device?

 

[jneiberger]

They're not something you install into something else. They are standalone devices that allow you to connect one device, often a server, to two network devices for fault tolerance. If the transceiver detects that one of the upstream network devices has failed, it immediately fails over to the other link.

Here's an example:

http://www.milan.com/TransitionNetworks/Products2/Family.aspx?Name=MIL-FT240TX

 

[zinkann]

seems like you could just make a loop and run stp, the cheap and easy way. if i the active link fails, stp unblocks the other port.

CCNA, Network+

 

[zinkann]

that transceiver is just another point of failure

CCNA, Network+

 

[jneiberger]

The benefit of the transceiver is that it is far less complicated and less prone to failure than the switch. You would then be able to connect the firewalls and routers to two different switches simultaneously. If one of the switches dies, all of those links fail over to the other switch in microseconds.

I've seen this design in some very important high-availability networks and then later used it myself when I needed to accomplish the same thing. It works very well if designed properly.

And believe me, the MTBF for those transceivers is *much* greater than for the switches.

 

[espo5166]

Hey Basshead - can you elaborate on your suggestion?

 

[jneiberger]

Espo5166,

Your problem is that you need to be able to eliminate the switch as a single point of failure, yet you still must have a switch in that spot in that topology. That means you pretty much *have* to use fault-tolerant transceivers in order to connect the other devices to two switches at the same time. It's pretty simple, it's rock solid, and it's extremely fast. We're talking microseconds.

I had the exact problem you're facing once and the design was almost identical to yours. There aren't too many ways to solve that particular problem. I've used this type of design on a connection that was responsible for handling millions of dollars worth of financial data. You don't want a low- to mid-range switch to be your single point of failure for an important application.

 

[brianinms]

Replace the routers, switch and firewalls, with a 6506 with dual sups, dual fwsm , and a services module.

 

[jneiberger]

That's a great idea if you've got the budget, but that is a *very* expensive option. I was assuming that they didn't have the budget for a forklift upgrade and complete overhaul of their design.

You also run the risk of a chassis failure. Not a common occurrence, but I've had it happen a couple of times in the past. That was mostly with the 7500 series routers, though, not the 6500 series stuff. I've worked with several 6500 series switches and never had a chassis failure yet.

 

[brianinms]

I agree it is very costly. When you look at designing a solution you definitely have to consider the budget.