Designing fully redundant secure DMZ question

By paul.duffany
Hi,
I am tasked with designing an active/standby ASA environment.
For the security appliances and the Dirty DMZ configuration I have what I believe to be a good design; however, for the secure DMZ I have challenges.

For instance, in a single DMZ connected to the active/standby appliances, how can I make that DMZ redundant? Cisco docs show two switches that are trunked together and connected to their respective firewalls; the servers are dual-homed with a connection to each DMZ switch.
However, if the switch connected to the active firewall fails, I see no way for the servers in the DMZ to remain in service.

What is the solution for a fully redundant DMZ?

This conversation is currently closed to new comments.

9 total posts (Page 1 of 1)  

All Answers


I could be wrong but

by robo_dev In reply to Designing fully redundant ...

If the primary router/firewall loses its internal interface (for example, if the switch failed), then it should fail over to the secondary router/firewall, which should have a valid internal interface route/connection. Failover should be triggered by failure of either the external or internal interfaces.

http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a008009487d.shtml


It's been a LOOONG while since I was involved in something like this, but

by Deadly Ernest In reply to Designing fully redundant ...

when I did it, it required four routers/switches, two in parallel at each end of the DMZ, with a unit monitoring each end and ready to switch between them if something went wrong, and everything was duplicated within the zone but on two separate comms lines, one from each of the front-end routers/switches to the back-end routers/switches. The monitoring units checked that both sides were regularly updated as well. They probably do it all differently nowadays, with special devices that do half of it for you. But I'm sure the basics are the same: design a DMZ and duplicate it. I have seen some where they only had one router/switch at each end.


Thank you for the assist

by paul.duffany In reply to Designing fully redundant ...

I will lab the environment and let you know if the failure of the DMZ switch connected to the primary switch invokes failover to the standby unit.

Thanks again,
Paul


RIPv2/EIGRP/OSPF and multiple routes

by CG IT In reply to Designing fully redundant ...

If an interface goes down, then the router will update its routing table and notify all neighbor routers of the failed interface. As long as there is another route to the same destination, all routers will use the new route. Thus you have redundancy. [mesh topology] STP on switches ensures there are no loops in the network, so when the interface goes down, the switches are also aware and the redundant link that STP blocked becomes unblocked. Note: convergence is going to make down time a tad long for users but ....


I have labbed the environment

by paul.duffany In reply to Designing fully redundant ...

I found that the PIX does "watch" the DMZ interfaces and failover correctly when a DMZ switch goes down, providing thorough failover for this environment.

Thank you for your assistance,
Paul


Response To Answer

by chichoo85 In reply to Answer below:

Hello Paul,

I also want to carry out the same setup as what you have done. I will appreciate it if you can put me through in achieving redundancy for the two DMZ switches: two ASA firewalls, the primary connected to one DMZ switch and the standby to the other switch, and both switches have trunk links. Please assist. The goal is to achieve seamless failover should any of the firewalls go down. Thank you


ASA DMZ failover

by -gargravarr- In reply to Designing fully redundant ...

What about a pair of stacked 3750s (other stackable switches are available), with the same interface on each ASA going into the alternate switch?
Failover clustering must be enabled on the ASA; "sh ver" shows:
    Failover : Active/Active perpetual
Both ASAs need to be running the same version of code.
VLAN for outside (untagged, no IP address)
VLAN for inside (untagged, no IP address)
VLAN for DMZ (untagged, no IP address)
VLAN for management
You can specify which interfaces are "monitored" for failover with
"no monitor-interface <interface name>"; in the example, "Unused":
    This host: primary - Active
    Interface DMZ : Normal (Monitored)
    Interface Unused: No Link (Not Monitored)
    Interface management : Normal (Monitored)
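An added example, not from this thread or from Cisco's documentation, of the active/standby configuration the posts above are describing: an ASA pair with a failover link, a standby address on every data interface, and the DMZ interface explicitly monitored, so that losing the DMZ switch on the active unit causes the standby unit to take over. Interface names, the FOLINK name, addresses and timers are assumed placeholders.

```cisco
! Added example (not from the thread). Names and addresses are placeholders.
!
! LAN failover link (hellos and config sync); the stateful link shares it.
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
!
! Hello interval/holdtime on monitored interfaces (seconds), and how many
! monitored interfaces must fail before the unit declares itself failed.
failover polltime interface 1 holdtime 5
failover interface-policy 1
!
! Every data interface carries an active and a standby address. On failover
! the standby unit takes over the active address and MAC, so DMZ servers keep
! the same default gateway and need no change.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0 standby 10.10.0.2
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 192.168.50.1 255.255.255.0 standby 192.168.50.2
!
interface GigabitEthernet0/4
 nameif Unused
 security-level 0
 no ip address
 shutdown
!
! Interface health monitoring: an interface with no link, or whose hello
! tests fail, is reported as Failed and counts toward interface-policy.
! The DMZ interface must be monitored, or the loss of its switch never
! triggers failover; the deliberately-down port is excluded so it does not
! count as a failure.
monitor-interface outside
monitor-interface inside
monitor-interface DMZ
no monitor-interface Unused
!
! Enable failover last, after the links and addresses are in place.
failover
```

After both units sync, "show failover" should list each data interface as Normal (Monitored), matching the output quoted in the post above; pulling the DMZ switch uplink on the active unit should then show that interface as Failed and the standby unit becoming Active.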
