Question

  • #2138303

    Designing fully redundant secure DMZ question

    by paul.duffany ·

    Hi,
    I am tasked with designing an active/standby ASA environment.
    For the security appliances and the Dirty DMZ configuration I have what I believe to be a good design, however, for the secure DMZ I have challenges.

    For instance, in a single DMZ connected to the active/standby appliances, how can I make that DMZ redundant. Cisco docs show two switches that are trunked together and connected to their respective firewalls, the servers are dual homed with a connection to each DMZ switch.
    However, if the switch connected to the active firewall fails, I see no way for the Servers in the DMZ to remain in service.

    What is the solution for a fully redundant DMZ?

All Answers

  • Replies
    • #2436203

      Clarifications

      by paul.duffany ·

      In reply to Designing fully redundant secure DMZ question

      Clarifications

    • #2436154

      I could be wrong but

      by robo_dev ·

      In reply to Designing fully redundant secure DMZ question

      If the primary router/firewall loses its internal interface (like if the switch failed), then it should fail over to the secondary router/firewall, which should have a valid internal interface route/connection. Failover should be triggered by failure of either the external or internal interfaces.

      http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a008009487d.shtml

    • #2436153

      It’s been a LOOONG while since I was involved in something like this, but

      by deadly ernest ·

      In reply to Designing fully redundant secure DMZ question

      when I did it, it required four routers / switches, two in parallel at each end of the DMZ with a unit monitoring each end and ready to switch between them if something went wrong, and everything was duplicated within the zone but on two separate comms lines – one from each of the front end router / switches to the back end router / switches. The monitoring units checked that both sides were regularly updated as well. They probably do it all differently nowadays with special devices that do half of it for you. But I’m sure the basics are the same: design a DMZ and duplicate it. I have seen some where they only had one router / switch at each end.

    • #2436135

      Thank you for the assist

      by paul.duffany ·

      In reply to Designing fully redundant secure DMZ question

      I will lab the environment and let you know if the failure of the dmz switch connected to the primary switch invokes failover to the standby unit.

      Thanks again,
      Paul

    • #2437465

      RIPv2/EIGRP/OSPF and multiple routes

      by cg it ·

      In reply to Designing fully redundant secure DMZ question

      If an interface goes down, then the router[s] will update their routing tables and then notify all neighbor routers of the failed interface. As long as there is another route to the same destination, all routers will use the new route. Thus you have redundancy. [mesh topology] STP on switches ensures there’s no loops in the network, so when the interface goes down, the switches are also aware and the redundant link that STP blocked becomes unblocked. Note: convergence is going to make down time a tad long for users but ….

    • #2436727

      I have labbed the environment

      by paul.duffany ·

      In reply to Designing fully redundant secure DMZ question

      I found that the PIX does “watch” the DMZ interfaces and failover correctly when a DMZ switch goes down, providing thorough failover for this environment.

      Thank you for your assistance,
      Paul

    • #2436726

      Answer below:

      by paul.duffany ·

      In reply to Designing fully redundant secure DMZ question

      I found that the PIX does “watch” the DMZ interfaces and failover correctly when a DMZ switch goes down, providing thorough failover for this environment.

      Thank you for your assistance,
      Paul

      • #2427779

        Response To Answer

        by chichoo85 ·

        In reply to Answer below:

        Hello Paul,

        I also want to carry out the same setup as what you have done. I will appreciate it if you can put me through achieving redundancy for the two DMZ switches: two ASA firewalls, the primary connected to one DMZ switch and the standby to the other switch, both switches having trunk links. Please assist. The goal is to achieve seamless failover should any of the firewalls go down. Thank you

    • #2427777

      AS DMZ failover

      by -gargravarr- ·

      In reply to Designing fully redundant secure DMZ question

      What about a pair of stacked 3750s (other stackable switches are available), same interface on each ASA interface into the alternative switch.
      Failover clustering must be enabled on the ASA. “sh ver”
      Failover : Active/Active perpetual
      Both ASAs need to be running the same version of code.
      vlan for outside (untagged no ip address)
      vlan for inside (untagged no ip address)
      vlan for DMZ (untagged no ip address)
      vlan for management
      you can specify which interfaces are “monitored” for failover with
      “no monitor-interface” interface name, in the example “Unused”
      This host: primary – Active
      Interface DMZ : Normal (Monitored)
      Interface Unused: No Link (Not Monitored)
      Interface management : Normal (Monitored)
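The “show failover” excerpt above is what tells you whether a DMZ switch failure will actually trigger failover: an interface listed as (Not Monitored) is invisible to the failover hello/poll logic. The following script is an added example (not from the post or from Cisco) that parses that output and flags any required interface that is missing or not monitored on either unit; the sample output is constructed, with RFC 5737 documentation addresses, and the interface names follow the post.

```python
import re

# Constructed sample modelled on ASA "show failover" output; the interface
# names (DMZ, Unused, management) are taken from the post above.
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/3 (up)
        This host: Primary - Active
                Interface outside (203.0.113.2): Normal (Monitored)
                Interface inside (192.0.2.1): Normal (Monitored)
                Interface DMZ (198.51.100.1): Normal (Monitored)
                Interface Unused (0.0.0.0): No Link (Not Monitored)
                Interface management (10.0.0.1): Normal (Monitored)
        Other host: Secondary - Standby Ready
                Interface outside (203.0.113.3): Normal (Monitored)
                Interface inside (192.0.2.2): Normal (Monitored)
                Interface DMZ (198.51.100.2): Normal (Monitored)
                Interface Unused (0.0.0.0): No Link (Not Monitored)
                Interface management (10.0.0.2): Normal (Monitored)
"""

# Matches both "Interface DMZ : Normal (Monitored)" (as quoted in the post)
# and the "Interface DMZ (198.51.100.1): Normal (Monitored)" form.
IFACE_RE = re.compile(
    r"^\s*Interface (\S+)(?: \([^)]*\))?\s*:\s*(.+?)\s*\((Monitored|Not Monitored)\)\s*$")
HOST_RE = re.compile(r"^\s*(This|Other) host:\s*(\S+)\s*-\s*(.+?)\s*$")

def parse_show_failover(text):
    """Return {'This'|'Other': {'unit', 'state', 'interfaces': {name: (status, monitored)}}}."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {"unit": m.group(2), "state": m.group(3), "interfaces": {}}
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            hosts[current]["interfaces"][m.group(1)] = (m.group(2), m.group(3) == "Monitored")
    return hosts

def unmonitored_required(hosts, required):
    """Names from `required` that are absent or not monitored on any unit:
    a failure on such an interface (e.g. its DMZ switch) will not cause failover."""
    gaps = set()
    for host in hosts.values():
        for name in required:
            entry = host["interfaces"].get(name)
            if entry is None or not entry[1]:
                gaps.add(name)
    return sorted(gaps)
```

Run it against real output and require that the DMZ interface never appears in the returned gap list; also check that the other unit reports "Standby Ready", since an active unit with no ready peer has nothing to fail over to.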
