Wired

last person joined: an hour ago 

Bring performance and reliability to your network with the Aruba Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of the ArubaOS-Switch and ArubaOS-CX devices, and find ways to improve security across your network to bring together a mobile first solution.
Expand all | Collapse all

Proposed Network Setup

  • 1.  Proposed Network Setup

    Posted Dec 28, 2020 11:51 PM
      |   view attached

    Core Switches - 2930F 24G 4 SFP+

    Data Switches - 2540 48G POE+ 4 SFP+

    Firewall - Cisco ASA 5506

    The above diagram is being proposed for redundancy/failover configuration but we are a very small shop with limited knowledge. If anyone can help I would greatly appreciate it.

    Objectives:

    1) Core Switch High Availability

    2) Data Switch High Availability

    Current Lab Setup:

    Core switches are setup in a VSF configuration with 2 DAC cables between the two (Front Module)

    Only 1 ethernet connection to the Cisco ASA 5506 firewall. 

    Each core switch has a DAC connected to the data switches (Primary - Switch 1, Standby - Switch 2)

    Configuration Goals:

    1) Connect the standby to the firewall so if the primary fails we do not lose internet

    2) Is there a way to stack the data switches for 1 Management interface? If not, Do I setup data switch 2 the same way data switch 1 is for the core switch 1? 

    Any suggestions or guidance would greatly be appreciated. 



    ------------------------------
    Anthony Berger
    ------------------------------

    Attachment(s)

    vsdx
    NetworkDiagram.vsdx   40 KB 1 version


  • 2.  RE: Proposed Network Setup

    Posted Dec 29, 2020 05:24 AM

    Hi Anthony,

    The 2540 switches can't be managed as one. I would recommend to remove the two DAC cables between the dataswitches switch1 and switch2 (don't create a spanning-tree loop). For redunancy connect each dataswitch with two DAC cables to both coreswitches VSF-1 and VSF-2 and configure it as link-aggregation (LACP).

    On the coreswitches plan to configure two interfaces (for example 1/24 and 2/24) for the uplink to your firewall. If one of the VSF switches fail you can place the uplink to the firewall on the same position of the second switch. If your firewall support LACP, you can connect your firewall to the VSF-Stack.

    If concepts like VSF stacking and LACP is new to you, i would advise to team with your local Aruba partner for a quick and successfull installation on the first attemp.
    ------------------------------
    Marcel Koedijk | MVP Expert 2020 | ACMP | ACCP | Ekahau ECSE
    ------------------------------



  • 3.  RE: Proposed Network Setup

    Posted Dec 29, 2020 06:19 AM

    Hi! I second Marcel's suggestions.

    If your idea is to create some sort of redundancy or to enhance resiliency in case of Switches or Connections faults...then the first thing to do is to empower links aggregations usage (with LACP) and this can be done Firewall side and access switch side.

    Considering you're dealing with VSF then, as suggested, from it a Links Aggregation (what is called "trunk" in HP ProVision/ArubaOS-Switch OS jargons) could be configured to start from the VSF Commander and Standby and to terminate into the Cisco ASA 5506 (thus Cisco will be concurrently connected to the VSF logical entity).

    The same can be done from the VSF Commander and Standby to, respectively, Switch 1 and Switch 2 (as suggested do remove Switch 1-2 connectivity as first step to avoid creating a loop).

    Doing things that way you will have resiliency against uplink and downlink connectivity (where the uplink/downlink are seen from the VSF standpoint)...and if a VSF member will fails traffic will continue to flow from Switch 1/2 to Firewall without disruption.

    Consider to implement also a MAD mechanism in order to better manage (and avoid) effects of VSF Split Brain scenarios.

    Clearly hosts connected to Switch 1 (or Switch 2) - two or more Aruba 2540 can not be "stacked" to form a virtual switch - will suffer disruption IF Switch 1 (and/or Switch 2) will fail...the only way to overcome this issue is to dual home your hosts (via LACP Links Aggregations) to both VSF members directly...but this is generally not a possible approach (limitations: number of ports on VSF, client hosts without a NIC with at least two ports, not enough cabling, etc.)...generally it can be applied to Server hosts easily...not to client hosts.



    ------------------------------
    Davide Poletto
    ------------------------------



  • 4.  RE: Proposed Network Setup

    Posted Jan 03, 2021 10:55 PM
    Thank you gentlemen for the guidance. I will look into setting them up per your advice. I know this isn't going to be 100% redundant but if it can be close to it, that works for me.

    I will remove the 2 DACs between the 2540s. Sadly I only have 2 3M DACs with Commander to SW1, Standby to SW2. Either way it is a better option than nothing. Once again, thank you both very much and Happy New Year's!

    ------------------------------
    Anthony Berger
    ------------------------------