Wired Intelligent Edge

Core Switches - 2930F 24G 4 SFP+

Data Switches - 2540 48G POE+ 4 SFP+

Firewall - Cisco ASA 5506

The above diagram is being proposed for redundancy/failover configuration but we are a very small shop with limited knowledge. If anyone can help I would greatly appreciate it.

Objectives:

1) Core Switch High Availability

2) Data Switch High Availability

Current Lab Setup:

Core switches are setup in a VSF configuration with 2 DAC cables between the two (Front Module)

Only 1 ethernet connection to the Cisco ASA 5506 firewall. 

Each core switch has a DAC connected to the data switches (Primary - Switch 1, Standby - Switch 2)

Configuration Goals:

1) Connect the standby to the firewall so if the primary fails we do not lose internet

2) Is there a way to stack the data switches for 1 Management interface? If not, Do I setup data switch 2 the same way data switch 1 is for the core switch 1? 

Any suggestions or guidance would greatly be appreciated. 

------------------------------
Anthony Berger
------------------------------

Hi Anthony,

The 2540 switches can't be managed as one. I would recommend to remove the two DAC cables between the dataswitches switch1 and switch2 (don't create a spanning-tree loop). For redunancy connect each dataswitch with two DAC cables to both coreswitches VSF-1 and VSF-2 and configure it as link-aggregation (LACP).

On the coreswitches plan to configure two interfaces (for example 1/24 and 2/24) for the uplink to your firewall. If one of the VSF switches fail you can place the uplink to the firewall on the same position of the second switch. If your firewall support LACP, you can connect your firewall to the VSF-Stack.

If concepts like VSF stacking and LACP is new to you, i would advise to team with your local Aruba partner for a quick and successfull installation on the first attemp.
------------------------------
Marcel Koedijk | MVP Expert 2020 | ACMP | ACCP | Ekahau ECSE
------------------------------

Original Message:
Sent: Dec 28, 2020 11:51 PM
From: Anthony Berger
Subject: Proposed Network Setup

Core Switches - 2930F 24G 4 SFP+

Data Switches - 2540 48G POE+ 4 SFP+

Firewall - Cisco ASA 5506

The above diagram is being proposed for redundancy/failover configuration but we are a very small shop with limited knowledge. If anyone can help I would greatly appreciate it.

Objectives:

1) Core Switch High Availability

2) Data Switch High Availability

Current Lab Setup:

Core switches are setup in a VSF configuration with 2 DAC cables between the two (Front Module)

Only 1 ethernet connection to the Cisco ASA 5506 firewall. 

Each core switch has a DAC connected to the data switches (Primary - Switch 1, Standby - Switch 2)

Configuration Goals:

1) Connect the standby to the firewall so if the primary fails we do not lose internet

2) Is there a way to stack the data switches for 1 Management interface? If not, Do I setup data switch 2 the same way data switch 1 is for the core switch 1? 

Any suggestions or guidance would greatly be appreciated. 

------------------------------
Anthony Berger
------------------------------

Hi! I second Marcel's suggestions.

If your idea is to create some sort of redundancy or to enhance resiliency in case of Switches or Connections faults...then the first thing to do is to empower links aggregations usage (with LACP) and this can be done Firewall side and access switch side.

Considering you're dealing with VSF then, as suggested, from it a Links Aggregation (what is called "trunk" in HP ProVision/ArubaOS-Switch OS jargons) could be configured to start from the VSF Commander and Standby and to terminate into the Cisco ASA 5506 (thus Cisco will be concurrently connected to the VSF logical entity).

The same can be done from the VSF Commander and Standby to, respectively, Switch 1 and Switch 2 (as suggested do remove Switch 1-2 connectivity as first step to avoid creating a loop).

Doing things that way you will have resiliency against uplink and downlink connectivity (where the uplink/downlink are seen from the VSF standpoint)...and if a VSF member will fails traffic will continue to flow from Switch 1/2 to Firewall without disruption.

Consider to implement also a MAD mechanism in order to better manage (and avoid) effects of VSF Split Brain scenarios.

Clearly hosts connected to Switch 1 (or Switch 2) - two or more Aruba 2540 can not be "stacked" to form a virtual switch - will suffer disruption IF Switch 1 (and/or Switch 2) will fail...the only way to overcome this issue is to dual home your hosts (via LACP Links Aggregations) to both VSF members directly...but this is generally not a possible approach (limitations: number of ports on VSF, client hosts without a NIC with at least two ports, not enough cabling, etc.)...generally it can be applied to Server hosts easily...not to client hosts.

------------------------------
Davide Poletto
------------------------------

Original Message:
Sent: Dec 28, 2020 11:51 PM
From: Anthony Berger
Subject: Proposed Network Setup

Core Switches - 2930F 24G 4 SFP+

Data Switches - 2540 48G POE+ 4 SFP+

Firewall - Cisco ASA 5506

The above diagram is being proposed for redundancy/failover configuration but we are a very small shop with limited knowledge. If anyone can help I would greatly appreciate it.

Objectives:

1) Core Switch High Availability

2) Data Switch High Availability

Current Lab Setup:

Core switches are setup in a VSF configuration with 2 DAC cables between the two (Front Module)

Only 1 ethernet connection to the Cisco ASA 5506 firewall. 

Each core switch has a DAC connected to the data switches (Primary - Switch 1, Standby - Switch 2)

Configuration Goals:

1) Connect the standby to the firewall so if the primary fails we do not lose internet

2) Is there a way to stack the data switches for 1 Management interface? If not, Do I setup data switch 2 the same way data switch 1 is for the core switch 1? 

Any suggestions or guidance would greatly be appreciated. 

------------------------------
Anthony Berger
------------------------------

Thank you gentlemen for the guidance. I will look into setting them up per your advice. I know this isn't going to be 100% redundant but if it can be close to it, that works for me.

I will remove the 2 DACs between the 2540s. Sadly I only have 2 3M DACs with Commander to SW1, Standby to SW2. Either way it is a better option than nothing. Once again, thank you both very much and Happy New Year's!

------------------------------
Anthony Berger
------------------------------

Original Message:
Sent: Dec 28, 2020 11:51 PM
From: Anthony Berger
Subject: Proposed Network Setup

Core Switches - 2930F 24G 4 SFP+

Data Switches - 2540 48G POE+ 4 SFP+

Firewall - Cisco ASA 5506

The above diagram is being proposed for redundancy/failover configuration but we are a very small shop with limited knowledge. If anyone can help I would greatly appreciate it.

Objectives:

1) Core Switch High Availability

2) Data Switch High Availability

Current Lab Setup:

Core switches are setup in a VSF configuration with 2 DAC cables between the two (Front Module)

Only 1 ethernet connection to the Cisco ASA 5506 firewall. 

Each core switch has a DAC connected to the data switches (Primary - Switch 1, Standby - Switch 2)

Configuration Goals:

1) Connect the standby to the firewall so if the primary fails we do not lose internet

2) Is there a way to stack the data switches for 1 Management interface? If not, Do I setup data switch 2 the same way data switch 1 is for the core switch 1? 

Any suggestions or guidance would greatly be appreciated. 

------------------------------
Anthony Berger
------------------------------