
Let me preface this question by saying that I am a developer and have basic knowledge of networking. My current job requires that I wear many hats.

I am building out a DataCenter for our SaaS Application and have purchased all the hardware on ebay.

2x Juniper SSG-5
2x Dell PowerConnect 5324
3x ESX hosts

I want to be fully redundant at the hardware level. I am going to do Active/Passive on the Junipers. I understand how to set up NSRP on the firewalls. My question is, how do I connect the switches to the firewalls so that it is redundant and there is no looping?

My assumption is that each firewall will connect to both switches. Is it that simple? From there I will do NIC teaming on the ESX host, one link to each switch.

Do the switches need to be connected together? For this basic config, will I need to do any of the management on the switches?

Thanks for the help!

Chris Kooken
  • Teaming, yes. Switches connected to each other, yes. Loops, use STP to eliminate. Management, good idea. – Chris S Aug 17 '11 at 13:56

2 Answers


You are definitely on the right track.

Here are a couple of things I've written about redundancy to augment what I write in this post:

Redundancy Overview: http://sysadvent.blogspot.com/2009/12/day-13-redundancy.html

Appropriate redundancy: http://www.standalone-sysadmin.com/blog/2008/06/appropriate-redundancy/

Alright, those out of the way, building redundancy is about controlling failure modes. You have two switches, you have two routers. Clearly you want to be prepared for the failure of a switch or a router. Maybe a switch AND a router.

What I did in this case was use interface bonding to connect each server to both switches:

There are several ways to do that, depending on your servers' operating systems, but the point is that each switch can talk to each server without the other switch being there.

As Chris S mentioned in the comment, using Spanning Tree Protocol (STP) is a good idea. This is because each of the routers will be hooked to each of the switches, for full redundancy, and you don't want broadcast storms resulting from the loop that would happen.

Here's how I'd wire your network:

Basically, each server goes to each switch and both routers talk to both switches. Notice that there are connections between the routers and also between the switches (in green). For the router, this is the separate interface that you want your NSRP traffic to travel over (don't send it over the link to the switches).

For the switches, the green link is an LACP trunk consisting of however many links you need to get the aggregate performance you want.

This should provide full redundancy in the event of the failure of any part of the system.

Matt Simmons
    Wow, that's quite a response! Thanks! That's perfect. The only thing I don't understand is "For the switches, the green link is an LACP trunk consisting of however many links you need to get the aggregate performance you want." Can you explain this a bit more? – Chris Kooken Aug 17 '11 at 14:34
  • Well, you want traffic from one switch to be able to get to the other one, if it needs to (for instance, if one of the servers loses a NIC, it'll only be connected via one switch, so there are conditions wherein vmHost1 prefers the Red Switch but vmHost2 lost the NIC attached to the red switch, so it can only communicate via the Blue Switch). In that situation, you'll need an inter-switch link. LACP is Link Aggregation that allows you to trunk multiple Ethernet lines together to act as one logical line. This gives you greater aggregated bandwidth than any one link can provide. – Matt Simmons Aug 17 '11 at 14:52
  • Here's more information on LACP: http://en.wikipedia.org/wiki/Link_aggregation – Matt Simmons Aug 17 '11 at 14:53
  • Thanks a lot. I Really appreciate you taking the time for a thorough response. – Chris Kooken Aug 17 '11 at 14:57
  • No problem. I had the advantage of already needing to come up with that particular solution (with nearly identical hardware), so it was a relatively conversion. If you need help with the Junipers, drop me a line - standalone.sysadmin@gmail.com – Matt Simmons Aug 17 '11 at 15:00
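As an added example (not from Matt's answer or anything on the original page), here is a small Python model of the wiring he describes: hosts and firewalls are leaves that never bridge between their own NICs, so only the two switches relay frames. It checks that every host still reaches the active firewall after any single device or link failure, and reproduces the comment's scenario of two hosts pinned to different switches, which only works when the inter-switch link is present. The device names (fw1, fw2, red, blue, esx1..esx3) are my own labels.

```python
from itertools import combinations

SWITCHES = {"red", "blue"}  # the two PowerConnects; everything else is a leaf

def build_topology(with_isl=True):
    """Constructed link list for the answer's design: each firewall cabled to
    both switches, each ESX host bonded to both switches, and optionally the
    green inter-switch link (the LACP trunk counted as one logical link)."""
    links = [("fw1", "red"), ("fw1", "blue"), ("fw2", "red"), ("fw2", "blue")]
    for host in ("esx1", "esx2", "esx3"):
        links += [(host, "red"), (host, "blue")]
    if with_isl:
        links.append(("red", "blue"))
    return links

def reachable(links, src, dst, failed_nodes=(), failed_links=()):
    """Layer-2 reachability over the surviving links. Only switches forward
    frames; a host or firewall never bridges between its own two NICs."""
    down = {frozenset(l) for l in failed_links}
    adj = {}
    for a, b in links:
        if a in failed_nodes or b in failed_nodes or frozenset((a, b)) in down:
            continue
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, frontier = {src}, [src]
    while frontier:
        node = frontier.pop()
        if node != src and node not in SWITCHES:
            continue  # leaf reached, but it does not relay traffic further
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                frontier.append(nxt)
    return dst in seen

def single_failure_cuts(links, hosts=("esx1", "esx2", "esx3"), gateway="fw1"):
    """List (host, failure) pairs where one failed device or link leaves a host
    unable to reach the active firewall; fw1 failing hands over to fw2 (NSRP)."""
    cuts = []
    devices = {n for l in links for n in l} - set(hosts)
    for dev in devices:
        gw = "fw2" if dev == gateway else gateway
        cuts += [(h, f"device {dev}") for h in hosts
                 if not reachable(links, h, gw, failed_nodes=(dev,))]
    for link in links:
        cuts += [(h, f"link {link}") for h in hosts
                 if not reachable(links, h, gateway, failed_links=(link,))]
    return cuts

def hosts_can_talk(links, active_nic):
    """active_nic maps each host to the switch its active/passive bond is
    currently using; returns whether every such pair of hosts can still talk."""
    pinned = [l for l in links if l[0] not in active_nic or l[1] == active_nic[l[0]]]
    return all(reachable(pinned, a, b) for a, b in combinations(active_nic, 2))
```

Run `hosts_can_talk(build_topology(False), {"esx1": "red", "esx2": "blue"})` to see the comment's failure case: without the green link the two hosts have no Layer-2 path to each other, even though each can still reach a firewall.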

If you have a basic knowledge of networking, and there's nobody who can really maintain the devices, simpler is better. Most switches by default will run spanning tree and automatically make sure there are no loops. So, you could just connect Juniper A to switch 1 and switch 2, Juniper B to switch 1 and switch 2, and then hook each ESX to either switch as well. Or, you don't need to connect the Junipers to both switches, and it would be redundant as well. This will 'just work' on the switches, because remember, all they see is MAC addresses, not IP addresses. Managing the switches will allow more functionality and troubleshooting, but that is another thing you will need to keep track of, manage configuration for, etc.

Aaron