Saturday, October 15, 2016

Implementing VRRP on DMZ SWITCHES

Hi All,


Recently my employer asked me to configure a DMZ on the firewall to be used for any server that will have direct internet access, so I implemented the DMZ and we started shifting any server that we think might get attacked into the DMZ, for example DNS, NTP and others.

OK, after the DMZ setup was finished, we started to think about the redundancy of the DMZ switches, which by the way are not Cisco; we use HP in most of our network.


Anyhow, I started to check what options we had available to provide HA:

1. Stacking
2. HP IRF
3. Redundancy protocols [VRRP]

Stacking didn't work even though the feature exists on the switch, and after a thorough check I found out that many people on the HP community were suffering from the same issue: they couldn't get it to work.

Anyway, moving on to IRF, which is a good protocol but requires 10G ports to work, and the maximum speed I had was 1Gbps.

So I was left with only VRRP to try. I configured it and it was great, and I added tracking for the interface facing the firewall: if the firewall's interface goes down, the firewall will switch to its standby, but the other parts of the DMZ would still see the switch as their gateway, so the tracking makes the switch change to standby if the interface facing the firewall is down.


Check the figure below; sorry if you find it not detailed or organized, but that's what I have right now:



The configurations used are shown below:
[DMZ-SECONDARY]
interface Vlan-interface500
 ip address 172.16.16.249 255.255.255.0
 vrrp vrid 1 virtual-ip 172.16.16.254
 vrrp vrid 1 priority 120
 undo vrrp vrid 1 preempt-mode
 vrrp vrid 1 track 1 reduced 50

[MAIN-DMZ]
interface Vlan-interface500
 ip address 172.16.16.250 255.255.255.0
 vrrp vrid 1 virtual-ip 172.16.16.254
 vrrp vrid 1 priority 150
 undo vrrp vrid 1 preempt-mode
 vrrp vrid 1 track 1 reduced 50

And the tracking status is shown below:
[MAIN-DMZ]dis track all 
Track ID: 1
  Status: Positive
  Duration: 34 days 16 hours 4 minutes 32 seconds
  Notification delay: Positive 0, Negative 0 (in seconds)
  Reference object:
    Track interface  :
    Interface status : Inserted
    Interface        : GigabitEthernet1/0/1
    Protocol         : None

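To see what these two stanzas actually do when GigabitEthernet1/0/1 goes down, here is a small election simulator I am adding to the post (it is not code from the original post, and not HP's code). It parses the MAIN-DMZ and DMZ-SECONDARY configs above, applies the RFC 3768 election rules (priority, preempt mode, and the Master_Down_Timer that detects a silent master), and runs the pair through a few failure scenarios. The one assumption worth stating is that the switches' tracking behaves exactly as the RFC rules describe; a vendor's track implementation may add behaviour on top of that, so the results below are what to compare against the switch manual and a real failover test.

```python
"""VRRP election for the two DMZ switches above, per RFC 3768 rules.
Added example, not code from the post: it parses the two Comware stanzas shown
on the page and works out who answers for 172.16.16.254 in a few failure
scenarios.  Vendor tracking may add behaviour beyond the RFC rules (an
assumption to verify in the switch manual)."""
import re
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

# MAIN-DMZ stanza as shown in the post; DMZ-SECONDARY differs only in address
# and priority on the page, so it is derived from the same text.
MAIN_DMZ_CFG = """\
interface Vlan-interface500
 ip address 172.16.16.250 255.255.255.0
 vrrp vrid 1 virtual-ip 172.16.16.254
 vrrp vrid 1 priority 150
 undo vrrp vrid 1 preempt-mode
 vrrp vrid 1 track 1 reduced 50
"""
DMZ_SECONDARY_CFG = MAIN_DMZ_CFG.replace("172.16.16.250", "172.16.16.249").replace("priority 150", "priority 120")

@dataclass(frozen=True)
class VrrpRouter:
    name: str
    ip: str
    vrid: int
    virtual_ip: str
    priority: int
    preempt: bool
    track_reduce: int
    uplink_up: bool = True    # tracked interface Positive (True) / Negative (False)
    advertising: bool = True  # False models a switch that has gone silent

    @property
    def effective_priority(self) -> int:
        # 'track 1 reduced 50' subtracts 50 while track 1 is Negative; 0 is reserved.
        return self.priority if self.uplink_up else max(1, self.priority - self.track_reduce)

def parse_vrrp(name: str, text: str) -> VrrpRouter:
    """Extract the VRRP parameters from one Comware interface stanza."""
    f = {"preempt": True, "track_reduce": 0}  # Comware defaults when the lines are absent
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"ip address (\S+) ", line):
            f["ip"] = m.group(1)
        elif m := re.match(r"vrrp vrid (\d+) virtual-ip (\S+)", line):
            f["vrid"], f["virtual_ip"] = int(m.group(1)), m.group(2)
        elif m := re.match(r"vrrp vrid \d+ priority (\d+)", line):
            f["priority"] = int(m.group(1))
        elif re.match(r"undo vrrp vrid \d+ preempt-mode", line):
            f["preempt"] = False
        elif m := re.match(r"vrrp vrid \d+ track \d+ reduced (\d+)", line):
            f["track_reduce"] = int(m.group(1))
    return VrrpRouter(name=name, **f)

def elect_master(current: Optional[str], routers: List[VrrpRouter]) -> Optional[str]:
    """Master once the state settles: a silent master is replaced by the live router
    with the highest priority (ties: higher IP); a master still advertising is
    displaced only by a higher-priority backup that has preempt mode enabled."""
    live = [r for r in routers if r.advertising]
    if not live:
        return None
    best = lambda rs: max(rs, key=lambda r: (r.effective_priority, tuple(map(int, r.ip.split(".")))))
    cur = next((r for r in live if r.name == current), None)
    if cur is None:  # boot-time election, or the old master's Master_Down_Timer expired
        return best(live).name
    challengers = [r for r in live if r is not cur and r.preempt
                   and r.effective_priority > cur.effective_priority]
    return best(challengers).name if challengers else cur.name

def check_pair(a: VrrpRouter, b: VrrpRouter) -> List[str]:
    """Consistency checks worth running on a VRRP pair before trusting it."""
    issues = []
    if a.vrid != b.vrid:
        issues.append("vrid differs between the two switches")
    if a.virtual_ip != b.virtual_ip:
        issues.append("virtual-ip differs: hosts would see two gateways")
    if a.priority == b.priority:
        issues.append("equal priorities: master decided by IP address only")
    return issues

def run_scenarios() -> Dict[str, Optional[str]]:
    main = parse_vrrp("MAIN-DMZ", MAIN_DMZ_CFG)
    sec = parse_vrrp("DMZ-SECONDARY", DMZ_SECONDARY_CFG)
    steady = elect_master(None, [main, sec])   # 150 beats 120
    main_dn = replace(main, uplink_up=False)   # GigabitEthernet1/0/1 down: 150 -> 100
    return {
        "steady": steady,
        # 100 < 120, but SECONDARY runs 'undo preempt-mode', so it stays backup.
        "main_uplink_down_as_configured": elect_master(steady, [main_dn, sec]),
        # Same failure with preempt enabled on SECONDARY: it takes over.
        "main_uplink_down_with_preempt": elect_master(steady, [main_dn, replace(sec, preempt=True)]),
        # MAIN silent (box or VLAN down): SECONDARY takes over regardless of preempt.
        "main_stops_advertising": elect_master(steady, [replace(main, advertising=False), sec]),
    }

if __name__ == "__main__":
    print(run_scenarios())
```

The point of the scenarios is the second one: with the priorities and the 'reduced 50' value from the post, a firewall-facing link failure on MAIN-DMZ drops it to 100, below DMZ-SECONDARY's 120, but under the RFC rules a backup only takes over a still-advertising master when preempt mode is enabled on that backup. Whether the HP switches switch over in that case is exactly the thing to confirm by pulling the cable on GigabitEthernet1/0/1 and watching `dis track all` and the VRRP state on both boxes; the third scenario (MAIN-DMZ going silent) fails over regardless of the preempt setting.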