Redundant Network Design
Hi
I'm designing a redundant network design for lab purposes, but am struggling with the convergence time.
Here's the setup:
The requirement of the task is that traffic between each VLAN has to be filtered in the firewall, and therefore I cannot place routing on my core switches; otherwise the VLANs would be able to reach each other without passing through the ASA. So I've placed all the SVIs on the ASA firewalls and trunked all VLANs to them. I have configured failover between the two ASA firewalls and everything seems to work perfectly apart from one thing.
I have configured the failover on the ASA to trigger if just one interface goes down, which means that if one VLAN across the trunk goes down, the ASA will fail over to the standby unit. So if I pull the power from Core Switch1 the ASA fails over to the secondary unit, but spanning-tree convergence time isn't particularly fast. As anticipated, it takes roughly 50 secs for spanning-tree to open the redundant path to the secondary core switch after a failover has occurred. How do I speed that up? I've tried configuring spanning-tree uplinkfast with no luck, and I've even tried to configure spanning-tree portfast trunk on all uplink/downlink ports, which didn't make a difference either.
My Core Switch1 is root primary for all VLANs and Core Switch2 is root secondary for all VLANs, and I'm running Rapid-PVST.
Any suggestions on how I can improve the downtime caused by spanning-tree when one of the core switches goes down?
Comments
Simrid:
Have you considered configuring UplinkFast on your switch ports? It may be worth investigating.
Have you double-checked the hello times on the RSTP links? Are all the switchports running full duplex, and are there no speed mismatches?
Network Engineer | London, UK | Currently working on: CCIE Routing & Switching | sriddle.co.uk | uk.linkedin.com/in/simonriddle
Priston:
50 seconds makes it sound like the PVST timers and not the RPVST timers. Are you sure all devices are RPVST?
A.A.S. in Networking Technologies | A+, Network+, CCNA
stlsmoore:
> 50 seconds makes it sound like the PVST timers and not the RPVST timers. Are you sure all devices are RPVST?
Yeah, I agree with this; also, if you have some time to deep dive, dig into this documentation:
https://www.cisco.com/application/pdf/en/us/guest/netsol/ns431/c649/ccmigration_09186a008093b876.pdf
It gives many recommendations on how to tune out convergence time in campus networks.
There's some potentially weird redundancy design going on with the current setup. Just to confirm: you're having your firewalls perform the internal routing for your network and not your core Layer 3 switches?
My Cisco Blog Adventure: http://shawnmoorecisco.blogspot.com/
Don't forget to add me on LinkedIn! https://www.linkedin.com/in/shawnrmoore
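As an added example illustrating the point Priston and stlsmoore make above (this is not code from the thread, from Cisco, or from any of the posters), here is a small Python check that parses `show spanning-tree` output from a couple of switches, flags any switch still running legacy PVST+ (`protocol ieee`) instead of Rapid-PVST (`protocol rstp`), and shows why a 50-second outage points at 802.1D timers: when the root bridge disappears, a legacy bridge waits Max Age (20 s) for its stored BPDU to expire and then spends Forward Delay (15 s) in each of the listening and learning states. The switch names, MAC addresses and output text are constructed for the example; only the output layout follows the Cisco IOS format.

```python
import re
from dataclasses import dataclass

# Constructed sample `show spanning-tree vlan 10` output for two switches in a
# lab like the one in the thread. Not real device output; the addresses and
# switch names are made up for this example.
CORE1_VLAN10 = """\
VLAN0010
  Spanning tree enabled protocol rstp
  Root ID    Priority    24586
             Address     0011.2233.4455
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24586  (priority 24576 sys-id-ext 10)
             Address     0011.2233.4455
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec
"""

ACCESS1_VLAN10 = """\
VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    24586
             Address     0011.2233.4455
             Cost        4
             Port        49 (GigabitEthernet1/0/49)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     aabb.ccdd.eeff
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec
"""


@dataclass
class StpSummary:
    vlan: int
    protocol: str          # "rstp" (Rapid-PVST), "ieee" (legacy PVST+), "mstp"
    root_address: str
    is_root: bool
    hello: int
    max_age: int
    forward_delay: int


def parse_show_spanning_tree(text: str) -> StpSummary:
    """Pull the protocol, root bridge and root timers out of one VLAN's output."""
    vlan = int(re.search(r"^VLAN0*(\d+)", text, re.M).group(1))
    protocol = re.search(r"Spanning tree enabled protocol (\w+)", text).group(1)
    root_addr = re.search(
        r"Root ID\s+Priority\s+\d+\s+Address\s+([0-9a-f.]+)", text).group(1)
    # The first timer line is the one advertised by the root bridge.
    hello, max_age, fwd = map(int, re.search(
        r"Hello Time\s+(\d+) sec\s+Max Age\s+(\d+) sec\s+Forward Delay\s+(\d+) sec",
        text).groups())
    return StpSummary(vlan, protocol, root_addr, "This bridge is the root" in text,
                      hello, max_age, fwd)


def legacy_convergence_seconds(max_age: int, forward_delay: int) -> int:
    """Worst-case 802.1D reconvergence after the root bridge disappears: the
    stored BPDU must age out (Max Age), then the new root port walks through
    listening and learning (Forward Delay each). Default timers give
    20 + 15 + 15 = 50 seconds, the figure reported in the thread."""
    return max_age + 2 * forward_delay


def audit(outputs: dict[str, str]) -> list[str]:
    """Flag switches that are not in rapid mode and any disagreement about the root."""
    findings = []
    summaries = {name: parse_show_spanning_tree(text) for name, text in outputs.items()}
    roots = {s.root_address for s in summaries.values()}
    if len(roots) > 1:
        findings.append(f"root bridge disagreement across switches: {sorted(roots)}")
    for name, s in summaries.items():
        if s.protocol != "rstp":
            worst = legacy_convergence_seconds(s.max_age, s.forward_delay)
            findings.append(
                f"{name}: VLAN {s.vlan} runs '{s.protocol}' (legacy 802.1D timers); "
                f"expect up to {worst}s after root loss, and its BPDUs will pull "
                f"neighbouring Rapid-PVST ports back into legacy mode")
    return findings


if __name__ == "__main__":
    for line in audit({"core1": CORE1_VLAN10, "access1": ACCESS1_VLAN10}):
        print(line)
```

Run against real output, the check is worth doing per VLAN on every switch, not just the cores: a single access switch left in `spanning-tree mode pvst` is enough to drag the ports facing it back to 802.1D behaviour, which is exactly the symptom of a Rapid-PVST design that still takes 50 seconds to converge.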