Clavister HA to Nexus 5000k HA

nazimshah
Posts: 12
Joined: 16 Jul 2010, 06:17

Clavister HA to Nexus 5000k HA

Post by nazimshah » 11 Oct 2012, 00:27

Need some help here.

We have 2 units of W5 (High Availability) currently connected to 1 unit of Catalyst 6509-E. This has been working very well.

Moving forward, the 2 units of W5 (High Availability) need to be connected to 2 units of Nexus 5548 (High Availability). Any advice on how I can do this? The Nexus HA is active-active.

parnil
Posts: 5
Joined: 24 Oct 2012, 11:14
Location: Vänersborg, Sweden

Re: Clavister HA to Nexus 5000k HA

Post by parnil » 24 Oct 2012, 11:36

Did you get any advice on this?

We are in a very similar situation, but are having trouble with routing, or actually ip-redirect. The FW and the Nexus are on the same network, and other devices on this net can't get outside unless we route the traffic via another switch (in this case a 3750).

nazimshah
Posts: 12
Joined: 16 Jul 2010, 06:17

Re: Clavister HA to Nexus 5000k HA

Post by nazimshah » 08 Nov 2012, 11:23

Can anyone respond to me on this?

I'm about to get my Nexus into production.

parnil
Posts: 5
Joined: 24 Oct 2012, 11:14
Location: Vänersborg, Sweden

Re: Clavister HA to Nexus 5000k HA

Post by parnil » 08 Nov 2012, 11:34

I have no advice at the moment, but we will have a consultant on-site on November 21 to help us with this. Maybe I can report back then.

Regards,
Pär

nazimshah
Posts: 12
Joined: 16 Jul 2010, 06:17

Re: Clavister HA to Nexus 5000k HA

Post by nazimshah » 26 Nov 2012, 06:36

parnil,

How is it? Does it work?

parnil
Posts: 5
Joined: 24 Oct 2012, 11:14
Location: Vänersborg, Sweden

Re: Clavister HA to Nexus 5000k HA

Post by parnil » 26 Nov 2012, 07:52

nazimshah,

Yes, it's working fine now. I am in no way an expert on firewalls, but our consultant did some changes to the ARP settings:

(This is from InControl version 1.30, so if you have another version you might find these settings in a slightly different place)
Network > Interfaces and VPN > Link Layer > ARP/Neighbor Discovery
  • ARP Match Ethernet Sender changed from DropLog to Ignore
  • ARP Sender IP changed from Validate to AcceptAny
  • ARP Multicast changed from DropLog to Accept
I'm not sure how much help this is to you, but if you have any questions, please feel free to ask and I will help as best I can.

Regards,
Pär
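
Added example, not part of the original post and not Clavister or Cisco code: with the settings above relaxed, the firewall no longer drops and logs these ARP frames, so the same conditions can be watched for in captured traffic instead. It assumes that "ARP Match Ethernet Sender" compares the Ethernet source address with the sender hardware address inside the ARP payload and that "ARP Multicast" concerns a multicast sender hardware address; all addresses and frames are constructed.

```python
import struct

# Constructed sample addresses (locally administered MACs, TEST-NET-1 IPs).
MAC_A = bytes.fromhex("020000000001")
MAC_B = bytes.fromhex("020000000002")
MAC_MCAST = bytes.fromhex("030000000001")  # low bit of first octet set = group address
IP_1, IP_2 = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])

def build_arp(eth_src, sha, spa, tpa, op=2):
    """Build an Ethernet II + ARP frame for IPv4 (constructed test input)."""
    eth = b"\xff" * 6 + eth_src + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + b"\x00" * 6 + tpa
    return eth + arp

def check_arp(frame):
    """Return findings for one frame; an empty list means both checks pass."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return ["not-arp"]
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return ["unsupported-arp"]
    eth_src, sha = frame[6:12], frame[22:28]
    findings = []
    if eth_src != sha:            # assumed scope of "ARP Match Ethernet Sender"
        findings.append("ethernet-sender-mismatch")
    if sha[0] & 0x01:             # assumed scope of "ARP Multicast"
        findings.append("multicast-sender-hw-address")
    return findings

def audit(frames):
    """Count findings across captured frames, for logging or alerting."""
    counts = {}
    for frame in frames:
        for finding in check_arp(frame):
            counts[finding] = counts.get(finding, 0) + 1
    return counts

if __name__ == "__main__":
    samples = [
        build_arp(MAC_A, MAC_A, IP_1, IP_2),      # consistent reply
        build_arp(MAC_A, MAC_B, IP_1, IP_2),      # Ethernet source differs from ARP sender
        build_arp(MAC_A, MAC_MCAST, IP_1, IP_2),  # multicast sender hardware address
    ]
    print(audit(samples))
```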

nazimshah
Posts: 12
Joined: 16 Jul 2010, 06:17

Re: Clavister HA to Nexus 5000k HA

Post by nazimshah » 08 Feb 2013, 02:27

Thanks Parnil. I haven't checked the forum for a long time.

My situation is about to become more complicated. I just received the shipment of my 2x Nexus 5k. Within this month, I will also receive 2x Cat4 to replace our current Cat6.

As far as I know, both Nexus 5k will be physically active-active and virtually act as 1 switch. The Cat4 will also be active-active with VSS (virtually as 1 switch). Now only my W5 will be on an active-passive cluster.

Can anyone advise on a full redundancy configuration without dependency on a middleman switch? Sample connectivity and configuration would be very much appreciated.
