Tuesday, June 8, 2021

Fiber redundancy network design

Hi guys,

I'm a little stuck with a fiber redundancy network design. It's kinda hard to explain, but I'll try.

Imagine:
-2 sites, with 2 firewalls on each side (VRRP clusters)
-Multiple direct fiber connections between both sites
-Currently, only 1x fiber is connected via a single fiber2copper converter
-On site A, the currently active fiber is directly connected to the local core switch (fiber converter A)
-On site B, the currently active fiber is connected to the firewall VRRP master (fiber converter B)

What i'd like to do:
1) Connect all fibers (current and new), from firewall cluster A to firewall cluster B
2) Create fully crossed redundant paths with all existing fibers between both sites

Now, you could create a new VRRP pair on both firewall clusters and simply connect site-A and site-B with all available fiber connections, but VRRP would probably not work, since master and backup can't see each other over the fiber links.

firewall-master-A      firewall-backup-A
    |   |                  |   |
    |   |                  |   |
    ------------------------------
    |   |                  |   |
    |   |                  |   |
firewall-master-B      firewall-backup-B

A workaround would be to drop the VRRP idea and work with watchdogs and routes, but that doesn't feel right.

Another idea I came up with is the following:
-Each site gets a fiber switch stack, with SFP LACP LAGs (master and backup) for all fiber connections, hence creating a redundant layer 2 broadcast domain between both sites.
-Site-A firewall cluster will be cross-connected to the fiber switch stack A
-Site-B firewall cluster will be cross-connected to the fiber switch stack B
-Create VLAN(s) and STP on both fiber switch stacks
-Finally, set up new VRRP, subnet, routings, inbound/outbound filtering on both firewall stacks

firewall-master-A          firewall-backup-A
    |   |                      |   |
fiber-switch-master-A      fiber-switch-backup-A
    |   |                      |   |
    |   |                      |   |
    ----------------------------------
    |   |                      |   |
    |   |                      |   |
fiber-switch-master-B      fiber-switch-backup-B
    |   |                      |   |
firewall-master-B          firewall-backup-B

I don't know what you would call something like that; I would call it a "transit network" (?). Yeah, I just made that up. Not sure if the fiber switch idea is cool, stupid, or reasonable but overly complicated.
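To make the difference between the sketches concrete, here is a small added script (my own example, not code from the original post or from any vendor) that models each layout as a graph and removes every device and every link one at a time. It checks two things: whether the two sites still have a path after the failure, and whether each firewall pair still shares a layer-2 segment, which is what VRRP master and backup need in order to see each other's advertisements. The device names, the assumed layout of the current single-fiber setup, and the rule that firewalls route while switches and media converters bridge are all assumptions of the example.

```python
"""Single-failure analysis of the two-site fiber designs discussed in the post.

Added example, not from the original post. The topology is modelled as an
undirected graph of devices and links. Firewalls route (they do not bridge),
switches and media converters forward frames, so:
  - a layer-3 path between the sites may pass through any node;
  - a layer-2 path (what VRRP peers need to exchange advertisements)
    may only pass through bridging nodes.
Every node and every link is removed one at a time to find single points
of failure. Device names and the layout of the current setup are assumed.
"""
from collections import deque

# Name prefixes of devices that forward frames at layer 2 (assumed convention)
BRIDGING_PREFIXES = ("sw-", "conv-", "core-")


def build_adjacency(links):
    """Undirected adjacency map from a list of (a, b) links."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def reachable(adj, start, goal, failed_nodes=frozenset(),
              failed_links=frozenset(), l2_only=False):
    """BFS from start to goal, skipping failed nodes and links.

    With l2_only=True every interior hop must be a bridging device, i.e. the
    two endpoints sit in one broadcast domain."""
    if start in failed_nodes or goal in failed_nodes:
        return False
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if (nxt in seen or nxt in failed_nodes
                    or frozenset((node, nxt)) in failed_links):
                continue
            if nxt == goal:
                return True
            if l2_only and not nxt.startswith(BRIDGING_PREFIXES):
                continue  # a firewall terminates the layer-2 segment
            seen.add(nxt)
            queue.append(nxt)
    return False


def sites_connected(adj, site_a, site_b, failed_nodes=frozenset(),
                    failed_links=frozenset()):
    """True if any surviving site-A firewall reaches any surviving site-B firewall."""
    return any(reachable(adj, fa, fb, failed_nodes, failed_links)
               for fa in site_a for fb in site_b)


def analyze(links, site_a, site_b, vrrp_pairs):
    """Return the single points of failure and whether each VRRP pair shares layer 2."""
    adj = build_adjacency(links)
    spof = []
    for node in sorted(adj):
        if not sites_connected(adj, site_a, site_b, failed_nodes={node}):
            spof.append(("node", node))
    for a, b in links:
        if not sites_connected(adj, site_a, site_b,
                               failed_links={frozenset((a, b))}):
            spof.append(("link", f"{a}<->{b}"))
    vrrp_ok = {f"{m}/{b}": reachable(adj, m, b, l2_only=True)
               for m, b in vrrp_pairs}
    return {"single_points_of_failure": spof, "vrrp_peers_share_l2": vrrp_ok}


SITE_A = ("fw-master-A", "fw-backup-A")
SITE_B = ("fw-master-B", "fw-backup-B")
VRRP_PAIRS = [SITE_A, SITE_B]

# Current state as described (assumed layout): one fiber through a converter on
# each side, landing on the site-A core switch and directly on the site-B master.
CURRENT = [
    ("fw-master-A", "core-sw-A"), ("fw-backup-A", "core-sw-A"),
    ("core-sw-A", "conv-A"), ("conv-A", "conv-B"), ("conv-B", "fw-master-B"),
]
# Idea 1: four fibers fully crossed straight between the two firewall clusters.
DIRECT = [
    ("fw-master-A", "fw-master-B"), ("fw-master-A", "fw-backup-B"),
    ("fw-backup-A", "fw-master-B"), ("fw-backup-A", "fw-backup-B"),
]
# Idea 2: a fiber switch stack per site, firewalls cross-connected to the
# stack, and the fibers fully crossed between the stacks.
SWITCHED = [
    ("fw-master-A", "sw-master-A"), ("fw-master-A", "sw-backup-A"),
    ("fw-backup-A", "sw-master-A"), ("fw-backup-A", "sw-backup-A"),
    ("sw-master-A", "sw-backup-A"),  # stack link
    ("fw-master-B", "sw-master-B"), ("fw-master-B", "sw-backup-B"),
    ("fw-backup-B", "sw-master-B"), ("fw-backup-B", "sw-backup-B"),
    ("sw-master-B", "sw-backup-B"),  # stack link
    ("sw-master-A", "sw-master-B"), ("sw-master-A", "sw-backup-B"),
    ("sw-backup-A", "sw-master-B"), ("sw-backup-A", "sw-backup-B"),
]

if __name__ == "__main__":
    for name, links in (("current", CURRENT), ("direct", DIRECT),
                        ("switched", SWITCHED)):
        print(name, analyze(links, SITE_A, SITE_B, VRRP_PAIRS))
```

Running it shows the point of the second sketch: the current layout has seven single points of failure (both converters, the site-A core switch, the site-B master and the three links on that path); the directly crossed fibers remove every single point of failure but leave the VRRP peers on each side without a common layer-2 segment; the switch-stack layout removes the single points of failure and also gives master and backup a shared broadcast domain. The model only covers topology; it does not simulate STP blocking or LACP hashing, so it says nothing about whether a given link is actually forwarding at a given moment.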

I'm not looking for a solution in particular, but rather a best practice or a hint on how multiple redundant fiber connections between remote sites are usually done by the network pros?

Any insight is much appreciated.
