Let me preface this question by saying that I am a developer and have basic knowledge of networking. My current job requires that I wear many hats.
I am building out a data center for our SaaS application and have purchased all the hardware on eBay.
2x Juniper SSG-5
2x Dell PowerConnect 5324
3x ESX hosts
I want to be fully redundant at the hardware level. I am going to do Active/Passive on the Junipers. I understand how to set up NSRP on the firewalls. My question is, how do I connect the switches to the firewalls so that it is redundant and there is no looping?
My assumption is that each firewall will connect to both switches. Is it that simple? From there I will do NIC teaming on the ESX host, one link to each switch.
Do the switches need to be connected together? For this basic config, will I need to do any of the management on the switches?
Thanks for the help!
You are definitely on the right track.
Here are a couple of things I've written about redundancy to augment what I write in this post:
Redundancy Overview: http://sysadvent.blogspot.com/2009/12/day-13-redundancy.html
Appropriate redundancy: http://www.standalone-sysadmin.com/blog/2008/06/appropriate-redundancy/
Alright, those out of the way, building redundancy is about controlling failure modes. You have two switches, you have two routers. Clearly you want to be prepared for the failure of a switch or a router. Maybe a switch AND a router.
What I did in this case was use interface bonding to connect each server to both switches:
There are several ways to do that, depending on your servers' operating systems, but the point is that each switch can talk to each server without the other switch being there.
As Chris S mentioned in the comment, using Spanning Tree Protocol (STP) is a good idea. This is because each of the routers will be hooked to each of the switches, for full redundancy, and you don't want broadcast storms resulting from the loop that would happen.
Here's how I'd wire your network:
Basically, each server goes to each switch and both routers talk to both switches. Notice that there are connections between the routers and also between the switches (in green). For the router, this is the separate interface that you want your NSRP traffic to travel over (don't send it over the link to the switches).
For the switches, the green link is an LACP trunk consisting of however many links you need to get the aggregate performance you want.
This should provide full redundancy in the event of the failure of any part of the system.
If you have a basic knowledge of networking, and there's nobody who can really maintain the devices, simpler is better. Most switches by default will run spanning tree and automatically make sure there are no loops. So, you could just connect Juniper A to switch 1 and switch 2, Juniper B to switch 1 and switch 2, and then hook each ESX to either switch as well. Or, you don't need to connect the Junipers to both switches, and it would be redundant as well. This will 'just work' on the switches, because remember, all they see is MAC addresses - not IP addresses. Managing the switches will allow more functionality and troubleshooting, but that is another thing you will need to keep track of, manage configuration, etc.
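Both answers above make two claims that are worth checking before plugging cables in: that spanning tree will keep the switch-to-switch connection loop-free (and that an LACP bundle lets all of its member links forward, whereas unbundled parallel cables get all but one blocked), and that the wiring in the first answer survives the loss of any single switch, firewall, host NIC or cable. The model below is an added example written for this thread, not code from either answer or from Juniper or Dell; it uses constructed role names (FW-A, FW-B, SW1, SW2, ESX1..3), a simplified 802.1D root election and root-port selection with equal port costs, and treats the NSRP link between the firewalls as a heartbeat-only link outside the data path. Hosts and firewalls are modelled as endpoints that never forward between their two uplinks, which is how an ESX NIC team and an active/passive firewall pair behave.

```python
"""Loop-freedom and single-failure check for the two-switch layout in the thread.

Constructed model: node names are roles, not real device identifiers.
Links are (name, endpoint_a, endpoint_b) tuples.
"""

BRIDGES = {"SW1", "SW2"}          # only the switches relay frames between ports
FIREWALLS = {"FW-A", "FW-B"}      # Junipers in an NSRP active/passive pair
HOSTS = {"ESX1", "ESX2", "ESX3"}  # ESX hosts, NIC team with one uplink per switch


def wiring(switch_links):
    """Links for the first answer's layout: every host and every firewall to
    both switches, plus the switch-to-switch links named in `switch_links`.
    ["cable-1", "cable-2"] models two unbundled cables; ["LACP"] models the
    bundle, which STP sees as a single logical link. The FW-A/FW-B NSRP link
    is deliberately absent: it carries HA state, not user traffic."""
    links = [(f"{dev}-{sw}", dev, sw)
             for dev in sorted(FIREWALLS | HOSTS) for sw in sorted(BRIDGES)]
    links += [(name, "SW1", "SW2") for name in switch_links]
    return links


def _other(link, node):
    return link[2] if link[1] == node else link[1]


def forwarding_links(links, priority=None):
    """Simplified STP. Elect the root bridge (lowest priority, then lowest
    name), measure each bridge's hop count to it over bridge-to-bridge links,
    and let every non-root bridge forward on exactly one root port. Every
    other bridge-to-bridge link is blocked; edge links to hosts and firewalls
    cannot close a loop between bridges and always forward."""
    priority = priority or {}
    present = {b for b in BRIDGES if any(b in l[1:] for l in links)}
    forwarding = {l[0] for l in links if not (l[1] in present and l[2] in present)}
    trunk = [l for l in links if l[1] in present and l[2] in present]
    if not present:
        return forwarding
    root = min(present, key=lambda b: (priority.get(b, 32768), b))
    cost, frontier = {root: 0}, [root]
    while frontier:                           # BFS = Dijkstra with unit costs
        nxt = []
        for b in frontier:
            for l in trunk:
                if b in l[1:] and _other(l, b) not in cost:
                    cost[_other(l, b)] = cost[b] + 1
                    nxt.append(_other(l, b))
        frontier = nxt
    for b in present - {root}:
        if b not in cost:
            continue                          # cut off from the root: no loop to break
        # Root port: a link to a neighbour one hop closer to the root; ties go to
        # the lowest neighbour name, then lowest link name (802.1D tie-break, simplified).
        root_port = min((l for l in trunk if b in l[1:]
                         and cost.get(_other(l, b)) == cost[b] - 1),
                        key=lambda l: (_other(l, b), l[0]))
        forwarding.add(root_port[0])
    return forwarding


def reachable_firewalls(links, host):
    """Firewalls `host` can reach over forwarding links; only switches relay."""
    fwd = forwarding_links(links)
    seen, queue = {host}, [host]
    while queue:
        node = queue.pop()
        for l in links:
            if l[0] in fwd and node in l[1:] and _other(l, node) not in seen:
                seen.add(_other(l, node))
                if _other(l, node) in BRIDGES:
                    queue.append(_other(l, node))
    return seen & FIREWALLS


def remove(links, failed):
    """Drop a failed node (and all its links) or a single failed link by name."""
    return [l for l in links if failed not in l]


def single_failure_report(links):
    """For every single node or link failure, list hosts left with no firewall.
    STP is re-run on the surviving topology, as the real switches would."""
    elements = sorted({x for l in links for x in l})
    return {failed: sorted(h for h in HOSTS if h != failed
                           and not reachable_firewalls(remove(links, failed), h))
            for failed in elements}


if __name__ == "__main__":
    unbundled = wiring(["cable-1", "cable-2"])
    print("blocked without LACP:", sorted({l[0] for l in unbundled} - forwarding_links(unbundled)))
    bundled = wiring(["LACP"])
    print("blocked with LACP:", sorted({l[0] for l in bundled} - forwarding_links(bundled)))
    for failed, stranded in single_failure_report(bundled).items():
        print(f"fail {failed:10s} -> hosts with no firewall: {stranded or 'none'}")
```

Running it shows `cable-2` blocked when the two switch-to-switch cables are left unbundled, nothing blocked once they are an LACP trunk, and an empty "stranded hosts" list for every single failure in the bundled layout, including the loss of a whole switch or of the trunk itself. The `priority` argument to `forwarding_links` is the one knob worth setting deliberately on real switches: with equal priorities the root is whichever switch has the lowest bridge ID, which is not necessarily the one you would choose.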