Posted by on June 12, 2008, 9:40 am
I have some design questions regarding Campus networks and firewalls. If I have a Campus Core consisting of 2 x L3 switches and I directly connect an HA pair of perimeter firewalls to each core switch (each firewall being connected to both core switches), I am unsure how routing of traffic will work.

The Firewalls use HSRP/VRRP for HA, so the connections from the core to the firewalls must be L2 trunks? Does this mean I would have to create a VLAN on the core switches and trunk this VLAN across both core switches? Then both core switches would have a default route of the HSRP address of the firewalls?

Would it be better to connect the firewalls to the core switches using L3 connections and run an IGP on the firewalls? How would this work in practice?

Any recommendations or advice would be appreciated.

Regards,
Nick
Posted by Trendkill on June 12, 2008, 9:52 am
Create two networks, trunked between your cores. Have each firewall connect to each core, but each in a different VLAN. Then your connections from firewall to core will not be trunks but simple access ports.

Firewall 1 Connection 1 - Core 1 VLAN 1
Firewall 1 Connection 2 - Core 2 VLAN 2
Firewall 2 Connection 1 - Core 1 VLAN 1
Firewall 2 Connection 2 - Core 2 VLAN 2

This way, if a core dies, you still have both firewalls connected to the other core in the same VLAN.

From a routing perspective, you should have a routing protocol running between the firewalls and the cores in those specific VLANs. That way traffic will re-route if there are issues. Else you put two statics on each core for the internet/default gateway, presuming that is what this is for. But yes, both cores should have a route to the HSRP address in each VLAN.

I think this should answer your questions. The only other way is to do both of firewall 1's connections to core 1, in different VLANs, and firewall 2 to core 2. But in that case, if a core experienced issues (or the trunk in between), your firewalls would stop seeing each other, which you probably don't want. What you want is for your firewalls to ALWAYS see each other regardless of the type of outage, not necessarily that just one is always up.
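The Core 1 side of the two-VLAN design described in the reply above, written out as a Cisco IOS configuration. This is an added example, not configuration from the original post or from the poster. The VLAN IDs 10 and 20 (standing in for the post's "VLAN 1" and "VLAN 2"), the 10.255.10.0/29 and 10.255.20.0/29 subnets, the .1 addresses for the firewalls' HSRP/VRRP virtual IPs, the interface names and the IP SLA tracking are all assumptions. The reply leaves the choice between an IGP and two statics open; this version takes the two-statics option and adds reachability tracking so that the default route moves to the other VLAN's VIP when the VIP in the local VLAN stops answering.

```cisco
! Core 1 - two-VLAN firewall attachment (added example; IDs, addresses and
! interface names are assumed, not taken from the thread)
vlan 10
 name FW-Inside-A
vlan 20
 name FW-Inside-B
!
! Inter-core trunk: carry only the two firewall-facing VLANs, nothing else
interface TenGigabitEthernet1/1
 description Trunk to Core 2
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! Both firewalls land on Core 1 in VLAN 10 as plain access ports (no trunking)
interface GigabitEthernet1/1
 description Firewall 1 - connection 1
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface GigabitEthernet1/2
 description Firewall 2 - connection 1
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! SVIs: Core 1 has an address in both VLANs so it can reach either firewall VIP
interface Vlan10
 description Firewall-facing VLAN homed on Core 1 (VIP 10.255.10.1, FW .2/.3)
 ip address 10.255.10.4 255.255.255.248
!
interface Vlan20
 description Firewall-facing VLAN homed on Core 2 (VIP 10.255.20.1, FW .2/.3)
 ip address 10.255.20.4 255.255.255.248
!
! Two default routes, one per firewall VIP. The local-VLAN route is installed
! only while track 1 is up; the other is a floating static (AD 10) that takes
! over when the primary is withdrawn.
ip route 0.0.0.0 0.0.0.0 10.255.10.1 track 1
ip route 0.0.0.0 0.0.0.0 10.255.20.1 10
!
! Probe the VIP every 5 seconds from the VLAN 10 SVI; track 1 follows the result
ip sla 1
 icmp-echo 10.255.10.1 source-interface Vlan10
 frequency 5
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
```

Core 2 is the mirror image: its firewall-facing access ports sit in VLAN 20, its SVIs are 10.255.10.5 and 10.255.20.5, and its tracked default route points at 10.255.20.1 with the VLAN 10 VIP as the floating backup. Because VLANs 10 and 20 are stretched across the inter-core trunk, spanning tree is in the forwarding path; pruning the trunk to exactly those two VLANs and keeping every other switch port out of them limits what a loop or a misplaced device in the firewall-facing segment can affect.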
Posted by WERBER on June 12, 2008, 4:26 pm
> On Jun 12, 9:40 am, njwhitwo...@gmail.com wrote:
> > Hi,
> >
> > I have some design questions regarding Campus networks and firewalls.
> > If I have a Campus Core consisting of 2 x L3 switches and I directly
> > connect an HA pair of perimeter firewalls to each core switch (each
> > firewall being connected to both core switches), I am unsure how
> > routing of traffic will work.
> >
> > The Firewalls use HSRP/VRRP for HA so the connections from the core to
> > the firewalls must be L2 trunks? Does this mean I would have to create
> > a VLAN on the core switches and trunk this VLAN across both core
> > switches? Then both core switches would have a default route of the
> > HSRP address of the firewalls?
> >
> > Would it be better to connect the firewalls to the core switches using
> > L3 connections and run an IGP on the firewalls? How would this work in
> > practice?
> >
> > Any recommendations or advice would be appreciated.
> >
> > Regards,
> > Nick
>
> Create two networks, trunked between your cores. Have each firewall
> connect to each core, but each in a different VLAN. Then your
> connections from firewall to core will not be trunks but simple access
> ports.
>
> Firewall 1 Connection 1 - Core 1 VLAN 1
> Firewall 1 Connection 2 - Core 2 VLAN 2
> Firewall 2 Connection 1 - Core 1 VLAN 1
> Firewall 2 Connection 2 - Core 2 VLAN 2
>
> This way if a core dies, you still have both firewalls connected to
> the other core in the same VLAN.
>
> From a routing perspective, you should have a routing protocol running
> between the firewalls and the cores in those specific VLANs. That way
> traffic will re-route if there are issues. Else you put two statics on
> each core for the internet/default gateway, presuming that is what this is
> for. But yes, both cores should have a route to the HSRP address in
> each VLAN.
>
> I think this should answer your questions. The only other way is to do
> both of firewall 1's connections to core 1, in different VLANs, and
> firewall 2 to core 2. But in that case, if a core experienced issues
> (or the trunk in between), your firewalls would stop seeing each
> other, which you probably don't want. What you want is for your firewalls
> to ALWAYS see each other regardless of the type of outage, not necessarily
> that just one is always up.

If all the equipment works at L3, just use routes: convergence is faster, the load is balanced, and you don't need to work with problematic protocols like STP, MSTP and RSTP.

Werberti Luiz

Campus LAN Core and Perimeter Firewalls