Campus LAN Core and Perimeter Firewalls

Hi,

I have some design questions regarding Campus networks and firewalls. If I have a Campus Core consisting of 2 x L3 switches and I directly connect an HA pair of perimeter firewalls to each core switch (each firewall being connected to both core switches), I am unsure how routing of traffic will work.

The Firewalls use HSRP/VRRP for HA so the connections from the core to the firewalls must be L2 trunks? Does this mean I would have to create a VLAN on the core switches and trunk this VLAN across both core switches? Then both core switches would have a default route of the HSRP address of the firewalls?

Would it be better to connect the firewalls to the core switches using L3 connections and run an IGP on the firewalls? How would this work in practice?

Any recommendations or advice would be appreciated.

Regards, Nick

njwhitworth

Create two networks, trunked between your cores. Have each firewall connect to each core, but in each different vlan. Then your connections from firewall to core will not be trunks but simple access ports.

Firewall 1 Connection 1 - Core 1 Vlan 1
Firewall 1 Connection 2 - Core 2 Vlan 2
Firewall 2 Connection 1 - Core 1 Vlan 1
Firewall 2 Connection 2 - Core 2 Vlan 2

This way if a core dies, you still have both firewalls connected to the other core in the same VLAN.

From a routing perspective, you should have a routing protocol running between the firewalls and the cores in those specific vlans. That way traffic will re-route if there are issues. Else you put 2 statics on each core for internet/default gateway, presuming that is what this is for. But yes, both cores should have a route to the HSRP address in each vlan.

I think this should answer your questions. Only other way is to do both of firewall 1's connections to core 1, in diff vlans, and firewall 2 to core 2. But in that case, if a core experienced issues (or the trunk in between), your firewalls would stop seeing each other, which you probably don't want. What you want is your firewalls to ALWAYS see each other regardless of type of outage, not necessarily that just one is always up.

Trendkill
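A Core 1 configuration implementing the two-VLAN layout above, added here as an example and not taken from the thread; VLAN IDs, addresses and interface names are constructed, the firewall VRRP VIP is assumed to be .1 in each VLAN, and Core 2 mirrors this with its firewall-facing access ports in VLAN 20.

```cisco
! Core 1 (constructed example). Core 2 mirrors this with .3 addresses.
vlan 10
 name FW-TRANSIT-A
vlan 20
 name FW-TRANSIT-B
!
! Inter-core trunk carrying both transit VLANs
interface TenGigabitEthernet1/1
 description Trunk to Core 2
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! Access ports to the firewalls: Core 1 hosts VLAN 10 for both firewalls
interface GigabitEthernet1/1
 description Firewall 1, connection 1
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
interface GigabitEthernet1/2
 description Firewall 2, connection 1
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! SVIs: firewall VIP (assumed) is .1 in each VLAN, cores are .2 and .3
interface Vlan10
 ip address 10.255.10.2 255.255.255.0
interface Vlan20
 ip address 10.255.20.2 255.255.255.0
!
! Reachability tracking so a static default is withdrawn if its VIP dies
ip sla 10
 icmp-echo 10.255.10.1 source-interface Vlan10
 frequency 5
ip sla schedule 10 life forever start-time now
track 10 ip sla 10 reachability
ip sla 20
 icmp-echo 10.255.20.1 source-interface Vlan20
 frequency 5
ip sla schedule 20 life forever start-time now
track 20 ip sla 20 reachability
!
! Two static defaults, one per transit VLAN, each tied to its track object
ip route 0.0.0.0 0.0.0.0 10.255.10.1 track 10
ip route 0.0.0.0 0.0.0.0 10.255.20.1 track 20
```

The `track` objects pull a default route out of the table when its VIP stops answering, so the core does not keep forwarding into a dead path; on stateful firewalls the two VRRP groups must fail over together, otherwise traffic split across the two VIPs can land on the standby unit and be dropped.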

If all equipment works in L3, just use routes: convergence is faster, it balances the load, and you don't need to work with problematic protocols like STP, MSTP, RSTP.

Werberti Luiz

WERBER
