What is the best design to connect redundant Firewalls to redundant switches?

Subash Sharma
Level 1

Hi All,

I would like to know the best possible design to connect redundant firewalls (Netscreen, FortiGate etc.) to redundant switches. I have dealt with Cisco FWSMs, in which both the firewall and switch are in the same chassis. So for the VLANs behind the firewall, we just create the L3 interface on the FWSM and do a static route in the switch. The gateway IP will be tied to the primary FWSM and the failover happens through the network. But now I need to know the best possible design when I am connecting to a different vendor's firewall.

Let's say I have 5 VLANs and all these VLANs are behind the firewall. The redundant switches will have the L2 VLANs created and have a static route to the firewall. I am proposing the attached design, in which I will have L2 VLANs created on the switch and L3 on the firewall. The firewalls and the switch will be connected with one trunk port and an access port for uplink and downlink traffic. The two switches will be connected to each other using a VLAN trunk. The two firewalls will be connected using a redundancy VLAN.

I am not so sure about the workings of other firewalls such as Netscreen and FortiGate. I am also confused about the traffic path that the frames will take with this design. Please advise if you have any suggestions.

Appreciate your help and advice.

regards

dathan

14 Replies

shillings
Level 4

I think this question would be best posed to each firewall vendors' own forum.

Why do you need to segregate upstream and downstream traffic into the firewall's LAN interface?

Thanks for the reply.

The issue is, the firewalls are managed by a different vendor and I am responsible for the switches. The vendor is quite unfriendly and doesn't share anything regarding its workings. The segregation is just to keep the traffic separate, and also for load balancing purposes. My doubt is how the traffic flow will be from the servers connected to switch 2 to the active firewall. Will the L2 trunk be a single point of failure? Will the traffic traverse through the standby firewall to the active one using the HA link if the trunk between the switches fails?

Thanks again for your valued comments.

regards

dathan

ALIAOF_
Level 6

It's been a while since I have worked with the Netscreens, but basically I'm assuming both Netscreens will share a single IP; one firewall will be standby, one will be active. So the IP will go to the active firewall. On the redundant switches you will set up a static route.

But I'm not sure why you are doing it like this, and why the trunk port and then an access port. All that sounds complicated; I concur with shillings.

You can also just set up a firewall and connect it to the switch (access port), and the firewall will be the default gateway for the two switches, and just do the inter-VLAN routing on the switches. How do you have the switches set up: HSRP, GLBP?

Hi,

Thanks for the reply.

I can't do inter-VLAN routing on the switches because the customer needs all the VLANs to reside on the firewall. The customer needs firewall rules to be implemented so that traffic between different VLANs is filtered. They are not comfortable with the switch ACLs for traffic filtering since they are not as informative as firewall logs. HSRP & GLBP are useful when I have my L3 interfaces on the switches, but now my L3 interfaces are on the firewalls.

Regarding the trunk & access port, it is just done to separate traffic and for load balancing.

Thanks again for your reply.

regards

dathan

Thank you for elaborating. Why the trunk port and then another access port? I'm assuming you are going to create sub-interfaces for the trunk and then set up all 5 VLANs on that?

Hi,

Thank you for the reply and appreciate your interest on this discussion.

The access port is used as the uplink to the switch (traffic from firewall to switch). The firewall will have a default route to the interface IP of the switch so that return traffic from the firewall will take this access port. The trunk port is for the downlink to the firewall (traffic to the firewall from the switch). Since the VLAN default gateway is on the firewall, the traffic from the PCs will go through this trunk for inter-VLAN routing. Inter-VLAN routing is performed by the firewall.

I think the confusion on this was due to the fact that there is no external connection in this design. This firewall is just an internal firewall (for internal traffic within the organization) and we do have another set of firewalls connecting to the outside or WAN. The external firewall is connected to the switch.

I am confused about the traffic path from switch 2 to the active firewall. Will it take the trunk between switch1----switch2, or will it go to the passive firewall and use the HA link to reach the active one?

regards

dathan

Can you expand upon the need for protection between VLANs? I can think of a few reasons, but this current design wouldn't be the best for some of those scenarios.

Hi Shillings,

Thanks for the reply.

This is a datacentre environment and these VLANs belong to different organizations/vendors. Each VLAN belongs to a particular service/application, and communication between these VLANs is highly restricted in order to prevent any kind of data copy/attack. We do have an external firewall through which these VLANs communicate with the internet. Basically, traffic to external is minimal and internal traffic is the most. I can't create the L3 interfaces on the switch because of the strict policy checking and auditing required.

Please advise if there is any flaw in this proposed design. I have seen the same design in many places.

Thanks & regards

OK, I understand this now.

Your HA link between firewalls might solely be used as a heartbeat (for failure detection) and to update the passive firewall with HTTP stateful information. This is how the Cisco ASA HA pair works, but I'm not familiar with the Netscreen.

A quick question about the client PCs in the bottom cloud - are these to be single homed or dual-homed to both switches?

Hi,

Thanks for the reply.

The client PCs will be dual-homed using Linux bonding, i.e. each server will have connections to both the switches.

regards

I've not connected Linux Ethernet bonded interfaces in this way. I presume the two switches are Cisco and the Linux bonding mode will be 802.3ad. Is that right?

If so, then I would have thought you need to either stack the two switches or run VSS/vPC technology. What make and model are they?

Thanks for the reply.

It's not an 802.3ad link-aggregated interface. On the switch side, the ports will be configured as normal access ports and the bonding config will be done on the server side. The switches are 3750s and I am not sure whether they support vPC.

If any single homed server is connected to Switch 2, what will be traffic path for its data packets?

Switch 2 ------------------> Switch 1 ----------------------> Active firewall

                                   OR

Switch 2 ------------------> Passive Firewall -----------> Active Firewall

Also, will there be any change in the traffic path if the trunk between Switch 1 & Switch 2 is converted to an L3 routed interface? Since there is no VRRP, I can convert the trunk to L3, right?

Thanks and regards
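Whether "bonding config on the server side only" is enough depends entirely on the bonding mode, which the kernel reports in `/proc/net/bonding/<bond>`. The following is an added example (Python, not code from this thread or from any vendor) that parses such a status file and reports what the switch side must provide: active-backup tolerates plain access ports on two independent switches, while 802.3ad, round-robin and xor need both links to land on one logical switch as a port-channel. The two status texts are constructed to mimic the kernel's format; they were not captured from the servers discussed here.

```python
"""Classify a Linux bonding status file and derive the switch-side requirement.

Added example: the sample status texts below are constructed to look like
/proc/net/bonding/bond0 output; they are not captured from the thread's servers.
"""
import re

# Modes in which the switch must treat the member links as one aggregate, which
# only works when both links terminate on a single logical switch (stack/VSS/vPC).
AGGREGATING_MODES = {"round-robin", "xor", "802.3ad"}
# Substrings the kernel prints on the "Bonding Mode:" line for each mode.
MODE_KEYS = ("active-backup", "round-robin", "xor", "broadcast", "802.3ad",
             "transmit load balancing", "adaptive load balancing")


def parse_bond_status(text):
    """Split the status file into the bond header and one block per slave."""
    head, *slave_blocks = re.split(r"\n(?=Slave Interface:)", text.strip())

    def pairs(block):
        out = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:                       # skip blank lines and section titles
                out[key.strip()] = value.strip()
        return out

    info = pairs(head)
    slaves = [pairs(block) for block in slave_blocks]
    return {
        "mode": info.get("Bonding Mode", ""),
        "bond_up": info.get("MII Status") == "up",
        "active_slave": info.get("Currently Active Slave"),
        "slaves": {s["Slave Interface"]: s.get("MII Status") for s in slaves},
    }


def classify(text):
    """Return the mode, whether the switches must aggregate, and redundancy warnings."""
    status = parse_bond_status(text)
    mode_key = next((k for k in MODE_KEYS if k in status["mode"]), "unknown")
    warnings = []
    down = [name for name, state in status["slaves"].items() if state != "up"]
    if down:
        warnings.append(f"slave(s) down, no redundancy left: {', '.join(down)}")
    if mode_key in AGGREGATING_MODES:
        warnings.append("both links must terminate on one logical switch (port-channel)")
    if not status["bond_up"]:
        warnings.append("bond itself is down")
    return {
        "mode_key": mode_key,
        "needs_switch_aggregation": mode_key in AGGREGATING_MODES,
        "active_slave": status["active_slave"],
        "slaves": status["slaves"],
        "warnings": warnings,
    }


# Constructed sample: active-backup bond whose second link has just failed.
SAMPLE_ACTIVE_BACKUP = """\
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth0
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth0
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 00:00:5e:00:53:a1
Slave queue ID: 0

Slave Interface: eth1
MII Status: down
Speed: Unknown
Duplex: Unknown
Link Failure Count: 1
Permanent HW addr: 00:00:5e:00:53:a2
Slave queue ID: 0
"""

# Constructed sample: LACP bond, which needs a port-channel on the switch side.
SAMPLE_LACP = """\
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: IEEE 802.3ad Dynamic link aggregation
Transmit Hash Policy: layer2 (0)
MII Status: up
MII Polling Interval (ms): 100

802.3ad info
LACP rate: slow

Slave Interface: eth0
MII Status: up
Aggregator ID: 1

Slave Interface: eth1
MII Status: up
Aggregator ID: 1
"""

if __name__ == "__main__":
    for sample in (SAMPLE_ACTIVE_BACKUP, SAMPLE_LACP):
        print(classify(sample))
```

On a live host the same function can be fed `open("/proc/net/bonding/bond0").read()`; the "slave down" warning is the condition a monitoring check should alert on, since an active-backup server with one dead link is no longer dual-homed even though it still passes traffic.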

Hi Shillings,

any reply...??

thanks & regards

subhash007 wrote:

It's not an 802.3ad link-aggregated interface. On the switch side, the ports will be configured as normal access ports and the bonding config will be done on the server side.


To be honest, I don't understand how the Linux bonding mode can work without anything configured the other end.

My understanding of 'bonding' comes from Multilink PPP (MLP) where the data stream is chopped up and split across two (or more) circuits. At the other end, a similar MLP-enabled device reforms the data stream from the multiple circuits, maintaining packet order. But this requires MLP-enabled 'bonding' devices at each end.

Perhaps you could help me better understand the Linux bonding...

subhash007 wrote:

If any single homed server is connected to Switch 2, what will be traffic path for its data packets?

Switch 2 ------------------> Switch 1 ----------------------> Active firewall

                                   OR

Switch 2 ------------------> Passive Firewall -----------> Active Firewall


If the firewalls operate in the same fashion as Cisco ASAs, then the inter-firewall link doesn't carry traffic. It's for failover detection and HTTP replication only. But like I said, I'm not familiar with this vendor's products.

subhash007 wrote:

Also will there be any change in traffic path if the trunk between Switch 1 & Switch 2 is converted to L3 routed interface? Since there is no VRRP, i can convert the trunk to L3 right?


Same as above.
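The traffic-path question can be answered by walking through what two learning switches actually do. The following is an added example (Python, not code from this thread or from any firewall or switch vendor) that models the two switches as transparent bridges, an active/passive firewall pair sharing one gateway MAC, and a single-homed server on Switch 2. It assumes, as in the ASA analogy above, that the HA link carries heartbeat and state only and never bridges user traffic; port names and MAC addresses are invented.

```python
"""Toy model of frame forwarding from a server on switch 2 to an active/passive
firewall pair behind switch 1.

Added example. Assumptions: the active unit owns the shared gateway MAC, the
passive unit does not bridge frames across the HA link, and both switches are
ordinary learning bridges. MACs and port names are constructed.
"""

VIP_MAC = "00:00:5e:00:53:01"      # shared gateway MAC, owned by the active unit
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Endpoint:
    """A host or firewall: accepts a frame only when addressed to its own MAC."""

    def __init__(self, name, mac):
        self.name, self.mac, self.peer = name, mac, None

    def connect(self, port, neighbour, neighbour_port):
        self.peer = (neighbour, neighbour_port)

    def send(self, dst):
        neighbour, port = self.peer
        return neighbour.receive(port, self.mac, dst, [self.name])

    def receive(self, in_port, src, dst, path):
        path = path + [self.name]
        return path if dst == self.mac else None


class Switch:
    """Transparent bridge: learns source MACs, forwards known unicast, floods the rest."""

    def __init__(self, name):
        self.name, self.links, self.mac_table, self.down = name, {}, {}, set()

    def connect(self, port, neighbour, neighbour_port):
        self.links[port] = (neighbour, neighbour_port)

    def _forward(self, port, src, dst, path):
        neighbour, neighbour_port = self.links[port]
        return neighbour.receive(neighbour_port, src, dst, path + [f"{self.name}:{port}"])

    def receive(self, in_port, src, dst, path):
        path = path + [f"{self.name}:{in_port}"]
        self.mac_table[src] = in_port                      # source-address learning
        out = self.mac_table.get(dst)
        if out is not None and out not in self.down:
            return None if out == in_port else self._forward(out, src, dst, path)
        for port in sorted(self.links):                    # unknown unicast / broadcast: flood
            if port != in_port and port not in self.down:
                delivered = self._forward(port, src, dst, path)
                if delivered:
                    return delivered
        return None


def link(a, a_port, b, b_port):
    a.connect(a_port, b, b_port)
    b.connect(b_port, a, a_port)


def build_topology(trunk_up=True):
    sw1, sw2 = Switch("SW1"), Switch("SW2")
    fw_active = Endpoint("FW-active", VIP_MAC)
    fw_passive = Endpoint("FW-passive", "00:00:5e:00:53:02")   # its own MAC, not the VIP
    server = Endpoint("server", "00:00:5e:00:53:10")
    link(sw1, "Gi1/0/1", fw_active, "eth0")
    link(sw2, "Gi1/0/1", fw_passive, "eth0")
    link(sw1, "Gi1/0/24", sw2, "Gi1/0/24")                    # inter-switch trunk
    link(sw2, "Gi1/0/10", server, "eth0")
    if not trunk_up:                                          # simulate the trunk failing
        sw1.down.add("Gi1/0/24")
        sw2.down.add("Gi1/0/24")
    return fw_active, server


def path_to_active_firewall(trunk_up=True):
    """Hop list a server frame takes to the gateway MAC, or None if it cannot be delivered."""
    fw_active, server = build_topology(trunk_up)
    fw_active.send(BROADCAST)       # gratuitous ARP for the VIP: switches learn its port
    return server.send(VIP_MAC)


if __name__ == "__main__":
    print("trunk up:  ", path_to_active_firewall(True))
    print("trunk down:", path_to_active_firewall(False))
```

With the trunk up, the hop list is the first of the two candidate paths (Switch 2 to Switch 1 to the active firewall); the passive unit never appears because the gateway MAC is learned on the trunk port, not on the port facing the passive firewall. With the trunk down the frame is flooded to the passive firewall, which does not own the VIP and does not relay it, so there is no path at all: in this model the inter-switch trunk is the single point of failure asked about earlier, which is the reason to make it a multi-link port-channel or a stacked pair.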
