design question

bluesea2010
Level 5

Hi,


"In the diagram above, there are two core switches with a Layer 3 connection between them. Between the firewall and the core switches, there are two switches. There are Layer 3 connections between the switches and the core, along with an additional Layer 2 connection. OSPF is implemented between the core switches. A default route from the core is directed towards 172.16.3.1. The core switches, SW1, and SW2 are physically situated in different data centers.

Could you please provide feedback on whether the topology described above is acceptable? Additionally, what would be the implications if SW1 and SW2 only support static routing? Could you outline the advantages and disadvantages of this approach? If there exists a superior alternative, your input would be greatly appreciated."


Thanks

8 Replies

Hi @bluesea2010 

SW1 and SW2 (by the way, this stencil actually represents a WLC and not a switch) are probably Layer 2 and have no reason for static routing. I believe the function of these 2 switches is to allow communication between the firewalls in Layer 2 mode, creating an HSRP VIP in order to serve as gateway to the cores.

If the core's default route is pointed to 172.16.3.1, I believe this is wrong, as 172.16.3.1 seems to be a firewall interface. If you have a cluster of firewalls (active/standby) you should not use an interface IP address as gateway but some VIP. Otherwise, if the active firewall fails, the standby would be useless.

The fact that they are in different DCs does not matter as long as you have Layer 2 communication between them.


Hi,

I cannot create HSRP on the core switches, because there is no L2 adjacency.

Thanks


The HSRP I pointed out was on the firewall, and that is what I believe the Layer 2 switch is used for.

But you actually can add HSRP on the core for the access switch.

HSRP is used on the upper device for the device below it, and not the opposite.

@bluesea2010 what is the firewall brand you are using? Some firewalls work with VRRP to maintain redundancy and some use proprietary methods. You need to have a good understanding of that to decide the routing from the core switch towards the firewall. And for SW1 and SW2 I think there is no need to use routing, because your firewall and core switch can share the same Layer 3 domain, so between the firewall and the core switches you can use the same subnet. Also I assume that your firewalls are distributed across the 2 datacenters physically; in that case you need to make sure the ISP-side routing is also properly configured, to avoid asymmetric routing and the performance issues it causes.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Hi @Kasun Bandara 

Can you please explain? I am sorry, I could not completely follow your instruction:

"and for SW1 and SW2 I think there is no need to use routing, because your firewall and core switch can share the same Layer 3 domain"

Can you please explain?

The firewall is FG.

@bluesea2010 as far as I know, FortiGate does not use VRRP in an HA setup, so both firewalls will use the same IP. In that case I assume you are using an HA setup in the same DC. Please explain how your devices are physically located.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Hi,

It is a single DC, located in different rooms.

I mentioned 'physically located' to indicate that only fiber cables can be used between the switches.

Thanks

@bluesea2010 OK. If you don't have any other zones between the core SW and the firewall, you can use a single L3 network between the core SW and the firewall. At the core switch, set a default route towards the firewall (or as per your network requirement); then at the firewall, add routes to the internal networks via the core switch. You can also configure OSPF between the core switch and the firewall.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB
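As an added illustration (not the poster's configuration and not a vendor reference), here is a Cisco IOS sketch of the core-switch side of the design in the reply above: OSPF between the two cores, one shared Layer 3 subnet towards the firewall carried over the Layer 2 path through SW1/SW2, and a static default route towards the FortiGate HA address. Constructed values: VLAN 30 with 172.16.3.0/24 as the shared subnet, Core1 at 172.16.3.2, Core2 at 172.16.3.3, the inter-core link on 10.255.0.0/31, and 172.16.3.1 as the address shared by the FortiGate HA pair, as described earlier in the thread.

```text
! Core1 -- constructed example values, see the note above.
hostname Core1
!
interface Vlan30
 description Shared L3 subnet towards the FortiGate HA pair (via SW1/SW2 L2 link)
 ip address 172.16.3.2 255.255.255.0
!
interface TenGigabitEthernet1/1
 description Layer 3 point-to-point link to Core2 (OSPF between the cores)
 no switchport
 ip address 10.255.0.0 255.255.255.254
 ip ospf network point-to-point
!
router ospf 1
 router-id 172.16.3.2
 ! No OSPF hellos towards the firewall in the static-route variant
 passive-interface Vlan30
 network 10.255.0.0 0.0.0.1 area 0
 ! Advertise the firewall-facing subnet to Core2
 network 172.16.3.0 0.0.0.255 area 0
 ! Push the static default into OSPF so Core2 also learns a default via Core1
 default-information originate
!
! Default route towards the firewall's HA address (not a single member's own IP)
ip route 0.0.0.0 0.0.0.0 172.16.3.1
!
! Core2 mirrors this with 172.16.3.3 on Vlan30 and 10.255.0.1 on the inter-core link.
! For the OSPF-to-firewall alternative from the reply, drop "passive-interface Vlan30"
! and the static route, and let the firewall originate the default into area 0 instead.
```

The firewall's return routes to the internal networks via the core, which the reply also calls for, are not shown here; with both cores in the same subnet, give them one consistent next hop on the core side so the forward and return paths stay symmetric, which is the asymmetric-routing concern raised earlier in the thread.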