Beginner

ISP/s -> L2 Switch -> Firewall -> LAN

Hi,

I would like to seek help with my proposed network.
It consists of Cisco switches (L2/L3) and Endian firewalls. I know I have the wrong equipment and the wrong forum, but I want to ask whether this topology is valid, or whether someone has already experienced this type of network.

Here's my topology.
NetworkTopology_New1.jpg

 

 

In order for my Endian Firewall to have fail-over, it needs a managed switch.
In my SW1, I've created VLANs for the LAN and the DMZ, and separate VLANs for each ISP.
These VLANs are isolated from each other.
 
I've already tried this with the actual testing equipment and it works, but with 1 ISP only.
Routing and switching also work internally, as do the fail-overs.

My question is: with my managed switch (SW1) that connects to the ISPs, will there be any issues if I add 2 or more ISPs to it? Different ISP, different VLAN.
Will it cause any issues on the switch? VLANs? Broadcast domains?
Will normal VLANs work, or do I need Private VLANs?

Please let me know your thoughts and questions.

Thank you in advance.





9 REPLIES
VIP Advisor

Re: ISP/s -> L2 Switch -> Firewall -> LAN

As long as it is segmented with different VLANs, you are OK.

On top of that, you need to take care of routing: how you want to route the outgoing traffic to ISP1/2/3 and so on.

 

BB
*** Rate All Helpful Responses ***
Beginner

Re: ISP/s -> L2 Switch -> Firewall -> LAN

Thanks for the advice.

Anyway, the Endian Firewall will take care of all the routing of internal VLANs per ISP.

VIP Advisor

Re: ISP/s -> L2 Switch -> Firewall -> LAN

I am sure you have a FW facing the internet side which protects it. You only need the VLAN extended.

BB
VIP Advisor

Re: ISP/s -> L2 Switch -> Firewall -> LAN

Hello

As the main internal switch is performing inter-VLAN routing, why not just have your SW1 as a host switch, thus having no L3 whatsoever and only providing the physical and transparent connectivity for your ISPs and FW?

 



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
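The two answers above boil down to a checkable policy for the edge switch: one VLAN per ISP, ISP VLANs pruned from the trunk to the core, no SVI on any ISP VLAN (so the switch has no L3 presence on the untrusted segment), and VTP transparent rather than a VTP server. The following is an added example, not code from the thread, Cisco or Endian: a small Python audit that parses an IOS-style config and reports violations of that policy. The config text, interface names and VLAN numbers it contains are constructed and hypothetical.

```python
"""Audit an IOS-style config for the 'ISPs -> L2 edge switch -> firewall' pattern.
Added example, not from the thread. GOOD_CONFIG/BAD_CONFIG are constructed
samples; interface names and VLAN ids are hypothetical.
"""
import re

# Constructed sample modelled on SW1: one access VLAN per ISP, one VLAN for the
# firewall HA/fail-over link, and a trunk to the core carrying management only.
GOOD_CONFIG = """\
hostname SW1
vtp mode transparent
!
interface GigabitEthernet1/0/1
 description ISP1 handoff
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/2
 description ISP2 handoff
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet1/0/3
 description FW-A uplink to ISP1
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/7
 description FW-A HA/fail-over link
 switchport mode access
 switchport access vlan 30
!
interface GigabitEthernet1/0/24
 description trunk to core, management only
 switchport mode trunk
 switchport trunk allowed vlan 99
!
interface Vlan99
 ip address 192.0.2.10 255.255.255.0
"""

# Same switch with the three mistakes the audit is meant to catch.
BAD_CONFIG = (
    GOOD_CONFIG.replace("vtp mode transparent", "vtp mode server")
    .replace("allowed vlan 99", "allowed vlan 10,20,99")
    + "!\ninterface Vlan10\n ip address 203.0.113.2 255.255.255.0\n"
)

ISP_VLANS = {10, 20}  # hypothetical: the per-ISP VLAN ids on the edge switch


def expand_vlan_list(spec):
    """'10,20,30-32' -> {10, 20, 30, 31, 32}."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if part:
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_config(text):
    """Split an IOS config into global lines and {interface: [sub-lines]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit(text, isp_vlans):
    """Return a list of findings; an empty list means the edge switch is clean."""
    findings = []
    global_lines, interfaces = parse_config(text)
    if not any(re.fullmatch(r"vtp mode (transparent|off)", g) for g in global_lines):
        findings.append("vtp: edge switch should run 'vtp mode transparent' (or off), "
                        "so nobody can push VLAN changes into it via VTP")
    for name, lines in interfaces.items():
        m = re.fullmatch(r"[Vv]lan(\d+)", name)
        if m:  # an SVI: only a problem if it sits on an ISP VLAN
            if int(m.group(1)) in isp_vlans:
                findings.append(f"{name}: SVI gives the switch an L3 address on the "
                                "untrusted ISP segment; keep ISP VLANs L2-only")
            continue
        mode = next((l.split()[-1] for l in lines if l.startswith("switchport mode ")), None)
        if mode == "trunk":
            allowed = next((l.split("vlan", 1)[1] for l in lines
                            if l.startswith("switchport trunk allowed vlan")), None)
            if allowed is None or allowed.strip() == "all":
                findings.append(f"{name}: trunk has no explicit allowed-VLAN list, "
                                "so ISP VLANs are extended to the core")
            elif expand_vlan_list(allowed) & isp_vlans:
                findings.append(f"{name}: trunk carries ISP VLAN(s) "
                                f"{sorted(expand_vlan_list(allowed) & isp_vlans)}")
        elif mode == "access" and not any(l.startswith("switchport access vlan") for l in lines):
            findings.append(f"{name}: access port left in default VLAN 1")
    return findings


if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD_CONFIG), ("BAD", BAD_CONFIG)):
        print(label, audit(cfg, ISP_VLANS) or ["no findings"])
```

Run it against a real `show running-config` export to get the same three classes of findings; the parser only understands the `interface` / indented sub-command layout of IOS, so other vendors' formats would need their own parse step.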
Beginner

Re: ISP/s -> L2 Switch -> Firewall -> LAN

Hi Paul,

Actually, I did it, but on SW1 and the main internal switch. I connected them with a trunk line and only allow the management VLAN to pass.
But not in transparent mode: I configured the main internal switch as VTP server for the internal switches and SW1 as a VTP server on its own.
NetworkTopology_New1.2.jpg


If I may ask, what would be best? Transparent mode, or a server on its own?

Thanks again in advance.

VIP Advisor

Re: ISP/s -> L2 Switch -> Firewall -> LAN

Hello

Have your firewall connect directly into the internal switch and then have the ISPs and firewall connect via SW1.

Then you can totally wipe SW1 and just use it as a transparent host for physical connectivity.



kind regards
Paul

Beginner

Re: ISP/s -> L2 Switch -> Firewall -> LAN

Hi Paul,

There is a problem connecting the firewall into the internal switch.
The Endian Firewall doesn't support EtherChannel, and its fail-over wouldn't work.
I already tried it, but only one cable will work. As per its documentation, it will need a managed switch and its own VLAN.
Please check it on my diagram.
On my L3 switch, I configured the EtherChannel with an IP address.

VIP Advisor

Re: ISP/s -> L2 Switch -> Firewall -> LAN

Hello

 


@daniel wrote: There is a problem connecting the firewall into the internal switch. The Endian Firewall doesn't support EtherChannel, and its fail-over wouldn't work.

Why does it need EtherChannel? Surely two ports in the same VLAN is all that is required for the HA/FO links. Now, even if you don't want to use the internal switch for HA, your DMZ can use it instead. Either way, I cannot see anything negating you defaulting that SW1 and just using it transparently.





kind regards
Paul

Beginner

Re: ISP/s -> L2 Switch -> Firewall -> LAN

Hi Paul,

I think it is better to use SW1 for the HA/FO links.
Directing the two LANs at the internal switch may be good, but HA/FO will not work that way unless they're on a separate or segmented VLAN.

For now I will not make any changes on the diagram.
I will keep on testing and will find any other issues.

Thanks in advance :)
