Bekzod Fakhriddinov
Enthusiast

2 firewalls HA connect to 2 Internet circuits for redundancy through sw

Hi,

I was asked to implement this: 2 firewalls in HA connect to 2 Internet circuits for redundancy through a switch, either Catalyst or small business switch SG-500/300/250. I don't like this non-standard setup and I'd connect the firewalls directly to the ISP modem/router, BUT the ISP modems have only 1 port each, so to make redundancy between the HA firewalls we have to use a switch...

Firewalls will have ipsec vpn to other 6 sites and ssl vpn for remote users. 

I am not sure if the switch CPU and memory are capable of processing the traffic; the switch will have to tag and untag the VLAN ID for that traffic for both circuits, and I think this can overload the CPU/memory on the switch and cause drops. Am I wrong?

What do the experts think about this?

5 REPLIES
balaji.bandi
VIP Guru

You can connect 2 different VLANs in the switch, and on the FW you use different ISP configs with the respective IP config.

Best is to use a port-channel with sub-interface tagging with VLAN.

BB


Georg Pauwen
VIP Master

Hello,

what firewalls are you using? If these are ASA firewalls, why not use active/standby failover?

2 circuits, each CE modem has only 1 port, so only 2 uplink ports A&B, AND 2 firewalls each with 2 WAN ports C/D & E/F, firewalls in HA mode.

We would like to have C&A, D&B from the 1st firewall and E&A, F&B from the 2nd firewall for redundancy. On the switch ports I'd have access VLAN 10 for the 1st internet circuit and VLAN 20 for the 2nd internet circuit, kind of tunnels to pass traffic up and down. My only concern was the switch ports' capability, whether they can handle the traffic from the firewalls to the internet and back...
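One way to express the VLAN 10/20 "tunnel" design from this reply as switch configuration, added here as an example and not taken from the thread. It uses IOS-style SG-500 syntax (exact syntax varies by firmware) with hypothetical port numbers gi1/1/1 to gi1/1/6 for modem ports A/B and firewall WAN ports C/D/E/F.

```cisco
! Added example (not from the thread): SG-500-style config for the design above.
! Port numbers gi1/1/1..gi1/1/6 and VLAN names are hypothetical assumptions.
! VLAN 10 = ISP circuit A, VLAN 20 = ISP circuit B. Each VLAN is a pure L2
! "wire" between one modem port and one WAN port on each HA firewall.
vlan database
 vlan 10,20
exit
interface vlan 10
 name ISP-A-WAN
exit
interface vlan 20
 name ISP-B-WAN
exit
! Uplink A: ISP modem A (untagged access port) -> VLAN 10
interface gigabitethernet1/1/1
 description ISP-A-modem
 switchport mode access
 switchport access vlan 10
exit
! Uplink B: ISP modem B -> VLAN 20
interface gigabitethernet1/1/2
 description ISP-B-modem
 switchport mode access
 switchport access vlan 20
exit
! Firewall 1 WAN ports C (ISP A) and D (ISP B)
interface gigabitethernet1/1/3
 description FW1-WAN-C
 switchport mode access
 switchport access vlan 10
exit
interface gigabitethernet1/1/4
 description FW1-WAN-D
 switchport mode access
 switchport access vlan 20
exit
! Firewall 2 WAN ports E (ISP A) and F (ISP B)
interface gigabitethernet1/1/5
 description FW2-WAN-E
 switchport mode access
 switchport access vlan 10
exit
interface gigabitethernet1/1/6
 description FW2-WAN-F
 switchport mode access
 switchport access vlan 20
exit
! Keep the switch's own management IP off the Internet-facing VLANs: leave
! management in a separate VLAN so VLANs 10/20 carry only transit traffic
! and expose no switch services toward the ISP side.
```

With plain access ports there is no per-packet tagging work to speak of; the trade-off of this layout is that the one switch becomes a shared point of failure for both circuits and both firewalls, so it needs the same power and monitoring care as the firewalls themselves.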

Hello,

which physical devices do you have (e.g. Nexus/Catalyst/ASA)?

Cisco small business switch SG-500 and 2 FortiGate firewalls.