2 firewalls HA connect to 2 Internet circuits for redundancy trough sw

Bekzod Fakhriddinov · ‎09-27-2021

Hi,

I was asked to implement this: 2 firewalls HA connect to 2 Internet circuits for redundancy trough switch either catalyst or small business switch SG- 500/300/250. I dont like this not-standard setup and I'd connect firewalls directly to the ISP modem/router BUT ISP modems have only 1 port each , so to make redundancy between HA firewalls we have to use switch...

Firewalls will have ipsec vpn to other 6 sites and ssl vpn for remote users.

I am not sure if the switch cpu and memory capable to process traffic, switch will have to tag and untag vlanid for that traffic for both circuits and I think this can overload cpu/memory on the switch and cause drops. Am i wrong?

What experts think about this?

balaji.bandi · ‎09-27-2021

You can connect 2 Different VLAN in the switch, and FW you use different ISP config with respected IP config.

best is use Port-channel with sub-interface tagging with VLAN

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Georg Pauwen · ‎09-27-2021

Hello

what firewalls are you using ? If these are ASA firewalls, why not use active/standby failover ?

Bekzod Fakhriddinov · ‎09-28-2021

2 circuits, each CE modem has only 1 port so only 2 ports uplink A&B, AND 2 firewalls each with 2 wan ports C/D & E/F, firewalls in HA mode.

We would like to have C&A, D&B from1st firewall and E&A , F&B from 2nd firewall for redundancy. On the switch ports I'd have access vlan 10 for 1st internet circuit access and vlan 20 for2nd internet circuit access , kind of tunnels to bypass traffic up-down . Only my concern was switch ports capability , if they can handle traffic from firewall to internet and back...

Georg Pauwen · ‎09-28-2021

Hello,

which physical devices do you have (e.g. Nexus/Catalyst/ASA) ?

Bekzod Fakhriddinov · ‎09-28-2021

cisco small business switch SG-500 and 2 fortigate firewalls .