2 TIER W/ FIREWALL

leonardoicasiano · ‎07-31-2023

Hi,

We have a Tier 2 network design and i am having trouble to figure the connection between the CORE SW and Firewall

Core_sw is using GLBP

FWPRiMARY-Active

FW_HA-Backup

Is it possible to implement this design and what do i need to consider and configuration to do?

Flavio Miranda · ‎07-31-2023

Hi @leonardoicasiano

People use GLBP due the load balance capability. If your firewall is active/standby you can not loadbalance. On this case, you can use HSRP or VRRP in case you have problem with GLBP.

You need to consider if you are going to use layer3 point to point between Core and firewall or layer2.

If layer3 with static routing or dynamic.

If dynamic, which protocol.

leonardoicasiano · ‎07-31-2023

Hi,

I will be using HSRP now and static routing. how about my connection from Layer 3 to firewall, i know that the firewall and HA use the same configuration, so IP addressing in my primary core and backup will be the same going to firewalls will this create a conflict, or any suggestion you might share?.

thanks!

Flavio Miranda · ‎07-31-2023

The firewall will probably offer.you a VIP right? Just like you do with HSRP.

The Primary core will have a default route to this VIP, right?

As you are going to use static/default route from the core to firewall, what you can do is add two static route on the core2

Core 1:

ip route 0.0.0.0.0 0.0.0.0 <fw vip>

On the core 2.

ip route 0.0.0.0.0 0.0.0.0 <core 1>

ip route 0.0.0.0 0.0.0.0 <fw vip> <administrative distance>

This way if the Core 1 crash the core 2 will remove the route to core 1 and use the second route sending to the firewall.

if core 2 drops,.nothing happen as the core 1 is the primary.

Just make core 1 active HSRP for all vlans.

leonardoicasiano · ‎07-31-2023

Then how about my addressing from COre to firewall. i will be using same address, will this be an issue or its ok?

Flavio Miranda · ‎08-01-2023

Why same address? What do you mean?

Which firewall is it by the way?

leonardoicasiano · ‎08-01-2023

I am really lost. this will be my topology.

FIREWALL is sync so they have the same configuration because of that i am confuse should i use the same address from L3 primary then use it on L3_Backup?

Flavio Miranda · ‎08-01-2023

Which firewall vendor and model is it?

leonardoicasiano · ‎08-01-2023

Sonicwall,

Flavio Miranda · ‎08-01-2023

Do you have the model?

Depeneding on the firewall you may need to change the topology. Maybe you need to use layer2 between cores and firewalls. And use interface vlan on the core side.

But I like to know which firewall model is and how the vendor suggest to build this kind of topology and if that is even possible for this vendor.

I have some experience with CheckPoint but not with Sonicwall. But they must have something docummented.

leonardoicasiano · ‎08-01-2023

Tz670, you think the only option for me is to put layer 2 in between?

Flavio Miranda · ‎08-01-2023

Give me a second, let me take a look on this firewall first.

But, keep in mind that if the firewall is in HA, your logical topology looks like this one. The HA is like one device.

Your physical topology looks like this

Flavio Miranda · ‎08-01-2023

Looking at the Sonicwall documentation, this is how the suggest to connect the firewall in HA environment.

They mention this interface X0 as the entry/exit point to Lan network, which would be the interface you would use to connect to the Cores. That being said, you are not going to cross connect the firewall but you are going to have one uplink from each firewall to Cores.