Buy or Renew
Buy or Renew
NOTICE: The community will be in READ-ONLY Sept. 6 – 9 to add Umbrella release notes and announcements. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1577
Views
1
Helpful
12
Replies

Connectivity when switch stacking

ruch
Level 1
Level 1

‎03-28-2023 05:37 AM

Hi, 

We are planning to implement a core switch stack and firewall stack. Switches would be C9300 and firewall would be Sophos. Firewall is in Active Passive mode and switches will be stacked. 

I just want to what kind of uplink connectivity we need to use. do we need to use

> mesh connectivity between firewall and switch (from primary core switch, one cable to the primary firewall and one cable to the secondary firewall and from secondary core switch, one cable to the primary firewall and the one cable to the secondary firewall)

or single uplink from primary core switch to primary firewall and single uplink from secondary core switch and secondary firewall. 

Thanks you

Labels:
0 Helpful
12 Replies 12

balaji.bandi
Hall of Fame
Hall of Fame

‎03-28-2023 06:02 AM

You need to make small diagram for your understand what you deploying.

yes that is good approach

if you making stack of 2 Switches of Cat 9300 - that is good appraoch firewall 1 connect to Switch 1 and firewall 2 to switch 2

check HA requirement from Sophos is the key here :

https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/HighAvailablityStartupGuide/AboutHA/index.html#videos-how-to-configure-ha

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Flavio Miranda
VIP
VIP

‎03-28-2023 06:19 AM

Hi

 Both options applies however the first option will offer you much more resilience. If you look in the network design for Tier2 DC, you are going to see the interconnection is always a full mesh connection.

But, it depends also on how you are going to build the logical part. Are you going to use some dynamic routing protocol between then or just a default route from Core to Firewall?

You need to exercise on the design, thinking about if the Firewall active goes down and the second firewall take over, how my traffic will frow from my access switches to outside ?

0 Helpful

ruch
Level 1
Level 1
In response to Flavio Miranda

‎03-28-2023 07:07 AM

Hi, 

Basically Core switch will act as a L2 switch. Firewall will act as the gateway for the Vlans. so basically trunk uplink will be configured between firewall and the core switch. 

 

 

0 Helpful

ruch
Level 1
Level 1

‎03-28-2023 06:27 AM

Draft.PNG

Hi,

Thank you for the response. 

Just want to know whether to go with option 1 or option 2

Thanks

MHM Cisco World
VIP
VIP
In response to ruch

‎03-28-2023 06:46 AM

always cross is prefer with PO it prefect 
there are two failure here 
the PO (link) failure 
and the SW failure 

if one or port member is down the PO still UP and you are safe 
if one of Stack SW is failed the PO will still UP and you are also safe 
so op2 with PO 

0 Helpful

Reza Sharifi
Hall of Fame
Hall of Fame
In response to MHM Cisco World

‎03-28-2023 07:08 AM

MHM,

In a case like this where the firewalls are stacked or clustered and the switches are stacked, there is no need for redundant links or PO. This is just as you are connecting 2 devices together using 2 ports with one IP/vlan on each device. Also, remember not all the other vendors out there work nicely with Cisco's PO.

HTH

0 Helpful

MHM Cisco World
VIP
VIP
In response to MHM Cisco World

‎03-28-2023 07:21 AM

Draft.PNG

0 Helpful

Reza Sharifi
Hall of Fame
Hall of Fame

‎03-28-2023 06:36 AM - edited ‎03-28-2023 06:39 AM

Hi,

Since the firewalls will be in active/passive more, all you need is;

or single uplink from primary core switch to primary firewall and single uplink from secondary core switch and secondary firewall. 

Don't need to make these unnecessarily complicated, since option 1 will work just fine.

HTH

0 Helpful

ruch
Level 1
Level 1
In response to Reza Sharifi

‎03-28-2023 07:11 AM

Hi Reza,

Thank you for the reply, 

I have small doubt with that option. In the event of uplink port failure of the primary core switch, would the traffic flow via secondary core switch to the secondary firewall. 

Thanks

0 Helpful

Reza Sharifi
Hall of Fame
Hall of Fame
In response to ruch

‎03-28-2023 07:41 AM

Hi,

It should work just fine. Remember the firewall that is in passive mode is just on standby and not passing any traffic and just waiting for the primary to fail so it can take over. So, basically the link between the primary switch (we call it switch-1) and the primary firewall (we call it FW-1) is active and passing traffic. Now, if the primary firewall fails, the traffic should shift over to the standby FW. In a case where a switch-1 fails, the traffic should simply go out switch-2 to FW-2.In order for this to work correctly you have to configure link tracking on the firewalls so when the link between switch-1 and FW-1 fails, the traffic shifts over to FW-2 and switch-2. Obviously, any design should be thoroughly tested to make sure everything works as expected before going into production.

HTH

 

0 Helpful

MHM Cisco World
VIP
VIP
In response to Reza Sharifi

‎03-28-2023 07:44 AM

I will run lab and confirm my solution. 
the ASA active/passive or active/active can connect PO to SW stack. 

0 Helpful

Reza Sharifi
Hall of Fame
Hall of Fame
In response to MHM Cisco World

‎03-28-2023 07:55 AM

As far as I can tell, the OP is not using ASA.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card