07-12-2022 07:05 AM
Hello,
I would like to have your support to define the best architecture with our equipment. Currently, we have
- 1 cluster of firewalls with 2x WatchGuard (with a 4x10G extension module embedded)
- 1 stack with 2x Catalyst C3850-12S (without a 10G module, but we can buy one if it's still possible)
- 1 stack with 2x Catalyst 9200L 48 ports with a 4x10G module per switch
- 1 stack with 2x 9200L (with 4x10G module) used for end-user connections (in the same room as the other switches)
- 1 stack with 2x 9200L (with 4x10G module) used for end-user connections (in a separate room)
- 1 switch C2960X (10/100/1000)
Based on this inventory, if you had to define an architecture from scratch, what would be for you the best architecture with good performance and redundancy?
BR
07-12-2022 04:36 PM
Your Firewalls facing your ISP, then connected to your firewalls you would have the C3850 Stack as the collapsed Distribution/Core where all your Routing should happen. Then have all the C9200L and the C2960X connected to the C3850 Stack, so the C9200L and the C2960X would be your Access Layer Switches. Try to keep all links between the Switches with at least one 10G link (maybe 2 10G links on a Portchannel for redundancy).
07-13-2022 12:27 AM
Hello
Thanks for your feedback. Is the following diagram correct based on your recommendations? I just changed the C2960X to be used as the switch connecting our 2 ISP routers (we have 2 providers) and the firewalls.
My objective is to have redundancy and performance with our current equipment. All equipment has a 10G module except the C3850 (I will see about buying one). Is it the best configuration for you even if I mix VLANs created directly on the C3850-12S or on the WatchGuard, depending on whether the VLAN must be isolated?
BR
07-13-2022 07:17 AM
Looks good, having the 10G links between the Switches will give you performance (if possible get 2 10G links between the Switches on a Portchannel), and having the Switches on a Stack will give you additional redundancy. If you go for the 2 10G links and build Portchannels then try to have 1 10G link on SW#1 of a Stack and the other 10G link on SW#2 of that same Stack.
I see your diagram has Portchannels from the C2960X to the 2 Firewalls (one leg of each Portchannel to each Firewall). If the Firewalls can act from the control-plane perspective as a single device then that setup will work; if they do not work as a single device then the Portchannel to the C2960X might show errors or might just work on 1 link to one of the Firewalls. Try to build the Portchannel with LACP between the Firewalls and the C2960X first; if it does not work (or only works on 1 link) then do not force it with mode ON on the Portchannel, as it will cause you problems later.
The same goes for the Portchannels between your Firewalls and the C9200 / C9200L / C3850 Switches: as long as those pairs of Switches are on a Switch Stack then there is no problem having a 2-link Portchannel to a single Firewall. If you build the Portchannels with 1 leg on each Firewall then you need to make sure the Firewalls act as a single device from the LACP perspective.
Could you elaborate a bit more on your last question, where you mentioned "Is it the best configuration for you even if I mix VLANs created directly on the C3850-12S or on the WatchGuard, depending on whether the VLAN must be isolated?"
07-13-2022 09:10 AM
Added new information: due to the cost of the 2 modules for the C3850-S being too high, I can't buy them... so I can't have 10G connections on the C3850, only on the C9200 and on the FW....
07-13-2022 09:27 AM - edited 07-13-2022 10:06 AM
Understood. No problem. Then on the C3850s do you have a C3850-NM-4-1G for the uplink connections? Or perhaps you are planning on using some of the 12 1G fiber ports on those two C3850s to connect that Switch Stack to the Firewalls? In both cases see below:
If 10G cannot be done on the C3850s then you could also have a Portchannel of 4 1G links from the C3850 Switch Stack to your Firewalls. Here again, if the Firewalls act as a single device from the LACP perspective then your Portchannel could be 2 legs of 1G to Firewall #1 and the other 2 legs of 1G to Firewall #2. If the Firewalls do not act as a single device from the LACP perspective then you could have 2 separate Portchannels of 2 1G links (one separate Portchannel to each Firewall).
Not having the 10G links on the C3850 could lead to output drops on the links connecting to the Firewalls. So it could also be good if you add these to your C3850 Switches (same for the C9200 and C9200L Switches):
configure terminal
qos queue-softmax-multiplier 1200
qos queue-stats-frame-count
do clear counter
port-channel load-balance src-dst-mixed-ip-port
end
clear counters
Quick note: I mentioned building Portchannels between the Firewalls and the C3850 Switch Stack assuming that the Firewall ports (even if all are 10G) may also be capable of running at 1G.
07-14-2022 02:58 AM
Hello,
Just one more piece of information: our firewall cluster is configured in active/passive mode. Regarding the connection between the FW and the 2960X, or between the FW and the 3850, is the configuration designed in my diagram correct for performance and redundancy if one node of the FW or the C3850 is down?
BR
07-14-2022 06:55 AM
"is the configuration designed in my diagram correct for performance and redundancy if one node of the FW or the C3850 is down"
Yes, the way you have placed the Portchannels on your diagram will cover the redundancy part; however, that depends on the Firewalls. As in, the Firewalls can be configured in active/passive mode as you mentioned, but for the Portchannels to work the Firewalls need to act as a single device from the LACP perspective for those Portchannels to be valid.
Now about performance: since you cannot have 10G between all devices (because the C3850s will only have 1G), while it is not optimal you can still work with it, having 10G links where you can, and on the links where you cannot have 10G you could have 4 (or even 8) links of 1G on a Portchannel and add the QoS commands I shared to reduce output drops (if any).
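As an added example that is not part of the original thread or the poster's own configuration, the following IOS-XE snippet shows how the advice in the 07-13 09:27 AM and 07-14 06:55 AM replies could be put together on a C9200L stack facing the WatchGuard cluster: LACP (mode active, not mode on) bundles with one leg on each stack member, a separate bundle per firewall node because an active/passive pair is not one LACP partner, the trunk restricted to the VLANs the firewall actually needs, and the global load-balance/QoS commands from the thread. Interface names (Te1/1/1-2 on stack member 1, Te2/1/1-2 on member 2), the VLAN IDs 10,20,30 and the names "Firewall A/B" are assumptions for illustration.

```cisco
! Added example, not the poster's configuration.
! Assumed: Te1/1/1-2 are the first two 10G module ports on stack member 1,
! Te2/1/1-2 on member 2; VLANs 10,20,30 are hypothetical; Firewall A/B are
! the two WatchGuard cluster nodes (A active, B passive).
configure terminal
!
! Global settings from the thread: hash flows across bundle members and
! enlarge the soft-max queue so 10G bursts into 1G links drop less.
port-channel load-balance src-dst-mixed-ip-port
qos queue-softmax-multiplier 1200
qos queue-stats-frame-count
!
! Po1 -> Firewall A: one leg per stack member, so the bundle survives the
! loss of one switch. "mode active" negotiates LACP; never force "mode on".
! Only the VLANs the firewall must see are allowed on the trunk.
interface Port-channel1
 description Po1 -> Firewall A
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
interface range TenGigabitEthernet1/1/1 , TenGigabitEthernet2/1/1
 description Leg to Firewall A (Te1/1/1 on SW#1, Te2/1/1 on SW#2)
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 channel-group 1 mode active
!
! Active/passive cluster: the passive node is a different LACP partner,
! so Firewall B gets its own bundle rather than a leg of Po1.
interface Port-channel2
 description Po2 -> Firewall B
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
interface range TenGigabitEthernet1/1/2 , TenGigabitEthernet2/1/2
 description Leg to Firewall B (Te1/1/2 on SW#1, Te2/1/2 on SW#2)
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 channel-group 2 mode active
end
!
! Verify: every leg should show (P) bundled. A leg in (I) individual or
! (s) suspended is the "only works on 1 link" symptom from the thread,
! meaning the firewall side is not speaking LACP as one device.
show etherchannel summary
! After the QoS commands, watch whether drops still grow on the 1G legs.
show interfaces TenGigabitEthernet1/1/1 | include output drops
```

The same layout applies to the C3850-12S stack with its 1G SFP ports (for example Gi1/0/11-12 and Gi2/0/11-12 as the four legs of a bundle), provided the firewall ports can run at 1G. Keeping the allowed-VLAN list explicit on both the Port-channel and its member ports is the security-relevant part: a trunk that carries every VLAN to the firewall defeats the isolation the VLANs were created for.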
07-15-2022 01:58 AM
Hello
Thanks for your feedback. What is your opinion about this new design? I used the 9200 to connect to the FW in order to have 10G connections between the firewall and the switches.
Between the first version and this one, which would be better in your view? I don't know if the 9200 switches are able to handle the traffic with the firewall and with our servers (our servers will be connected to it via RJ45 wired connections).
What is your feeling ?
BR
07-19-2022 01:13 AM
Hello
Any comments regarding this new version of our design? Or does the first version remain the best solution..?
BR
07-14-2022 03:22 AM
Those Catalyst switches are going to get smashed and smashed good.
07-20-2022 05:58 AM
Hello
Any comments regarding this new version of our design? Or does the first version remain the best solution..?
BR