Firewall-Switch-NAS help

H_A
Level 1

Hello, 

 

I am trying to set up a lab and am running into an issue planning out the implementation. I am seeking feedback and suggestions on drawbacks and/or faults in the concept.

 

My goal, if possible, is:

 

I have two L3-capable switches (48-port switches) and would like to segment two ports on each switch to a specific VLAN. I would then connect the matching ports on the switches. I would then like to connect the second switch in the row to a Synology NAS using a 5th port for that VLAN. The interface VLAN IP address would be on the same subnet as the Synology interface. I would like to use two Synologies in this lab. Before traffic comes into the switch it will go through a firewall configured with subinterfaces to carry the traffic for the VLANs (I know, a single point of failure; how can I avoid this?).

 

I am new to this and hope I am explaining my issue clearly.  

 

1 Accepted Solution

Ok, so if I'm not wrong, everything should look like the diagram I labeled as "example". If that is the case and you are concerned about the single point of failure (red cable) between the firewall and switch one, I will recommend this:

 

Link both switches using stack cables; that way both switches can act as one, allowing you to configure a port-channel and transferring the single point of failure to the firewall (because you only have one).

If you do not have stack cables, the solution is pretty much the same, but instead use only ONE switch, since the second one is not adding any real value to the design.

 

Hope this helps.

Rolando A. Valenzuela.

 

 


6 Replies

I was trying to draw your connections, but I'm not sure where the firewall or the second NAS is going to be; after I have a better picture I can help you :)
Now, I'm assuming the single point of failure is between the switch and the firewall (only one cable)... are these stackable switches?

 

Regards.

Rolando A. Valenzuela

Top down:
Firewall - switch 1 - switch 2 - NAS
Yes, they are stackable, but I was going to daisy chain them unless it is better to stack them.


As I am assuming, your devices are connected as:

Firewall ----> Switch 1 -------> Switch 2 --------> NAS 1, 2

 

and routing (InterVLAN) is configured on the firewall.

 

My Suggestion:

 

Your InterVLAN routing must be on Switch 1 (L3), so your local LAN traffic will not reach the firewall and it saves the firewall's resources.

 

Configure an L3 link between the firewall and Switch 1 as your LAN network uplink. One more thing: now your Switch 1 is the gateway for all your systems.

 

Regards,

Deepak Kumar


Thanks, Rolando.

 

I will just go with the ONE L3 switch connecting to the NASs and a bundled link to the firewall for redundancy.

I will put the switch ports in different VLANs to isolate the paths.

 

The VLAN interface will be the default route for the NAS, and the NAS interface will have an IP on the same subnet.

 

I will try to create a static NAT entry from private to a specified public address per NAS, so the traffic can be isolated bi-directionally.

 

BTW, what software did you use to build that diagram?
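The design settled on above (one L3 switch, or a stack acting as one, an LACP bundle to the firewall, and one VLAN/SVI per NAS) as an added Cisco IOS configuration example; this is not from the thread or from any poster. Stack member slots, interface names, VLAN IDs and all addresses are placeholder assumptions.

```cisco
! Added example, not from the thread. Assumes a two-member Catalyst stack;
! interface names, VLAN IDs and addresses are placeholders.
ip routing
!
vlan 10
 name NAS1
vlan 20
 name NAS2
!
! One uplink port on each stack member, bundled with LACP so that losing
! either member or cable keeps the path to the firewall up.
interface range GigabitEthernet1/0/1, GigabitEthernet2/0/1
 description Uplink to firewall (one link per stack member)
 no switchport
 channel-group 1 mode active
!
interface Port-channel1
 description Routed uplink to firewall
 no switchport
 ip address 192.0.2.2 255.255.255.252
!
! The switch routes between VLANs, so filter NAS1 <-> NAS2 on the SVIs
! to keep the two NAS paths isolated as intended.
ip access-list extended NAS1-IN
 deny   ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 permit ip any any
ip access-list extended NAS2-IN
 deny   ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip any any
!
interface Vlan10
 description Gateway for NAS1 (NAS default route points here)
 ip address 10.10.10.1 255.255.255.0
 ip access-group NAS1-IN in
!
interface Vlan20
 description Gateway for NAS2
 ip address 10.10.20.1 255.255.255.0
 ip access-group NAS2-IN in
!
interface GigabitEthernet1/0/10
 description NAS1
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet2/0/10
 description NAS2
 switchport mode access
 switchport access vlan 20
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1
```

The per-NAS static NAT mentioned above still lives on the firewall; the firewall only needs a route back to 10.10.10.0/24 and 10.10.20.0/24 via 192.0.2.2.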

 

 

I don't know what you want to accomplish, but the solution sounds overkill; you can have two different IPs (NAT) using the same VLAN, and you don't need to deal with two interfaces on the firewall (just one, bundled in a port-channel).

 

I used Microsoft Visio for the diagram.

Rolando A. Valenzuela.
