05-13-2013 08:34 AM - edited 03-07-2019 01:19 PM
So, I have a situation and trying to find the best solution here. I have one internet connection connecting through to our ISA570 Firewall I need to use for failover for another network coming in. We are being supplied with two routers, one router will use a primary internet line coming in the next month and then the second should failover to our other internet connection. The company supplying the routers will not support going through our firewall and they need to make a site to site VPN through our internet connection as a failover. I am not even sure you could even do a static NAT to their router from our firewall for a site to site link, I have always assigned the IP directly to the interface. Anyway, so, we need to give them a public IP address and assign it to their router that they are using to failover to our internet connection. Our ISP has a router with an extra interface, which they won't let us enable and use for this failover router to hook into. So, I think I am just left with putting a switch between our ISP and our firewall to be able to hook in the failover router to be able to assign them one of our public IP addresses. I just don't know if we should just get a dumb switch or what? And how can I manage the switch if it is sitting in the public IP range? Do I have to assign the management IP a public address, assuming so.
Any help is much appreciated.
05-17-2013 09:54 AM
You may be over thinking this. Just think of a group of ports in the same VLAN that are in "access" mode similar to what you would with a dumb switch. That dumb switch doesn't care about VLANs and you can plug a router from your ISP into that. It is the same thing with these ports.
Think of the group of ports as a totally separate dumb switch that you plug all of your public facing devices into. The management IP is strictly so you can manage from your internal subnet.
Access ports don't care what VLAN they are in. You can take any VLAN numbered port that is an access port and plug it into another VLAN numbered port that is an access port and it will pass traffic. Not best practice but it works.
It also isn't best practice to have the same subnet live in two different VLANs. This can get very confusing and also routers won't let you have the same subnet off of two different routed ports if you ever needed to do this.
05-17-2013 10:38 AM
Yeah, I was overthinking this. I kept getting this in my mind: if it doesn't matter if the ports are in different VLANs and in switchport access mode, then why can't I ping between devices on a switch configured in this scenario? The answer is they aren't directly connected. To prove that I did what you said and I took two switches and configured one port as VLAN 1 and the second in VLAN 2 in access mode and connected them, then connected a device off each switch in the same subnet and put one device in each VLAN and they were able to ping each other.
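The layout the reply describes, written out as an added example config for a small managed Cisco switch (this is not from the thread, the ISA570 documentation or any vendor; VLAN numbers, port names, the /29 and the 192.168.1.0/24 management addresses are all assumed placeholders). The public-facing ports form one access VLAN with no SVI, so the switch itself has no address in the public range, and management is reachable only from the internal subnet.

```cisco
! Added example, not from the original thread. One managed switch sits between
! the ISP router and the ISA570 WAN port. VLAN 10 is the "dumb switch" group of
! public-facing access ports; VLAN 20 carries only the management IP on the
! internal LAN. All names, VLAN IDs and addresses are assumed placeholders.
hostname EDGE-SW
!
vlan 10
 name PUBLIC-EDGE
vlan 20
 name MGMT-INTERNAL
!
! Public-facing ports: plain access ports in the same VLAN, exactly like a
! dumb switch. The switch has no SVI in VLAN 10, so it owns no public address
! and cannot be reached from the ISP side.
interface GigabitEthernet0/1
 description ISP router (public /29 gateway)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface GigabitEthernet0/2
 description ISA570 WAN (public /29)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface GigabitEthernet0/3
 description Vendor failover router (one assigned public IP)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! Management path: one access port cabled to the internal LAN, plus the SVI.
interface GigabitEthernet0/24
 description Internal LAN (management only)
 switchport mode access
 switchport access vlan 20
!
interface Vlan20
 ip address 192.168.1.250 255.255.255.0
ip default-gateway 192.168.1.1
!
! Unused ports stay shut so a stray patch cable cannot bridge the two VLANs.
interface range GigabitEthernet0/4 - 23
 shutdown
!
! Management only over SSH, and only from the internal subnet.
ip access-list standard MGMT-ONLY
 permit 192.168.1.0 0.0.0.255
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
```

Because VLAN 10 has no SVI, the three public-facing ports pass traffic between the ISP router, the firewall and the vendor's failover router without the switch ever answering on a public IP.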