
Switch between ISP Modem and Firewalls

gfrazier
Level 3

I haven't done this before, but I am sure this has been done on several occasions:

I have a client that has only 1 IP address and limited ports on his ISP's modem - they want to set up a redundant firewall (MX105s)... they want to place a switch in between to make this possible.

I don't think this is a good idea due to adding a single point of failure into the WAN setup, and I think the cost of using a switch is more than it would be to just get another static IP... however... this is what they want... Any suggestions?

1 Accepted Solution


CMR
Meraki Community All-Star

We always get at least 3 IPs, so it is just for the physical switch. If you only get one IP then I'd get a basic router to NAT the WAN interfaces of the MXs. We do this where we have to have a VDSL circuit, as you'd need a modem anyway, so you might as well get the ISP to provide a router that also gives you multiple IPs.


9 Replies

101100101
Level 2

If you have a switch stack southbound of the MX pair, just have the ISP come in on one of those. If there is only a single port available on the ISP modem, there is still the lack of redundancy if the switch it is plugged into fails, but you would at least be able to swing it over easily.

MarcP829
Level 9

Limited ports sounds like limited LAN ports = at least two?

If so, why a switch? Use VRRP on the Merakis and connect them to the router.

If you have only one ISP router LAN port, I'm going with @101100101: possible, but a problem if the switch fails.

For HA you need two public IPs, as the secondary device also needs internet connectivity. And yes, if the ISP device only has one port, you need a switch between these devices.


PaulMcG
Level 4

Two public IPs are a minimum with an HA setup but if you want to use the VIP option, a 3rd public IP is also required.

CMR
Meraki Community All-Star

We always put a switch in between the ISP NTE and our firewalls as in the UK you only ever get one port per service. I generally use Cisco small business unmanaged L2 switches and have had great reliability with them. We don't count it as a single point of failure as we have two ISP connections at each site 😉


We've recently done this due to a flapping port on either the MX or the ISP router. We used an HPE Aruba switch with no config. Works well!

So, how exactly do you configure a switch port for a WAN port then the others uplinked to the Firewalls when you just have one ISP port and one IP?

CMR
Meraki Community All-Star

We always get at least 3 IPs, so it is just for the physical switch. If you only get one IP then I'd get a basic router to NAT the WAN interfaces of the MXs. We do this where we have to have a VDSL circuit, as you'd need a modem anyway, so you might as well get the ISP to provide a router that also gives you multiple IPs.


We do it the same way.

Or we use an existing Meraki switch, configuring its own VLAN on the three ports: ISP, MX1 and MX2. It works like a small switch, but the advantage is: it's managed.