Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
573
Views
0
Helpful
4
Replies

Switching options for HRSP and Firewall

Chris Ivy
Level 1
Level 1

‎01-15-2014 01:15 PM - edited ‎03-07-2019 05:35 PM

Hi All,

At our Colo center our ISP is giving us two lines.  Each going to their own router and are configured as HRSP.  I have two firewalls that will be running in HA mode as Active/Passive failover.  I need to connect the two lines first to a L2 switch and then out to the firewalls. 

I will be using a pair of switches for redundancy.  As I only need a few ports for this should I get two small switches, like something from the SG300 line and place them as WAN switches that go to the WAN side of the firewall? Or shoudl I just connect the lines to my existing LAN switches (cat 3650s) and then out to the firewalls WAN side and then back down to the switches from the LAN side of the firewall?

What makes better sence here?

Thanks,

Chris

Labels:
0 Helpful
4 Replies 4

Jon Marshall
Hall of Fame
Hall of Fame

‎01-15-2014 01:26 PM

Chris

Personally i think is using the same switches for the internal and external side of the firewall is a bad idea. It does come down to cost but if there was misconfiguration on your 3560 switches it could have unexpected consequences.

It does depend on what you what you do with the internet but basically if you connected your routers to the internal switches all packets from the internet hit your switch before they go to the firewall. So imagine if someone did a denial of service against the public IP of your firewall. All the traffic would first have to go via your internal switch and the firewall is there to protect your internal network in the first place.

Like i say it does come down to cost and it could be unlikely you would ever see problems but to my mind if the firewall is there to protect your LAN you should not allow traffic from the internet to go via your LAN to get to the firewall.

Others may see it differently though.

Jon

0 Helpful

Chris Ivy
Level 1
Level 1
In response to Jon Marshall

‎01-15-2014 01:32 PM

Jon,

This was my thinking as well.  The cost is not that much of a problem.  I'm curious as to what model of switchs I should use for this WAN side switching.  I'm use to the Cat serires but obviously dont need many ports.  Any recommnedations?

Thanks,

Chris

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to Chris Ivy

‎01-15-2014 01:41 PM

Chris

I am exactly the same as you  ie. i am only used to the Catalyst switches so i can't really recommend any others. Obviously they only need to be L2 switches and probably don't need much functionality except basic vlan support. The only other consideration is the throughput needed.

If cost is not a problem maybe a pair of 6500s for future proofing

On a more realistic note if you want to stick with Catalyst switches you only need the most basic L2 model which should do everything you need. However there is a Small Business switches forum on CSC so you may want to ask there -

https://supportforums.cisco.com/community/netpro/small-business/switches?view=discussions

Jon

0 Helpful

mvsheik123
Level 7
Level 7

‎01-15-2014 01:29 PM

Hi Chris,

I would go with new switches. it is not recomended to connect extenal vendors (in your case- colo ISP) directly to your LAN.

Thx

MS

0 Helpful
Customers Also Viewed These Support Documents