Virtual Switch Stack connections to Edge Network

Will Hrudey
Level 1

Hi All,

I have a pair of SG500 switches stacked together as a part of my collapsed core design. I would like to connect this stack to the edge network, which is comprised of two Dell Firewall/SonicWall 2400 HA peered nodes. The switch stack can be viewed as a single multilayer switch for the purpose of this issue. The Dell firewall nodes are configured in a HA peering mode, which means they have a dedicated Ethernet connection between the two peered nodes for heartbeats and config syncs only - no data traffic flows will be passed. In this HA scheme, these Dells obviously need to each run the same config and have the same physical connections in order to fail over transparently. The HA config requires each of these Dell nodes to have an IP on the *same* subnet along with a virtual IP on that same subnet. The standby Dell HA peer will keep the Ethernet interface up as well. My switch stack only supports static routing.

That said, I wanted my collapsed core design (switch stack) to connect to this edge network (Dell SonicWall firewall nodes) using L3 connections - a Cisco best practice - one from each switch in the stack to each SonicWall firewall. However, that would require that I set up routed ports on the switch stack on the SAME subnet ... which you obviously can't do because the individual switch (L3) port subnets overlap.

These Dells (the version I have) don't support link aggregation or VRRP. :-(

It seems as though my ONLY option is to run trunks from the switch stack to each Dell SonicWall HA node and create sub-interfaces on it for inter-VLAN routing. This is NOT a desirable option, however, because I wanted to keep the core switching / routing within the switch stack instead of impressing inter-VLAN routing and other core services on the edge network. But I don't see a way around this.

Am I missing something? Any thoughts on how to overcome this with L3 links from the switch stack to the Dell HA nodes without adding intermediate hardware?

Thanks !

/wh

Accepted Solution

Jon Marshall
Hall of Fame

The Cisco best practice to use L3 links is to use them where you can but if you can't use them then it's fine.

With a pair of firewalls you need them to be in the same subnet so you have to use L2 links and you would have to do this even if your firewalls were ASAs.

This doesn't mean it is bad design, it is the design you have to use.

You should use a new vlan purely for the connectivity between your core switches and the firewalls, and the ports on your switches do not need to be trunks; just make them access ports in that vlan.

Then add a default route to the switch stack pointing to the firewall VIP and routes for the internal subnets on the firewall pointing to the SVI for the vlan on the switch.

Jon

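The layout Jon describes (a dedicated vlan, access ports on both stack members, an SVI, a default route to the firewall VIP, and return routes on the firewalls), written out as an added configuration example in the SG500 CLI style. This is not configuration from the thread, from Cisco, or from Dell; all addresses, the internal subnet, and the port names are assumed, and vlan 50 is the number Will picks later in the thread.

```cisco
! Added example, not from the thread. Assumed addressing (constructed):
!   192.168.50.0/24  edge vlan 50 between the stack and the firewalls
!   192.168.50.1     SonicWall HA virtual IP (VIP)          - assumed
!   192.168.50.2/.3  SonicWall primary/secondary own IPs    - assumed
!   192.168.50.10    SVI of the switch stack                - assumed
!   10.10.0.0/16     internal (Hyper-V) subnets behind the stack - assumed
! Port names gi1/1/1 (stack unit 1) and gi2/1/1 (stack unit 2) are assumed;
! the stack is already running in Layer 3 (router) system mode.

configure terminal
vlan database
 vlan 50
exit

! Dedicated edge vlan: carries only stack <-> firewall traffic, no hosts
interface vlan 50
 name Edge-Firewalls
 ip address 192.168.50.10 255.255.255.0
exit

! One uplink from each stack member, one to each firewall, as access ports
interface gi1/1/1
 description to-SonicWall-primary
 switchport mode access
 switchport access vlan 50
exit
interface gi2/1/1
 description to-SonicWall-secondary
 switchport mode access
 switchport access vlan 50
exit

! Default route from the stack toward the VIP, which follows the active HA node
ip route 0.0.0.0 0.0.0.0 192.168.50.1
end

! On each SonicWall (identical on both HA peers, entered in its own UI/CLI):
!   static route 10.10.0.0/16 -> next hop 192.168.50.10 (the stack's SVI)

! Checks after applying
show ip route
show vlan
show mac address-table vlan 50
```

The `show mac address-table vlan 50` check shows on which of the two access ports the VIP's MAC address was last learned, which tells you which firewall is currently answering for the VIP and lets you confirm that a failover actually moved it; `show ip route` should list the 0.0.0.0/0 route with 192.168.50.1 as the gateway and the vlan 50 network as directly connected.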

2 Replies

Will Hrudey
Level 1

Just a brief clarification on expected behavior.

So if I make the stacked core switch uplinks to the pair of Dell firewalls access ports associated with a dedicated edge-network vlan (vlan 50), then in terms of outbound frames and switching behavior from the virtualized machines out to the WAN side of the firewalls: the outbound frames from the Hyper-V servers will reach the switch stack over the trunked multichassis EtherChannel, and then pass up to layer 3 on the switch stack (given that it's behaving like an inter-VLAN router); then the stack routing table will have the default route pointing to the Dell firewall VIP, to which the switch stack has an SVI presence on vlan 50, and the two uplinks, one from each node in the switch stack that leads to each Dell firewall, will be configured as switchports tagged as vlan 50. So the switch stack will actually pass the outbound traffic destined for the WAN across BOTH access ports. Thus, the outbound traffic will arrive at the uplink LAN NIC on each of the two Dell firewall peers, which is fine because only the active Dell firewall node will process the ingress traffic and the standby Dell firewall will drop it.

That said, I just wanted to confirm the switching behavior. Seem about right?
