
Will you also get a second

Will you also get a second Internet circuit? If so, then you could think about something like this (attached)...

I'm only familiar with Cisco and Fortinet firewalls. In my experience they are most reliable and easy to manage in active/standby mode with a L2 broadcast domain shared across the 'outside' interfaces, and same across the 'inside' interfaces, hence two pairs of stacked switches.

You might need to run BGP on the 'outside' switch stack and peer with the ISP routers, but there's lots of ways of doing this. Maybe start a new thread on the WAN section.

This is just to give you an idea by the way. You still need to think it through yourself and work out if it's feasible and right for your needs.

You should think through how traffic will be forwarded and in each direction. Outbound traffic in the attached example network could flow like this:

  • Gateway for clients is a VLAN SVI on the connected 4500 switch.
  • Gateway for sw1/sw2 is an SVI on the 'inside' switch stack.
  • Gateway for 'inside' switch stack is the active firewall's inside interface.
  • Gateway for active firewall is an SVI on the 'outside' switch stack.
  • Gateway for 'outside' switch stack is learned via BGP from ISP router with best attribute.

Thanks, Shillings.

No, I will just have the single connection and, at the moment, I just have one Checkpoint firewall with 2 LAN ports, one unused at the moment.

We will not be getting any additional switches so I can't do what you showed in your visio drawing, though i like the design.

I have to work with what I have:

2 4510R+E with dual WS-X45-SUP8-E Supervisors.

So, I guess my options are 2 standalone switches, HSRP, or VSS Quad SUP.

Any other suggestions for what I have to work with? Does adding a connection from the other switch to the single firewall change things? Or adding a second firewall later?

I realize that a tiered design is ideal, but it would be a shame to not take advantage of the (8) Ten Gigabit Ethernet connections I have.


If you can't buy more kit

If you can't buy more kit then I'd leave the single firewall connected to one 4500 for now. It's worth using the spare firewall interface and running an EtherChannel to the same 4500, but terminating on different linecards.

You 'could' VSS-enable the 4500s and uplink the Checkpoint to both switches, but I'd advise against it for reasons already explained.

I'm not sure what you're going to do when the second firewall arrives. I never design a solution with firewalls that failover using dynamic routing protocols. I could never get it to work very smoothly in the lab and our deployment engineers don't like it either. Maybe your circumstances just need more thought to come up with a good solution.

Please don't take this the wrong way but it sounds like your company needs some pre-sales help to design a solution rather than just buying new boxes without any plan. Or perhaps someone has a plan but they are keeping it a closely guarded secret :)

Good luck.


Well, we got a very good deal

Well, we got a very good deal on purchasing a second 4510 when it came time to trade in the old one that reached EOL. Too good to pass up. Since we have more phones/PCs than PoE ports on a single chassis (also thinking of future growth), I was told to split the client connections between them, connect them together using the 8 Ten Gig connections bundled in an EtherChannel, and set up HSRP so data can pass across the 10 Gig bundle (if the client is connected to the other switch) and then out the connection to the firewall. I'll be doing L3 switching (all routing has been done on the Checkpoint up until now) and having the clients' gateways set to .1 of their VLAN, which I was thinking would be the virtual IP from HSRP, until I saw that my switches qualified for VSS. Then I could manage both switches at the same time, similar to a 3750 stack, and still point the clients to a single gateway IP regardless of which switch they were plugged into.

But I wasn't sure which method was better (HSRP or VSS)...and here we are :)


I think you have all the info

I think you have all the info now to make a decision. Unfortunately, none of the options are perfect:

  • If you use VSS then you'll be going outside the design guidelines and traffic will be using the VSL during normal operation.
  • If you use HSRP then you'll need STP and one uplink will be blocked. If Sw1 dies then all clients lose Internet access.
  • If you dual-home to the same 4500 then you've arguably got less redundancy. Again, if Sw1 dies then all clients lose Internet access.
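To make the HSRP option in the list above (and the gateway chain sketched earlier in the thread) concrete, here is a constructed configuration for Sw1 of the 4510R+E pair. It is an added example, not configuration posted by anyone in the thread, and every VLAN number, address, port number and the key string are assumptions: client VLAN 10 (10.0.10.0/24), a transit VLAN 100 (10.0.100.0/24) toward the Checkpoint, HSRP VIPs at .1, and the eight 10G links as one L2 trunk bundle. Sw2 would carry the same configuration with .3 addresses and without the priority/preempt lines.

```cisco
! Constructed example for Sw1 (not from the thread). All numbers are assumed.
hostname Sw1
ip routing
!
vlan 10
 name CLIENTS
vlan 100
 name FW-TRANSIT
!
! Keep the STP root on the HSRP-active chassis so the L2 forwarding path and
! the L3 gateway line up instead of hairpinning across the 10G bundle.
spanning-tree mode rapid-pvst
spanning-tree vlan 10,100 root primary
!
! The eight 10G links bundled into one L2 trunk (assumed port numbers).
interface Port-channel1
 description 10G EtherChannel to Sw2
 switchport mode trunk
 switchport trunk allowed vlan 10,100
!
interface range TenGigabitEthernet1/1 - 8
 switchport mode trunk
 switchport trunk allowed vlan 10,100
 channel-group 1 mode active
!
! Checkpoint inside interface: L2 access port in the transit VLAN, on Sw1 only.
! The spare firewall port can be bundled to this one via a port on a different
! linecard, as suggested earlier in the thread (assumed port number).
interface GigabitEthernet2/1
 description Checkpoint inside
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
!
! Client gateway: hosts use 10.0.10.1 whichever chassis they plug into.
! <shared-secret> is a placeholder; MD5 authentication only keeps a stray or
! rogue HSRP speaker on the VLAN from joining the group, it is not encryption.
interface Vlan10
 ip address 10.0.10.2 255.255.255.0
 standby version 2
 standby 10 ip 10.0.10.1
 standby 10 priority 110
 standby 10 preempt delay minimum 60
 standby 10 authentication md5 key-string <shared-secret>
!
! Transit VLAN: the Checkpoint points its static routes for the inside
! networks at the VIP 10.0.100.1 rather than at either chassis address.
interface Vlan100
 ip address 10.0.100.2 255.255.255.0
 standby version 2
 standby 100 ip 10.0.100.1
 standby 100 priority 110
 standby 100 preempt delay minimum 60
 standby 100 authentication md5 key-string <shared-secret>
!
! Both chassis default-route to the firewall's real inside address (assumed).
ip route 0.0.0.0 0.0.0.0 10.0.100.254
```

Two caveats a practitioner would check before deploying this. First, it does not change the failure mode the post above describes: the firewall is single-homed to Sw1, so if Sw1 dies Sw2 takes over the VIPs but still has no path to the Internet; what survives is the client gateway for traffic between the two chassis. Second, HSRP hellos travel as multicast inside the VLAN, so keep VLAN 100 confined to the trunk and the firewall port (no client access ports), and treat the key string as a secret that sits in cleartext in the running configuration.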

Using the scenario of switch

Using the scenario of switch-1 dying and all clients going down with it is a tough sell, since we have been relying on a single 4510 for the past 9 years without problems.

You're saying...if I use HSRP, I need to set up the 10 Gig links with STP?

How do users dual-home to the same switch?

Sorry...I'm starting to get confused.


I thought you were intending

I thought you were intending to dual-home some endpoints, presumably servers, although there are none shown on your diagram? If you're not dual-homing anything then why the need for HSRP? Why not simply route between the two 4500s? Or are you needing to span VLANs?

I'm confused too :) On the one hand you're saying that you've been using a single 4500 without issue for 9 years. On the other hand you're saying that failure of this switch is no longer acceptable because sw2 users will lose Internet connectivity. Surely there's no change there then - i.e. if sw1 dies then all Internet connectivity is lost. Maybe I've misinterpreted your last post...


I don't recall saying that

I don't recall saying that failure isn't acceptable. In the last post, I said that it would be a tough sell to the powers that be, seeing as we've been fine for the past 9 years. Meaning...I'm all for it, but it will be hard to convince those that approve purchasing of that, given the history. Perhaps that's what you're referring to. I apologize for the confusion.

I can dual-connect the ESXi servers to both switches. That's fine. Sorry...I thought you were referring to the PCs (clients) when you first said dual-home.

I guess I'm just trying to find the best way to route packets for clients connected to both switches, as well as the ESXi servers, out to the internet and across the 4500's if need be, and was hoping to be able to work some HSRP or VSS magic to my advantage somehow.



There are now updates to this

There are now updates to this design, to include an additional Checkpoint firewall. We also have a few Cisco SMB SG300-28MP switches that were once used for a temporary space, and I'm wondering if these could be used as access layer switches with redundant uplinks to our 4510R+E collapsed core switches. Can someone also tell me whether Quad-SUP VSS or HSRP is the better choice?

Would using the SG300-28MP switches degrade performance compared to connecting all of the client PCs and phones directly into the 4510R+E's?

An upgraded network diagram is attached.

I am still trying to find a proper solution to this if someone can help. Thanks very much, in advance.


Would have to know what

Would have to know what specific model of line cards you have for user termination on the 4500s, but there is a high probability that those cards have significant buffer and QoS queuing advantages over small-business-grade switches. What model are they, since those low-end switches do offer PoE+? That being said, if you are not running IP-based security cameras, ultra-high-end video phones, or the newest APs Cisco offers where going beyond 16W is needed for all radios to be enabled, it likely doesn't matter. History "keeps" teaching me and the companies I have worked with that the less SMB equipment you run, the more likely you are to achieve enterprise levels of uptime consistency. Depending on your users, what they are doing behind those switches and what your user equipment looks like, there may be a noticeable difference to them; so, it may just be about your sanity and what you have to support. The more complex and inconsistent you are with parts quality, the less time you will have between putting out fires.


Thank you very much for the

Thank you very much for the response.

The line cards are: WS-X4748-UPOE+E.

So, now that my plan will include two firewalls in the future, as opposed to the original posting here with only a single firewall, does it make sense to run Quad-SUP VSS or HSRP on the 4510R+E's with the client PCs, Phones, and the servers connected directly to the 4510's?
