Setting Up a WAN

Here is what our network looks like now:

School A - A core switch (10.1.2.51 - Procurve 5412zl) which does all the routing
Sonicwall  - 10.1.2.50 where the internet comes from (into X1)
Two subnets - 10.1.2.xxx (512 IPs) = wired LAN - VLAN1
                       10.2.1.xxx (512 IPs) = wireless LAN - VLAN30
Filter - 10.1.2.18 (filters all traffic, pretty much only adult content)
Other misc. servers, etc.

School B - A core switch (10.5.0.11 - Procurve 5304xl) which does all the routing
Sonicwall  - 10.5.0.10 where the internet comes from (into X5 for some reason)
Two subnets - 10.5.0.xxx (512 IPs) = wired LAN - VLAN50
                       10.6.0.xxx (512 IPs) = wireless LAN - VLAN60
Other misc. servers, etc.

Now, we are going to have a Fiber WAN set up between these two schools.  School A will be the Hub and School B will be the spoke.  Our ISP says it should be set up like a PTP between the two.  

Some questions:

I'm going to come out of School A right into the current School B core switch, bypassing the current School B firewall completely, right?  Because the Firewall at School A will take over all of that.  

What do I need to add to the School B core switch so that any non-School B packets (like the internet) will be passed back to School A (which the WAN will come from)?

The ISP engineer also said that I needed to make sure that what was coming from School B into the School A core switch port - I had to make sure THAT port included all the subnets (something about an "on a stick")?

Thanks!
larry22 Asked:
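A minimal ProCurve-style configuration for the routed PTP setup asked about above, added here as an illustration and not from the original thread or any of its participants. The link VLAN (100), the /30 link addresses (10.255.0.0/30), the fiber port names (A1 on each switch) and the /23 masks (inferred from "512 IPs") are assumptions.

```text
; School B core (Procurve 5304xl, 10.5.0.11) - assumed port A1 faces the fiber
vlan 100
   name "WAN-PTP"
   untagged A1
   ip address 10.255.0.2 255.255.255.252
   exit
ip routing
; Anything not in 10.5.0.0/23 or 10.6.0.0/23 is sent back to School A
ip route 0.0.0.0 0.0.0.0 10.255.0.1

; School A core (Procurve 5412zl, 10.1.2.51) - assumed port A1 faces the fiber
vlan 100
   name "WAN-PTP"
   untagged A1
   ip address 10.255.0.1 255.255.255.252
   exit
ip routing
; Return routes for School B's two subnets (masks assumed from "512 IPs")
ip route 10.5.0.0 255.255.254.0 10.255.0.2
ip route 10.6.0.0 255.255.254.0 10.255.0.2
; Internet-bound traffic from either school leaves via the School A SonicWALL
ip route 0.0.0.0 0.0.0.0 10.1.2.50
```

The SonicWALL at 10.1.2.50 also needs static routes for 10.5.0.0/23 and 10.6.0.0/23 via 10.1.2.51, or replies from the internet to School B hosts are dropped. With a routed /30 link like this, the fiber port carries only the link VLAN, so no multi-VLAN trunk ("on a stick") is needed on the School A side unless School B's VLANs are to be terminated at School A.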

Blue Street Tech (Last Knight) Commented:
Hi larry22,

What models are the firewalls?

You could run the fiber into another WAN port on the Interface, then just a site to site VPN between the two firewalls. The firewalls should be setting up the VLANs anyway using PortShielding. And w/CGSS you can do all the mature filtering in each firewall as well for each location as well.

Then you can control access to whichever VLAN you desire.
larry22 (Author) Commented:
Diverseit -  Wouldn't it be far preferable to treat it like a ptp WAN and have the core switch doing the routing rather than VPN connections between two SonicWALLs?  I could bring School B's SonicWALL down to School A for high availability.  This is dark fiber running between two buildings.
Blue Street Tech (Last Knight) Commented:
I'm a little confused about the terminology used here...it sounds like some of it is misunderstood.

What is the ISP protocol used here: Metro Ethernet, MPLS, ATM...?

The only way to run Fiber in a Hub & Spoke configuration is through SONET using ATM. This is like ~$250k for this type of switch. The only way you'd want it set up like this is if both networks were on the same subnet or the same LAN, but in any case it's a pretty superannuated setup. Metro E would be a better option here if you are doing this type of setup.

The type of setup I'd recommend here really comes down to one question…do you trust the Telco/ISP providing the fiber? If you don’t trust them and/or need better security go with WAN to WAN (you could even bypass the site-to-site VPN), just plug in each end into a port on the SonicWALL and assign it as a WAN port. If you trust the Telco/ISP, then go with the PTP route.

Take a look at this, it will give you some insight on how you can utilize a VPN if you decide to go the PTP route: https://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=8445

Keep in mind if there is no or little trust with the ISP, all your data traveling on fiber is susceptible to Man-In-the-Middle attacks and if someone puts on Port Mirroring…they'd see everything and you’d never know.

Just an FYI: If you are using Fiber...it's not called Dark Fiber. Dark Fiber is unused Optical Fiber. It refers to the potential network capacity of telecommunication infrastructure. If you're using Fiber, it's just called Fiber or Optical Fiber or Fiber Optics.

Make sense?

Blue Street Tech (Last Knight) Commented:
Any update on this? Can I clarify anything for you? Just let me know. Thanks!
larry22 (Author) Commented:
I guess I understand.  I just thought the whole point of a WAN would be that we could use one filter, one firewall, one DHCP server (eventually), one DNS server (eventually), etc.
Blue Street Tech (Last Knight) Commented:
If you want to join both networks you can do that with PTP. As I suggested, I'd use Metro E though as it's more beneficial.

Here is a topology image to help better understand what I'm saying (attached).
KBID8445-NWDiag.jpg