• Status: Solved
  • Priority: Medium
  • Security: Public

Setting Up a WAN

Here is what our network looks like now:

School A
- A core switch (Procurve 5412zl) which does all the routing
- Sonicwall - where the internet comes from (into X1)
- Two subnets - 10.1.2.xxx (512 IPs) = wired LAN - VLAN1
                10.2.1.xxx (512 IPs) = wireless LAN - VLAN30
- Filter - (filters all traffic, pretty much only adult content)
- Other misc. servers, etc.

School B
- A core switch (Procurve 5304xl) which does all the routing
- Sonicwall - where the internet comes from (into X5 for some reason)
- Two subnets - 10.5.0.xxx (512 IPs) = wired LAN - VLAN50
                10.6.0.xxx (512 IPs) = wireless LAN - VLAN60
- Other misc. servers, etc.

Now, we are going to have a Fiber WAN setup between these two schools. School A will be the Hub and School B will be the spoke. Our ISP says it should be set up like a PTP between the two.

Some questions:

I'm going to come out of School A right into the current School B core switch, bypassing the current School B firewall completely, right? Because the Firewall at School A will take over all of that.

What do I need to add to the School B core switch so that any non-School B packets (like the internet) will be passed back to School A (which the WAN will come from)?

The ISP engineer also said that I needed to make sure that what was coming from School B into the School A core switch port - I had to make sure THAT port included all the subnets (something about "on a stick")?
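For reference, this is an added, ProCurve-style configuration sketch of the routed hub-and-spoke design the question describes (it is not config from the thread or from either school), assuming the fiber itself is trusted; the transit VLAN 100 (10.255.0.0/30), the core addresses 10.255.0.1/.2, fiber port A1 on both switches, /23 masks for the "512 IP" subnets, and a School A SonicWALL LAN address of 10.1.2.1 are all assumptions.

```text
; Added example, not config from the thread: routed hub-and-spoke
; between the two cores. Assumed: transit VLAN 100 (10.255.0.0/30),
; School A core = 10.255.0.1, School B core = 10.255.0.2, fiber on
; port A1 at both ends, /23 masks for the 512-IP subnets.

; ---- School B core (5304xl) ----
ip routing
vlan 100
   name "WAN-transit"
   untagged A1
   ip address 10.255.0.2 255.255.255.252
   exit
; VLAN50/VLAN60 are directly connected here, so they route locally.
; Everything else (other school, internet) goes back to School A.
ip route 0.0.0.0 0.0.0.0 10.255.0.1

; ---- School A core (5412zl) ----
ip routing
vlan 100
   name "WAN-transit"
   untagged A1
   ip address 10.255.0.1 255.255.255.252
   exit
; Return routes for School B's subnets across the fiber.
ip route 10.5.0.0 255.255.254.0 10.255.0.2
ip route 10.6.0.0 255.255.254.0 10.255.0.2
; Internet still leaves via the School A SonicWALL (assumed 10.1.2.1).
ip route 0.0.0.0 0.0.0.0 10.1.2.1

; Also needed, outside the switches (assumed, configured in the
; SonicWALL GUI): static routes for 10.5.0.0/23 and 10.6.0.0/23 back
; to the School A core's LAN address, and access rules covering those
; subnets, otherwise School B's internet replies have no path home.

; If the ISP's "on a stick" remark meant extending the VLANs at
; layer 2 instead of routing, drop VLAN 100 and put "tagged A1" under
; each VLAN on both switches, with routing only at School A; the
; routed design above keeps each site's broadcast domains separate.
```

The routed variant is the one that answers "non-School B packets go back to School A" with a single default route; the School B SonicWALL becomes unused on this path, which is the bypass the question anticipates.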

1 Solution
Blue Street Tech commented:
Hi larry22,

What models are the firewalls?

You could run the fiber into another WAN port on the Interface, then just a site to site VPN between the two firewalls. The firewalls should be setting up the VLANs anyway using PortShielding. And w/CGSS you can do all the mature filtering in each firewall for each location as well.

Then you can control access to whichever VLAN you desire.
larry22 (Author) commented:
Diverseit - Wouldn't it be far preferable to treat it like a ptp WAN and have the core switch doing the routing rather than VPN connections between two SonicWALLs? I could bring School B's SonicWALL down to School A for high availability. This is dark fiber running between two buildings.
Blue Street Tech commented:
I'm a little confused about the terminology used here...it sounds like some of it is misunderstood.

What is the ISP protocol used here: Metro Ethernet, MPLS, ATM...?

The only way to run Fiber in a Hub & Spoke configuration is through SONET using ATM. This is like ~$250k for this type of switch. The only way you'd want it set up like this is if both networks were on the same subnet or the same LAN, but in any case it's a pretty superannuated setup. Metro E would be a better option here if you are doing this type of setup.

The type of setup I'd recommend here really comes down to one question: do you trust the Telco/ISP providing the fiber? If you don't trust them and/or need better security, go with WAN to WAN (you could even bypass the site-to-site VPN), just plug each end into a port on the SonicWALL and assign it as a WAN port. If you trust the Telco/ISP, then go with the PTP route.

Take a look at this, it will give you some insight on how you can utilize a VPN if you decide to go the PTP route: https://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=8445

Keep in mind, if there is no or little trust with the ISP, all your data traveling on fiber is susceptible to Man-In-the-Middle attacks, and if someone puts on Port Mirroring, they'd see everything and you'd never know.

Just an FYI: If you are using Fiber, it's not called Dark Fiber. Dark Fiber is unused Optical Fiber. It refers to the potential network capacity of telecommunication infrastructure. If you're using Fiber, it's just called Fiber or Optical Fiber or Fiber Optics.

Make sense?
Blue Street Tech commented:
Any update on this? Can I clarify anything for you? Just let me know. Thanks!
larry22 (Author) commented:
I guess I understand. I just thought the whole point of a WAN would be that we could use one filter, one firewall, one DHCP server (eventually), one DNS server (eventually), etc.
Blue Street Tech commented:
If you want to join both networks you can do that with PTP. As I suggested, I'd use Metro E though, as it's more beneficial.

Here is a topology image to help better understand what I'm saying (attached).