IKtech asked:

redundant networking equipment

I have two Firebox devices; both are XTM 5s. I also have two Cisco switches, SG 300s. The Firebox devices can be set up in a FireCluster as active/active or active/passive. This means that the two devices have an identical configuration on them, and if one dies the other one is ready to go.

On the switches, I have four VLANs set up. One is for my LAN (anything on the internal network, as well as one Firebox interface for a gateway); the second is the DMZ (external-facing web servers are plugged into this VLAN, along with a separate interface on the Firebox for the DMZ gateway); the third VLAN is external, which is where the cable from the IAD (internet access device from the internet service provider) goes, along with a third interface on the Firebox. The fourth is for the cluster interfaces (this is how the Fireboxes talk to each other).

Basically, what I want to do is connect the switches together so that the Fireboxes have a VLAN for the FireCluster, and if one switch dies the other provides redundancy.

Right now I am struggling with how to set up the VLANs. I have 4 ports on each switch for the external VLAN, 5 ports for the DMZ, three ports for the cluster VLAN, and the rest of the ports on the LAN. For the LAN VLAN I am using the default VLAN 1. I also have one port set up on each switch that connects the two switches. The interconnect is set up as a trunk with the default VLAN untagged and the rest of the VLANs tagged. All other switch ports are untagged for one of the four VLANs (depending on what is plugged in).

Does this sound like it should work? I know this setup is a bit strange, but I would love to have the built-in redundancy. Any advice is appreciated!!!!!!!
SOLUTION
arnold
Don't use the switches for the cluster VLAN. Use a direct crossover cable. Otherwise, if one switch dies, you lose your cluster communication.

Also, it's better not to use the default VLAN for your LAN, or for anything. It's a security risk.
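As an added illustration (not code from this thread or from Cisco/WatchGuard), the following Python checker encodes the two rules in this answer, plus the tagged-trunk/untagged-access layout from the question, and runs it over a constructed two-switch plan. Port names, VLAN IDs and the helper names are assumptions.

```python
from dataclasses import dataclass, field

DEFAULT_VLAN = 1  # the factory default VLAN on the switches


@dataclass
class Port:
    name: str
    mode: str                 # "access" or "trunk"
    untagged: int             # access VLAN, or the native VLAN on a trunk
    tagged: set = field(default_factory=set)  # VLANs tagged on a trunk


def check_plan(switches, production_vlans, cluster_vlan, interconnect):
    """switches: {switch_name: [Port, ...]}. Returns a list of findings;
    an empty list means the plan satisfies the rules from the thread."""
    findings = []
    for sw, ports in switches.items():
        trunk = next((p for p in ports if p.name == interconnect), None)
        if trunk is None or trunk.mode != "trunk":
            findings.append(f"{sw}: {interconnect} is not a trunk")
        else:
            missing = production_vlans - trunk.tagged
            if missing:  # every production VLAN must cross the interconnect tagged
                findings.append(f"{sw}: trunk {interconnect} does not tag VLANs {sorted(missing)}")
            if trunk.untagged in production_vlans:
                findings.append(f"{sw}: production VLAN {trunk.untagged} is untagged on the trunk")
        for p in ports:
            if p.mode != "access":
                continue
            if p.untagged == DEFAULT_VLAN:  # rule: nothing lives on VLAN 1
                findings.append(f"{sw}/{p.name}: access port still on default VLAN {DEFAULT_VLAN}")
            if p.untagged == cluster_vlan:  # rule: cluster link bypasses the switches
                findings.append(f"{sw}/{p.name}: cluster VLAN on a switch port; use a direct cable")
    return findings


def build_plan(lan_vlan, cluster_on_switch):
    """Constructed two-switch plan mirroring the question's layout (assumed port names)."""
    def switch():
        ports = [Port("gi1", "access", 30),        # external
                 Port("gi5", "access", 20),        # DMZ
                 Port("gi10", "access", lan_vlan)]  # LAN
        if cluster_on_switch:
            ports.append(Port("gi20", "access", 40))  # FireCluster interface
        ports.append(Port("gi28", "trunk", DEFAULT_VLAN, {10, 20, 30}))  # interconnect
        return ports
    return {"sw1": switch(), "sw2": switch()}


PRODUCTION = {10, 20, 30}  # LAN, DMZ, external
CLUSTER = 40
```

Running `check_plan(build_plan(1, True), PRODUCTION, CLUSTER, "gi28")` reports the two problems on each switch, while `build_plan(10, False)` passes cleanly.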
IKtech (ASKER):
@mike

So for the VLANs, instead of using the default VLAN 1 for the LAN, I could use another VLAN I create, then set up access ports (for devices and servers) as untagged for the correct VLAN, and then for the trunk ports that connect the switches together, use tagged for all VLANs and untagged for the default VLAN 1.

Does that sound correct? If I use untagged access ports, will the Fireboxes need to know about the VLANs? I'm guessing no, but I am not certain.
ASKER CERTIFIED SOLUTION
IKtech (ASKER):
I got things working!! I have the clustering working over the switch too, because if the switch that the primary firewall is plugged into dies, the secondary Firebox will not take over as the primary, since both devices are still alive and well. Right now it looks as if I can lose one device and the network will keep running as if nothing happened. Thanks for the help!!!