
firewall at layer 2

Posted on 2014-02-15
Last Modified: 2014-03-02
I run HSRP at my core and we want to add two firewalls for redundancy purposes (see pic: net diagram). The vendor told me that the firewalls will be using its HA feature. In other words, the two firewalls will have the exact configuration and they will back up each other. They can be seen as one firewall and have a virtual IP address 10.20.20.100. The vendor also said that the link between the firewalls and the core switches will be layer 2. Now I am not sure what to think of this, as my core switches are layer 3 switches. They will have a default gateway pointed to the firewall virtual IP address. Does anybody have this type of setup? If yes, does it work ok?

Thanks
Question by:leblanc
3 Comments
 
Accepted Solution by: ffleisma (LVL 9, earned 668 total points), ID: 39862246
Yes, this setup is fine.

Based on your diagram, the FW-Core link will be on switchport access VLAN 100, with the FW having static routes pointed to the next-hop core switch "interface vlan 100" SVI interface for internal private IP addresses (10.x.x.x, 172.16.x.x, 192.168.x.x).

Although I guess another design: have the FW-core uplink as a trunk port on the core switch.

The purpose of this is that in case you need to create sub-interfaces on the FW, the core switchport will be ready as it is already configured as a trunk.

Let me know if you have any further questions. Hope I can help!
 
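As an added illustration (not code from the original answers), the core-switch side of the design ffleisma describes, in Cisco IOS syntax, with both the access-port option and the trunk alternative. Only the firewall VIP 10.20.20.100 and VLAN 100 come from the thread; the interface name, the SVI addresses 10.20.20.1 and 10.20.20.3, and the HSRP group number are assumed.

```cisco
! Core switch 1. Core switch 2 is identical except for its own SVI
! address and a lower HSRP priority. Addresses other than the firewall
! VIP 10.20.20.100 and VLAN 100 are assumed for illustration.
vlan 100
 name FW-TRANSIT
!
! Option 1 (as in the accepted answer): access port toward the firewall
interface GigabitEthernet1/0/1
 description Uplink to firewall HA pair
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
!
! Option 2 (the alternative suggested): trunk, ready for FW sub-interfaces.
! Prune the allowed VLANs so only the transit VLAN reaches the firewall
! port, and disable DTP so the port cannot renegotiate its mode.
! interface GigabitEthernet1/0/1
!  switchport trunk encapsulation dot1q
!  switchport mode trunk
!  switchport trunk allowed vlan 100
!  switchport nonegotiate
!
! SVI on VLAN 100: real address per core, plus the shared HSRP address
! that the firewall uses as its next hop back into the LAN.
interface Vlan100
 ip address 10.20.20.1 255.255.255.0
 standby 1 ip 10.20.20.3
 standby 1 priority 110
 standby 1 preempt
!
! Default route from the core toward the firewall pair's virtual IP
ip route 0.0.0.0 0.0.0.0 10.20.20.100
!
! On the firewall (vendor syntax varies), static routes for the internal
! ranges point back to the HSRP address rather than to either core's
! physical SVI address, so a core failover does not strand return traffic:
!   10.0.0.0/8      via 10.20.20.3
!   172.16.0.0/12   via 10.20.20.3
!   192.168.0.0/16  via 10.20.20.3
```

Because the firewall pair presents one VIP and the core pair presents one HSRP address, a failure on either side is transparent to the other; verify with `show standby brief` on each core after a failover test.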
Assisted Solution by: giltjr (LVL 57, earned 668 total points), ID: 39863729
If you have "layer 3 switches" then you have an L2 device that also supports L3 functions.

So as ffleisma stated, your setup is fine.
 
Assisted Solution by: gsmartin (LVL 8, earned 664 total points), ID: 39863956
As the others indicated, this configuration is fine. This is a typical Active/Passive Layer 2 HA firewall configuration. This is not an active/active HA configuration, which typically requires a load balancer to manage/direct L3 traffic and is overkill for most environments.

Part of the configuration is a link that connects the two firewalls together to transfer configuration changes and provide heartbeat detection between the primary and failover firewalls. If the failover firewall fails to communicate with the primary firewall due to a failure, the failover firewall takes over the primary role and assumes the primary firewall's configuration and MAC/IP addresses (L2/L3).

I hope this gives you a little better understanding of how this configuration operates.
