Solved

firewall at layer 2

Posted on 2014-02-15
3
286 Views
Last Modified: 2014-03-02
I run HSRP at my core and we want to add two firewalls for redundancy purposes (see pic: net diagram). The vendor told me that the firewalls will be using its HA feature. In other words, the two firewalls will have the exact same configuration and they will back each other up. They can be seen as one firewall and have a virtual IP address 10.20.20.100. The vendor also said that the link between the firewalls and the core switches will be layer 2. Now I am not sure what to think of this, as my core switches are layer 3 switches. They will have a default gateway pointed to the firewall virtual IP address. Does anybody have this type of setup? If yes, does it work OK?

Thanks
Question by:leblanc
3 Comments
 
LVL 9

Accepted Solution

by:
ffleisma earned 167 total points
ID: 39862246
Yes, this setup is fine.

Based on your diagram the FW-core link will be on a switchport in access VLAN 100, with the FW having static routes pointed to the next-hop core switch "interface vlan 100" SVI for the internal private IP addresses (10.x.x.x, 172.16.x.x, 192.168.x.x).

Although, I guess, there is another design: have the FW-core uplink as a trunk port on the core switch.

The purpose of this is that in case you need to create sub-interfaces on the FW, the core switchport will be ready as it is already configured as a trunk.

Let me know if you have any further questions. Hope I can help!
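The access-port design and the firewall static routes in the accepted answer, written out as an added example; this is not configuration from the original thread, and the firewall vendor is not named there. Assumptions: Cisco IOS syntax on the core switches, VLAN 100 as the transit VLAN, a 10.20.20.0/24 transit subnet with core SVI addresses 10.20.20.2 and 10.20.20.3 and HSRP virtual IP 10.20.20.1, the interface name GigabitEthernet1/0/1, and generic `ip route` lines as a placeholder for the firewall's own syntax. The firewall virtual IP 10.20.20.100 comes from the question.

```cisco
! ===== Core-1 (HSRP active). Core-2 is identical except its SVI address
! ===== is 10.20.20.3 and its standby priority is left at the default of 100.
vlan 100
 name FW-TRANSIT
!
! Access-port design from the accepted answer: the firewall uplink sits in VLAN 100.
interface GigabitEthernet1/0/1
 description Uplink to firewall HA pair
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
!
! Trunk alternative from the same answer, ready for firewall sub-interfaces later.
! Replace the three switchport/portfast lines above with these if you choose it:
!  switchport trunk encapsulation dot1q
!  switchport mode trunk
!  switchport trunk allowed vlan 100
!
! Transit SVI: the core's presence in VLAN 100, carrying the HSRP VIP the firewall routes to.
interface Vlan100
 description Transit to firewall HA pair
 ip address 10.20.20.2 255.255.255.0
 standby 100 ip 10.20.20.1
 standby 100 priority 110
 standby 100 preempt
!
! Default route toward the firewall virtual IP from the question.
ip route 0.0.0.0 0.0.0.0 10.20.20.100

! ===== Firewall side (vendor syntax not given in the thread; generic "ip route"
! ===== form used as a placeholder). Internal prefixes from the accepted answer.
! ===== The next hop is the core HSRP VIP, not one switch's own SVI address,
! ===== so a core switch failure does not strand return traffic.
ip route 10.0.0.0     255.0.0.0     10.20.20.1
ip route 172.16.0.0   255.240.0.0   10.20.20.1
ip route 192.168.0.0  255.255.0.0   10.20.20.1
```

The one point to check against the accepted answer's wording: since the question already runs HSRP at the core, the firewall's static routes should target the HSRP virtual address rather than a single switch's SVI address, otherwise the firewall keeps a working default gateway from the core side but loses its path back in when that one core switch goes down. The firewall VIP and the core SVIs must also sit in the same subnet for the core's default route to resolve.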
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 167 total points
ID: 39863729
If you have "layer 3 switches" then you have an L2 device that also supports L3 functions.

So as ffleisma stated, your setup is fine.
 
LVL 8

Assisted Solution

by:gsmartin
gsmartin earned 166 total points
ID: 39863956
As the others indicated, this configuration is fine. This is a typical Active/Passive Layer 2 HA firewall configuration. This is not an Active/Active HA configuration, which typically requires a load balancer to manage/direct L3 traffic and is overkill for most environments.

Part of the configuration is a link that connects the two firewalls together to transfer configuration changes and provide heartbeat detection between the primary and failover firewalls. If the failover firewall fails to communicate with the primary firewall due to a failure, the failover firewall takes over the primary role and assumes the primary firewall's configuration and MAC/IP addresses (L2/L3).

I hope this gives you a little better understanding of how this configuration operates.
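To make the takeover gsmartin describes visible from the core side, an added example that is not from the thread: on Cisco IOS, MAC-move notification logs the moment the firewall pair's shared MAC address is learned on a different port, which is exactly what an L2 Active/Passive failover looks like to the switch. Assumed: Cisco IOS on the core switches and VLAN 100 as the firewall transit VLAN; the firewall virtual IP 10.20.20.100 is from the question.

```cisco
! Log MAC moves so an HA takeover (the shared firewall MAC moving between ports)
! shows up in the switch log rather than only as a brief traffic blip.
mac address-table notification mac-move
logging buffered 64000 informational
!
! Checks to run during a planned failover test, before relying on it in production:
! show mac address-table vlan 100        - which port the firewall VIP's MAC is learned on now
! show arp | include 10.20.20.100        - the core's ARP entry for the firewall VIP
! show standby brief                     - core HSRP state should be unaffected by the firewall failover
! show logging | include MAC_MOVE        - the move event itself, with old and new port
```

Run the first two `show` commands before and after pulling the primary firewall's uplink: the VIP's MAC should appear on the other core port and the ARP entry should still resolve, with no change in HSRP state. If the MAC does not move, the standby firewall has not actually assumed the primary's L2 identity and the failover is incomplete.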