firewall at layer 2

I run hsrp at my core and we want to add two firewalls for redundancy purposes (see pic: net diagram). The vendor told me that the firewalls will be using its HA feature. In other words, the two firewalls will have the exact configuration and they will backup each other. They can be seen as one firewall and have a virtual IP address 10.20.20.100. The vendor also said that the link between the firewalls and the core switches will be layer 2. Now I am not sure what to think of this as my core switches are layer 3 switches. They will have a default gateway pointed to the firewall virtual IP address. Does anybody have this type of setup? If yes, does it work ok?

Thanks
leblanc (Accounting) asked:
ffleisma (Senior Network Engineer) commented:
Yes, this setup is fine.

Based on your diagram, the FW-Core link will be on a switchport in access VLAN 100, with the FW having static routes pointed to the next-hop core switch "interface vlan 100" SVI interface for the internal private IP addresses (10.x.x.x, 172.16.x.x, 192.168.x.x).

Although, I guess, another design: have the FW-core uplink as a trunk port on the core switch.

The purpose of this is that in case you need to create sub-interfaces on the FW, the core switchport will be ready, as it is already configured as a trunk.

Let me know if you have any further questions. Hope I can help!
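To make the design in the answer above concrete and checkable, here is an added example (not code from the thread or from any of its participants): a small Python audit of an IOS-style core switch config that verifies the three things the answer relies on: the firewall-facing port carries VLAN 100 at layer 2 (either as an access port or as a trunk that allows it), the core's "interface Vlan100" SVI sits in the same subnet as the firewall virtual IP and runs HSRP, and the default route points at that virtual IP. Only VLAN 100 and the virtual IP 10.20.20.100 come from the thread; the interface name GigabitEthernet1/0/1, the SVI address 10.20.20.2/24, the HSRP address 10.20.20.1 and the sample configs are constructed for the example.

```python
import ipaddress
import re

# Values taken from the thread: the firewall HA pair's virtual IP and the VLAN
# the FW-core link lives in. Everything else below is constructed.
FW_VIP = "10.20.20.100"
FW_VLAN = 100

# Constructed core switch config (access-port variant from the answer).
CORE_ACCESS = """\
interface GigabitEthernet1/0/1
 description uplink to firewall HA pair
 switchport mode access
 switchport access vlan 100
!
interface Vlan100
 ip address 10.20.20.2 255.255.255.0
 standby 100 ip 10.20.20.1
 standby 100 priority 110
!
ip route 0.0.0.0 0.0.0.0 10.20.20.100
"""

# Same design with the trunk variant the answer suggests (ready for FW sub-interfaces).
CORE_TRUNK = CORE_ACCESS.replace(
    " switchport mode access\n switchport access vlan 100\n",
    " switchport mode trunk\n switchport trunk allowed vlan 100,200\n",
)

# Constructed broken config: port left in VLAN 1, no HSRP, default route bypasses the FW VIP.
CORE_BROKEN = """\
interface GigabitEthernet1/0/1
 switchport mode access
!
interface Vlan100
 ip address 10.20.20.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.20.20.254
"""


def parse_interfaces(cfg):
    """Return {interface name: [stripped sub-commands]} from an IOS-style config."""
    interfaces, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return interfaces


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '100-102,200' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def port_carries_vlan(lines, vlan):
    """True if an access port sits in `vlan`, or a trunk port allows it."""
    mode, access_vlan, allowed = "access", 1, None  # IOS defaults
    for sub in lines:
        if m := re.match(r"switchport mode (\S+)", sub):
            mode = m.group(1)
        elif m := re.match(r"switchport access vlan (\d+)", sub):
            access_vlan = int(m.group(1))
        elif m := re.match(r"switchport trunk allowed vlan (\S+)", sub):
            allowed = expand_vlan_list(m.group(1))
    if mode == "trunk":
        return allowed is None or vlan in allowed  # no allowed-list means all VLANs
    return access_vlan == vlan


def svi_details(lines):
    """Return (IPv4 network of the SVI, HSRP standby address) or (None, None) parts."""
    net, hsrp = None, None
    for sub in lines:
        if m := re.match(r"ip address (\S+) (\S+)", sub):
            net = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
        elif m := re.match(r"standby \d+ ip (\S+)", sub):
            hsrp = m.group(1)
    return net, hsrp


def audit_core(cfg, fw_port, fw_vip=FW_VIP, vlan=FW_VLAN):
    """Return a list of findings; an empty list means the core matches the design."""
    findings = []
    ifaces = parse_interfaces(cfg)
    port = ifaces.get(fw_port)
    if port is None or not port_carries_vlan(port, vlan):
        findings.append(f"{fw_port} does not carry VLAN {vlan} toward the firewall")
    net, hsrp = svi_details(ifaces.get(f"Vlan{vlan}", []))
    if net is None:
        findings.append(f"no IP address on interface Vlan{vlan}")
    elif ipaddress.ip_address(fw_vip) not in net:
        findings.append(f"firewall VIP {fw_vip} is outside the SVI subnet {net}")
    if hsrp is None:
        findings.append(f"no HSRP standby address on Vlan{vlan}; core gateway is not redundant")
    hops = re.findall(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", cfg, re.M)
    if fw_vip not in hops:
        findings.append(f"default route does not point at firewall VIP {fw_vip} (found {hops or 'none'})")
    return findings


if __name__ == "__main__":
    for name, cfg in [("access", CORE_ACCESS), ("trunk", CORE_TRUNK), ("broken", CORE_BROKEN)]:
        print(name, audit_core(cfg, "GigabitEthernet1/0/1") or "OK")
```

Run against a real `show running-config`, the same checks flag the usual ways this design silently fails: the uplink left in the default VLAN, an SVI on a different subnet than the firewall cluster's virtual IP, or a default route that sends traffic around the firewall instead of through it.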
giltjr commented:
If you have "layer 3 switches" then you have an L2 device that also supports L3 functions.

So as ffleisma stated, your setup is fine.
gsmartin (Manager of IT) commented:
As the others indicated, this configuration is fine. This is a typical Active/Passive Layer 2 HA firewall configuration. This is not an active/active HA configuration, which typically requires a load balancer to manage/direct L3 traffic and is overkill for most environments.

As part of the configuration is a link that connects the two firewalls together to transfer configuration changes and provide heartbeat detection between the primary and failover firewalls. If the failover firewall fails to communicate with the primary firewall due to a failure, the failover firewall takes over the primary role and assumes the primary firewall's configuration and MAC/IP addresses (L2/L3).

I hope this gives you a little better understanding of how this configuration operates.