Solved

firewall at layer 2

Posted on 2014-02-15
Last Modified: 2014-03-02
I run HSRP at my core and we want to add two firewalls for redundancy purposes (see the attached net diagram). The vendor told me that the firewalls will be using its HA feature. In other words, the two firewalls will have the exact same configuration and they will back each other up. They can be seen as one firewall and have a virtual IP address 10.20.20.100. The vendor also said that the link between the firewalls and the core switches will be layer 2. Now I am not sure what to think of this as my core switches are layer 3 switches. They will have a default gateway pointed to the firewall virtual IP address. Does anybody have this type of setup? If yes, does it work ok?

Thanks
Question by:leblanc
3 Comments
 
LVL 9

Accepted Solution

by:
ffleisma earned 167 total points
ID: 39862246
yes this setup is fine.

Based on your diagram, the FW-core link will be on a switchport in access VLAN 100, with the FW having static routes pointed to the next-hop core switch "interface vlan 100" SVI address for the internal private IP ranges (10.x.x.x, 172.16.x.x, 192.168.x.x).

Although I guess another design would be to have the FW-core uplink as a trunk port on the core switch.

The purpose of this is that in case you need to create sub-interfaces on the FW, the core switchport will be ready as it is already configured as trunk.

Let me know if you have any further questions. Hope I can help!
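As an added illustration of the design described in this answer (not configuration from the question or from any of the posters), here is what the core switch side could look like on a Cisco IOS layer 3 switch, using the trunk-port variant. Only VLAN 100 and the firewall virtual IP 10.20.20.100 come from the thread; the interface name, the per-switch SVI addresses 10.20.20.2/.3 and the HSRP virtual IP 10.20.20.1 are assumptions.

```cisco
! Core switch A. Core switch B is identical except for the SVI address
! (10.20.20.3) and a lower HSRP priority (100).
ip routing
!
vlan 100
 name FW-TRANSIT
!
! Uplink to the firewall HA pair. Trunked rather than access, so that
! firewall sub-interfaces can be added later without touching this port.
interface GigabitEthernet1/0/1
 description Uplink-to-firewall-HA-pair
 switchport mode trunk
 switchport trunk allowed vlan 100
 spanning-tree portfast trunk
!
! SVI in the transit VLAN. HSRP gives the firewalls one stable next hop
! (10.20.20.1) that survives the loss of either core switch.
interface Vlan100
 description FW-transit
 ip address 10.20.20.2 255.255.255.0
 standby version 2
 standby 100 ip 10.20.20.1
 standby 100 priority 110
 standby 100 preempt
!
! Default route to the firewall cluster's virtual IP. Because the standby
! firewall takes over both the VIP and its MAC address on failover, this
! route does not need to change when the firewalls fail over.
ip route 0.0.0.0 0.0.0.0 10.20.20.100
```

On the firewall side, the static routes for the internal ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) should point at the HSRP virtual IP 10.20.20.1 rather than at an individual switch's SVI address, otherwise a core switch failure would leave the firewalls with a dead next hop even though HSRP has moved the gateway.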
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 167 total points
ID: 39863729
If you have "layer 3 switches" then you have L2 devices that also support L3 functions.

So as ffleisma stated, your setup is fine.
 
LVL 8

Assisted Solution

by:gsmartin
gsmartin earned 166 total points
ID: 39863956
As the others indicated, this configuration is fine. This is a typical Active/Passive Layer 2 HA firewall configuration. This is not an active/active HA configuration, which typically requires a load balancer to manage/direct L3 traffic and is overkill for most environments.

Part of the configuration is a link that connects the two firewalls together to transfer configuration changes and provide heartbeat detection between the primary and failover firewalls. If the failover firewall fails to communicate with the primary firewall due to a failure, the failover firewall takes over the primary role and assumes the primary firewall's configuration and MAC/IP addresses (L2/L3).

I hope this gives you a little better understanding of how this configuration operates.
