ip route metric
Hi,
I'm looking to add a second firewall to my existing setup, retaining the current firewall as a alternative route to the internet.
I have a HP Procurve 5406zl as my core switch
I have my network segmented with vlans like the example in the attachment.
My current firewall is on vlan100 and is the default route for all internet traffic
ip route 0.0.0.0 0.0.0.0 10.1.100.10
When I add my second firewall, is it possible to use a metric to force all traffic to use the new firewall as a default route, failing back onto the existing firewall if the route is unreachable?
And should I create a new vlan for the new firewall or is it ok in the same vlan as the existing firewall?
Thanks,
Steve
vlans.txt
I'm looking to add a second firewall to my existing setup, retaining the current firewall as a alternative route to the internet.
I have a HP Procurve 5406zl as my core switch
I have my network segmented with vlans like the example in the attachment.
My current firewall is on vlan100 and is the default route for all internet traffic
ip route 0.0.0.0 0.0.0.0 10.1.100.10
When I add my second firewall, is it possible to use a metric to force all traffic to use the new firewall as a default route, failing back onto the existing firewall if the route is unreachable?
And should I create a new vlan for the new firewall or is it ok in the same vlan as the existing firewall?
Thanks,
Steve
vlans.txt
is it possible to use a metric to force all traffic to use the new firewall as a default route, failing back onto the existing firewall if the route is unreachable?Kind of. You can specify the administrative distance with your default route.
ip route 0.0.0.0 0.0.0.0 1.2.3.4 ! preferred firewall
ip route 0.0.0.0 0.0.0.0 5.6.7.8 10 ! backup firewall
But... and this is important, the default route to the backup firewall will only be used if the interface to the preferred firewall goes down. Which means if the firewall's outside interface fails, or the link to the ISP fails, the switch will continue sending packets to the primary firewall.
One way around this is to have your switch do object tracking with route maps. But unfortunately, the 5400's don't support this.
You don't say what firewall you have, but some firewall's have a failover feature. Or a first hop routing protocol like HSRP or VRRP. In which case you define a virtual IP for the two firewalls and the active firewall handles the traffic.
Or you could use a routing protocol like OSPF and have the firewalls advertise the default route to the switch.
So there's a number of possible solutions.
ASKER
Ok, the goal posts have moved now.
I am installing two Sonicwall 2600s in high availability now. They work as a active/standby setup with both firewalls sharing a virtual IP.
So in effect, the procurve 5406zl will on see one firewall.
Now I would like to setup these new firewalls in parallel with the exsisting firewall.
Is it best to setup a new vlan for the new firewalls and when it's ready, just change the default route to the new virtual IP?
Also, I would like to maybe test one vlan on the new firewalls, can this been done?
I am installing two Sonicwall 2600s in high availability now. They work as a active/standby setup with both firewalls sharing a virtual IP.
So in effect, the procurve 5406zl will on see one firewall.
Now I would like to setup these new firewalls in parallel with the exsisting firewall.
Is it best to setup a new vlan for the new firewalls and when it's ready, just change the default route to the new virtual IP?
Also, I would like to maybe test one vlan on the new firewalls, can this been done?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks for your suggestions.
I'm going to configure them in parallel and change the default route when I'm sure everything is working.
I'm going to configure them in parallel and change the default route when I'm sure everything is working.
Depending on the vendor, the syntax might be slightly different but:
ip route 0.0.0.0 0.0.0.0 PREFERRED_DESTINATION
ip route 0.0.0.0 0.0.0.0 BACKUP_DESTINATION 250