HP 2910al between cisco router and multiple firewall appliances?

 
JLPeac
Visitor

Hello,

 

I am trying to research a better way to configure our network to be able to offer separate firewalls on different subnets. Currently we have an AT&T managed Cisco router for our Internet connection and a single Sonicwall appliance providing the WAN/LAN gateway. The Sonicwall is configured with "trunks/VLANs" ...and it seems to be a bottleneck.

We need an efficient way to set up different internal networks, each with its own firewall appliance with individualized web content filtering, etc.

(We have even applied for 128 static IP addresses with AT&T so every subnet can have its own external IP address for remote access from users.)

 

I'm definitely no networking expert but was thinking maybe the best way to do this would be putting a layer 3 switch on the Cisco so we can hopefully introduce the separate firewall appliances via the many ports a switch offers.

Is this a good or even feasible idea? Could someone guide me in the right direction? ...the more specifics, the better :-)

 

thanks in advance,

-Jim

 

David_Schwartzs
Honored Contributor

Re: HP 2910al between cisco router and multiple firewall appliances?

How many clients are inside the firewall total? How much bandwidth on average is being used?

Sonicwall has a ton of different models - it's possible your firewall appliance is simply undersized, it may not be necessary to have multiple devices, it may simply be necessary to get a more robust device.

If you did go with multiple devices, using physical port VLAN mapping and defining the individual firewalls as default gateways for the different VLANs should make it very easy to route traffic to and from specific devices.

FYI - the 2910al supports Layer 3 routing features and can define these gateways on the HP switch, you don't need another piece of hardware nor to upgrade software features with Cisco in that regard.
Regards,
--
David Schwartzstein
IT Channel Sales Expert / Solutions Architect

Currently looking for my next opportunity - http://www.linkedin.com/in/pctechyoda

If my post solves your problem, please kindly take a moment to mark my post as a solution. Thank you.
JLPeac
Visitor

Re: HP 2910al between cisco router and multiple firewall appliances?

So far about a dozen client/servers with under 100 users via an NSA 2400. We are about to get a new AT&T circuit and managed Cisco router, managed by AT&T. We can simply move the Sonicwall as is to the new circuit using the existing IP address, or take this opportunity to migrate to a more robust "networking solution"... which is my desire - to be able to offer separate virtual firewall appliances via multiple Fortigate 100D appliances, allowing for future growth (hopefully), and be able to offer individual firewalls with individualized web content filtering, etc. for our Medical Practice clients.

 

My only problem is my lack of experience in implementing the desired solution... I have enough knowledge to have come up with the multi-VLAN idea - just not any been-there-done-that knowledge.

I think having multiple devices could help eliminate a future serious bottleneck and/or point of hardware failure (one Sonicwall) impacting ALL clients at once.

 

Would you possibly provide me with an example configuration how-to, with an example setup of 2 appliances via VLAN with the HP switch? I am reading through the 2910al manuals about VLAN setup... just having a hard time putting it into my little real-world plan without feeling somewhat confused.

 

Any and all help is greatly appreciated... we are a small company and the owner doesn't know much about my plan yet ...I really don't want to do something like this without gathering as much knowledge as I can first!

(I'd like to keep my job if you know what I mean LOL)

Thanks very much!!

-Jim  

 

 

JLPeac
Visitor

Re: HP 2910al between cisco router and multiple firewall appliances?

Would anyone be willing to provide the steps to configure a 2910al for the following scenario?

 

LAN1 = users
LAN2 = servers accessible by Internet & LAN1 but not LAN3
LAN3 = servers accessible by Internet & LAN1 but not LAN2
LAN4 = accessible by Internet but isolated from LAN1, 2 & 3

(Btw, each LAN will contain its own firewall)

 

 

                         Internet
                            |
                          Router
                            |
                            | x.x.x.x/28 (usable public addresses)
                            |
                    HP Layer-3 Switch
                    /     |      |     \
               LAN 1    LAN 2   LAN 3   LAN 4
         10.0.1.0/24  10.0.2.0/31  10.0.3.0/31  10.0.4.0/31

Vince_Whirlwind
Trusted Contributor

Re: HP 2910al between cisco router and multiple firewall appliances?

Nice diagram - but, where's the firewall in this?

 

I would have a good think about whether you want your VLAN4 on the same switch as your internal VLANs - some people prefer physical separation for their DMZ.

 

Assuming the firewall is upstream, you can configure your switch ports into the relevant (untagged) VLANs 1, 2, 3 & 4, and configure no IP address on each VLAN's interface. Then trunk all 4 VLANs up to the firewall (tagged VLANs) on a single physical link, or, if your firewall has lots of interfaces or doesn't support dot1Q tagging, configure an uplink port in each VLAN (untagged) carrying only that VLAN up to a firewall port dedicated to that VLAN.

 

Alternatively, if you would prefer the better performance of routing local traffic within your Layer-3 switch, configure an interface IP address for each VLAN, and then create access lists to Deny traffic between the VLANs that are not permitted to talk to each other.

Configure a default route pointing upstream to the firewall, and configure routes for each subnet/VLAN on the firewall, pointing back at the Layer-3 switch.

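The two designs described in the thread (David's "firewall as default gateway per VLAN" and Vince's two variants: Layer 2 only with the firewall upstream, or Layer 3 on the switch with ACLs) can be written down and sanity-checked before anything is typed into the 2910al. The script below is an added example, not from the thread or from HP documentation. It renders ProCurve-style CLI for either design from the four-LAN policy Jim posted, and then evaluates that policy the way the switch would (first match, stateless, implicit deny at the end). The ACL and route syntax is assumed from the ProCurve K/W-series CLI and must be confirmed against the 2910al Access Security Guide for your firmware; the port ranges, the /24 prefixes (a /31 has only two addresses, no room for a firewall plus hosts), the transit VLAN 10 and the firewall address 10.0.0.1 are all assumptions made for the example.

```python
"""Render ProCurve-style VLAN/ACL config from a reachability policy and check it
offline. Added example, not from the thread or HP documentation. CLI syntax is
assumed from the ProCurve K/W-series CLI; verify against the 2910al manuals."""
from ipaddress import ip_address, ip_network

# Constructed to mirror Jim's four LANs. /24 is assumed for each one; the /31s
# in his diagram hold only two addresses, too few for a firewall plus hosts.
LANS = {
    1: ("users",    ip_network("10.0.1.0/24")),
    2: ("srv-a",    ip_network("10.0.2.0/24")),
    3: ("srv-b",    ip_network("10.0.3.0/24")),
    4: ("isolated", ip_network("10.0.4.0/24")),
}
PORTS = {1: "1-8", 2: "9-12", 3: "13-16", 4: "17-20"}   # assumed port ranges
# Unordered VLAN pairs allowed to talk; every other pair is denied in both directions.
ALLOWED = {frozenset((1, 2)), frozenset((1, 3))}
# Assumed transit VLAN between the switch (.2) and one upstream firewall (.1),
# used only by the routed design.
TRANSIT_VID, TRANSIT_PORT, TRANSIT = 10, "24", ip_network("10.0.0.0/30")
FIREWALL = ip_address("10.0.0.1")
ANY = ip_network("0.0.0.0/0")


def denied_pairs():
    """Ordered (src, dst) VLAN pairs that must not exchange traffic."""
    return [(s, d) for s in LANS for d in LANS
            if s != d and frozenset((s, d)) not in ALLOWED]


def rules_for(vid):
    """Inbound ACL for one VLAN: explicit denies first, then permit everything
    else so Internet-bound traffic via the default route still passes."""
    denies = [("deny", LANS[s][1], LANS[d][1]) for s, d in denied_pairs() if s == vid]
    return denies + [("permit", ANY, ANY)]


def fmt(net):
    """ProCurve ACEs take 'address wildcard' (0 bits must match)."""
    return "any" if net == ANY else f"{net.network_address} {net.hostmask}"


def render(mode="routed"):
    """CLI lines for either design. 'bridged': the switch is Layer 2 only, each
    VLAN's own firewall (plugged into that VLAN's port range) is the gateway and
    sees every inter-VLAN packet. 'routed': the switch routes between VLANs, so
    the ACLs generated here are the only thing enforcing the policy."""
    out = ["ip routing"] if mode == "routed" else []
    for vid, (name, net) in LANS.items():
        out += [f"vlan {vid}", f'   name "{name}"', f"   untagged {PORTS[vid]}"]
        if mode == "routed":
            out.append(f"   ip address {net.network_address + 1} {net.netmask}")
        out.append("   exit")
    if mode != "routed":
        return out
    out += [f"vlan {TRANSIT_VID}", '   name "fw-transit"', f"   untagged {TRANSIT_PORT}",
            f"   ip address {TRANSIT.network_address + 2} {TRANSIT.netmask}", "   exit"]
    for vid in LANS:
        out.append(f'ip access-list extended "VLAN{vid}-IN"')
        out += [f"   {a} ip {fmt(s)} {fmt(d)}" for a, s, d in rules_for(vid)]
        out += ["   exit", f"vlan {vid}", f'   ip access-group "VLAN{vid}-IN" in', "   exit"]
    out.append(f"ip route 0.0.0.0/0 {FIREWALL}")
    return out


def lookup(src_ip, dst_ip):
    """First-match evaluation of the inbound ACL on the VLAN that owns src_ip,
    stateless like the switch. The reverse direction is judged by the other
    VLAN's ACL, which is why denied_pairs() is generated symmetrically."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    vid = next(v for v, (_, net) in LANS.items() if src in net)
    for action, s_net, d_net in rules_for(vid):
        if src in s_net and dst in d_net:
            return action
    return "deny"   # implicit deny at the end of every ProCurve ACL


if __name__ == "__main__":
    print("\n".join(render("routed")))
    for pair in [("10.0.2.5", "10.0.3.5"), ("10.0.2.5", "10.0.1.5"), ("10.0.4.5", "203.0.113.10")]:
        print(pair, lookup(*pair))
```

The bridged output is what Vince's first paragraph and David's "firewall as default gateway" suggestion amount to: the switch carries no IP addresses, so any packet crossing from one LAN to another has to pass through a firewall. The routed output trades that for switch-local forwarding, and the `lookup` checks are the point: with stateless ACLs, a single "deny LAN2 to LAN3" would still let LAN3 initiate toward LAN2, so the script emits the deny in both VLANs' inbound lists and the checks confirm each direction separately. Nothing here filters traffic arriving from the transit VLAN, because in that design the upstream firewall is expected to do that.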
JLPeac
Visitor

Re: HP 2910al between cisco router and multiple firewall appliances?

Thanks for your reply Mr. Whirlwind!

 

Best possible performance and growth potential is the main goal.

 

Relatively recently we started hosting servers for some of our Medical Office clients, and our current configuration (not the one in the diagram) includes one upstream Sonicwall NSA2400 providing trunks to a layer 2 switch.

 

I would like to put the layer 3 switch to work and be able to offer private VLANs plus, in some cases, even dedicated public IP addresses with dedicated firewalls.

 

Ideas on the best way to accomplish this are more than welcome... 

If I could get an example of the commands to do it, I'd be less fearful I am going to mess something up in the short amount of time I will have to replace our current setup.

 

I have practically zero VLAN/routing experience - and all the manuals and web sites I've read so far are not turning on a light for me.

 

thanks,

Jim