Aruba & ProVision-based

Switch segmentation

Danny_W
Occasional Visitor

Switch segmentation

Hi Folks - Hopefully this is an easy question.  I have the current need to give a fw cluster exposure to (3) different networks - so basically it would look like this:
  • Network A feed + an arm from each fw = 3 ports
  • Network B feed + an arm from each fw = 3 ports
  • Network C feed + an arm from each fw = 3 ports

All ports would be gigabit copper.  Can I purchase a 24 port switch (like a 2910-24G) and segment it into groups of 3 ports - is this something a VLAN would accomplish?  Never used VLANs before, only flat networks.
Thanks.
Danny

3 REPLIES
paulgear
Esteemed Contributor

Re: Switch segmentation

Yes - that's definitely what VLANs are useful for.  Make sure you turn off ip routing in the switch (it's off by default) and set up one VLAN with 3 (untagged) ports for each.
Of course, there's not much point having a firewall cluster if you feed it into a single switch, so I would recommend adding another switch, setting up an LACP trunk between the switches, and feeding one firewall into each switch.  And make sure you test what happens when you lose a switch, lose a network connection, or lose a firewall.
I would also recommend taking some precautions for hardening the switch:
Regards,
Paul
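A concrete ProVision configuration for the layout Paul describes, added here as an illustration; it is not code from Paul's reply or from the switch vendor's documentation. It creates three VLANs with three untagged ports each, leaves IP routing off so the switch cannot forward between the three networks (only the firewalls can), and adds the LACP trunk to a second, identically configured switch with all three VLANs tagged across it. The VLAN IDs (10/20/30), the VLAN names, the port numbers (1-9 for the feeds and firewall arms, 23-24 for the inter-switch trunk) and the trunk name trk1 are assumptions; adjust them to the actual cabling.

```text
; Network A: provider feed on port 1, one arm from each firewall on ports 2-3
; (assumed port numbers; making a port untagged here also removes it from VLAN 1)
vlan 10
   name "NetA"
   untagged 1-3
   exit
; Network B: feed on port 4, firewall arms on ports 5-6
vlan 20
   name "NetB"
   untagged 4-6
   exit
; Network C: feed on port 7, firewall arms on ports 8-9
vlan 30
   name "NetC"
   untagged 7-9
   exit

; Keep the switch a pure layer-2 device. With routing off, traffic can only
; cross between A, B and C through the firewall cluster, never via the switch.
no ip routing

; Unused ports stay in the default VLAN 1; disabling them keeps stray devices
; from landing there (optional, assumed port range).
interface 10-22 disable

; Second switch (Paul's suggestion): LACP trunk on ports 23-24 carrying all
; three VLANs tagged. Apply the same VLAN and trunk config on the peer switch.
trunk 23-24 trk1 lacp
vlan 10
   tagged trk1
   exit
vlan 20
   tagged trk1
   exit
vlan 30
   tagged trk1
   exit

; Verification: each VLAN should list only its own three ports plus trk1,
; "show ip" should report IP routing as disabled, and "show trunks" /
; "show lacp" should show trk1 with both members up once the peer is cabled.
show vlans
show vlan 10
show ip
show trunks
show lacp
```

The property worth checking after `show vlans` is that each provider feed shares a broadcast domain with nothing but its two firewall arms. Each feed still lands on a single switch; the second switch only protects the firewall arms and the inter-switch path, not the provider uplink itself.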
dave kallman
Visitor

Re: Switch segmentation


Paul - Thank you for the response.  I'm confused about the second switch scenario you describe.  How can I "HA" one network feed?   If I'm taking an uplink from Network A to connect to my fw cluster, don't I have to nail that uplink down on one switch - if I want to "HA" the connection to Network A, and eliminate a single point of failure (the switch), wouldn't I need the Network A provider to hand me off two uplinks to their network?  Am I missing something?
Thanks again for your help!

 

 

paulgear wrote:

Of course, there's not much point having a firewall cluster if you feed it into a single switch, so i would recommend adding another switch, setting up an LACP trunk between the switches, and feeding one firewall into each switch.  And make sure you test what happens when you lose a switch, lose a network connection, or lose a firewall.
paulgear
Esteemed Contributor

Re: Switch segmentation

Hi Dave,

You're absolutely right that you can't split a single feed. But surely you have a firewall cluster because you want to guard against single points of failure? If those 3 links are 3 different ISPs, then you probably want to put one into one switch and two into another so that if you lose one switch you still have one or two of the three.

And, as you hinted, if full redundancy is important, it would be better to have two uplinks coming from each provider.

Regards,
Paul