Firewall on the same network as the core switch and other switches

What disadvantage can you find in this design?
In my opinion the firewall would receive unnecessary traffic, for example broadcast traffic and stuff like that.
I always do routing between the firewall, which is the edge, and my core switch, and I have my core switch doing Layer 3 traffic.
I have seen many deployments, for example:
Firewall has one cable on 192.168.1.2
Core switch has a cable on that switch and has an interface VLAN on 192.168.1.1
Then they have all the switches on the same VLAN, let's say switch 1 on 192.168.1.3, switch 2 on 192.168.1.4 and so on
What I do is:
Firewall has one cable on 192.168.254.1
Core switch has an interface VLAN on 192.168.254.2
Then I have my internal network on another VLAN, let's say I have one interface VLAN on 172.16.1.1 and my other switches and my networking equipment on that 172.16.1.x VLAN...
Now I would like some opinions on both approaches.
Advantages and disadvantages of both approaches...
I always do the second one, for the reason I said before, but there should be many other reasons I cannot think of right now... also, if the design I selected is not good you can say so and tell me why, and correct me on why it's bad (the second approach).
All the opinions are welcome!
Comments
Personally, I've never run across a firewall deployment that has it in bridge mode. It's always acting as an L3 hop. In all the texts I've read, it seems the major reason you would want to deploy it in bridge mode is so that you can implement it without disrupting traffic. Unless you have a specific reason to do so, why would you want to run it as transparent/bridge?
I wouldn't deploy one in bridge mode just to drop unwanted broadcast/ARP as you mention, though.
Here I put two attachments I did quickly in Visio, hope they explain both scenarios better... I guess I could do it a lot better but I did this in just 5 minutes... heh
In the first picture you can see design 1, which I never implement
And design 2, which I always implement
I try to separate the firewall from my internal network on another VLAN... like a p2p VLAN between them...
On my core router I have one default route pointing, in this example, to 192.168.254.1
And on the firewall all my internal networks pointing to 192.168.254.2
I would like to know which is the best practice and why... for now I'm selecting design 2.
I don't see this too much, as I see more WLAN implementations, but it's always good to know this stuff!
So for me it was:
HQ network end > Local site router (point to point to my firewall) > my site firewall > my switches / servers
Now, having your firewall up where you have it, you can actually set up a pretty good public DMZ if you have any public-facing DNS / web servers going on.
On a side note: it's best not to use VLAN 1, and to shut it down.
Typically in your setup the firewall is acting as the Layer 3 device to decide the routing and all that.
I'm aware of the VLAN 1 recommendation already.
Let's see what other people have to comment about this.
I did this thread because I see many sites with setup number 1 from the first diagram. But when I have to build a network I always do setup 2.
The only thing that should have a point to point is if you have an example like I pointed out above, where you're a small site connecting to a bigger site to go out to the real world. Meaning your firewall is pointing to a router's interface; between these two points you would need a /30 IP space.
Which one would you recommend? And why?
I see you use design #2 more. Why do you use it more than design #1? Could you list some reasons, if it's not too much to ask?
"In your diagram you show your servers on the same VLAN/broadcast domain as the firewall" - this is just on design 1, not on design 2, as the firewall is on another VLAN.
Like I said, I mostly do WLAN deployments, but well, it's always nice to learn new things you didn't know... that's why I opened this thread. I would really like to know which one is better and why.
I will read about ICMP redirect, didn't know that.
You're not limited to using only one of the designs. As an example, let's say you have separate workstation, printer, and server VLANs, and you want the workstations to be able to send larger print jobs to the printer VLAN directly but be able to apply more granular policies to traffic headed to and from servers. The workstation and printer VLANs could be set up as in #2 but the servers like #1.
Why would the default gateway be set to the switch? You could easily avoid ICMP redirects (and they should be avoided) by setting the gateway to be the firewall.
You can have multiple VLANs and tag a link from each VLAN directly into the firewall if you don't want the switch to route for you. That way you can have multiple networks and each has a direct link to the firewall. I see a good many SMB deployments who do this. I don't care for it, but it is a valid design.
Okay, let's correct something: in design 1 the core is routing, the firewall is not... all the interface VLANs are created on the core switch, not on the firewall... (all the computers and servers are pointing to the core switch); the firewall just belongs to the VLAN in which all the switches of the network belong... and in some cases the servers.
In design 2 there is a point-to-point VLAN between the firewall and the core switch; the difference is that the core switch and the firewall can see each other, but the firewall NEEDS the routes to get to the internal networks... I need to point them to the core switch... I mean all my internal networks I need to point to the core switch from the firewall.
My own network is set up this way - we have an HP 5412zl handling the internal routing. A lot of single-mode fiber from remote sites is terminated into the switch, something the firewall is not capable of doing unless we put a media converter in front of it. The question of which design is "better" is, in whole, determined by the needs and budget of the network. I am not a fan of adding more complexity when it isn't needed.
Ah, in that case my preference would be design #2. I avoid multiple gateways on an access VLAN (except in the case of FHRPs, of course); someone's bound to point something to the wrong one.
If you're concerned with managing routes on the firewall you could run a routing protocol, but if this is a small single-site company that would probably be adding unnecessary complexity. What I typically do is use a summary route on the firewall. When I get to choose the addressing I use the scheme 10.[site ID].[VLAN ID].0/24. So the firewall gets a route for 10.[site ID].0.0/16 pointing to the core switch, and the core switch gets a default route to the firewall and a null route for 10.[site ID].0.0/16 to avoid routing loops for unused subnets.
I'm not sure which design you are referring to when you say "My own network is set up this way." In any case I wholeheartedly agree with you that it's dependent on the needs of the company and that unnecessary complexity should be avoided. My personal design philosophy is to make the network no more complex than is necessary to accomplish the goals and provide scalability for the future. I come across a lot of IT folks that implement technology for the sake of technology, which is fun, but of course the truth is our role is solely to support and further the goals of the business.
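The summary-route plus null-route scheme in the post above, and the design-2 requirement that the firewall hold routes back to the core switch, can be checked with a small forwarding simulation. This is an added example, not code from anyone in the thread: it models the firewall and the core switch as two L3 hops with static routing tables and forwards a packet by longest-prefix match until it lands on a connected VLAN, is dropped, reaches the outside, or bounces between the two devices. The site ID (1), the VLAN numbers (10 and 20), the p2p network 192.168.254.0/30 and the sample destinations are constructed for the example; the point it shows is the loop that occurs for an unused subnet when the core has only a default route to the firewall, and how the null route stops it.

```python
"""Two-hop routing simulation: firewall <-> core switch (added example).

Addresses follow the 10.[site ID].[VLAN ID].0/24 scheme from the thread
with site ID 1 assumed; VLANs 10/20 and the p2p /30 are constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Terminal next-hop markers: these end forwarding instead of naming a device.
CONNECTED = "connected"   # destination is on a directly attached VLAN
NULL = "null0"            # blackhole route: packet is dropped silently
INTERNET = "internet"     # firewall's outside interface (terminal in this model)

Route = Tuple[ipaddress.IPv4Network, str]
Tables = Dict[str, List[Route]]


def lookup(table: List[Route], dst: ipaddress.IPv4Address) -> Optional[str]:
    """Longest-prefix match: the most specific route containing dst wins."""
    best: Optional[Route] = None
    for net, nh in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


def build_tables(site_id: int, null_route: bool) -> Tables:
    """Static tables for design 2: p2p VLAN between firewall and core."""
    def n(cidr: str) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(cidr)

    core: List[Route] = [
        (n(f"10.{site_id}.10.0/24"), CONNECTED),   # workstation VLAN 10 (assumed)
        (n(f"10.{site_id}.20.0/24"), CONNECTED),   # server VLAN 20 (assumed)
        (n("192.168.254.0/30"), CONNECTED),        # p2p VLAN to the firewall
        (n("0.0.0.0/0"), "firewall"),              # default -> 192.168.254.1
    ]
    if null_route:
        # Summary for the whole site discarded locally; the connected /24s
        # are longer prefixes, so real VLANs are unaffected.
        core.append((n(f"10.{site_id}.0.0/16"), NULL))

    firewall: List[Route] = [
        (n("192.168.254.0/30"), CONNECTED),
        (n(f"10.{site_id}.0.0/16"), "core"),       # one summary -> 192.168.254.2
        (n("0.0.0.0/0"), INTERNET),
    ]
    return {"core": core, "firewall": firewall}


def forward(tables: Tables, start: str, dst: str, ttl: int = 8) -> List[str]:
    """Return the hop path; last element is CONNECTED, NULL, INTERNET,
    'no-route', or 'ttl-expired' when the packet ping-pongs between devices."""
    addr = ipaddress.ip_address(dst)
    path = [start]
    device = start
    for _ in range(ttl):
        nh = lookup(tables[device], addr)
        if nh is None:
            path.append("no-route")
            return path
        path.append(nh)
        if nh in (CONNECTED, NULL, INTERNET):
            return path
        device = nh
    path.append("ttl-expired")
    return path


if __name__ == "__main__":
    for null in (False, True):
        t = build_tables(1, null)
        print(f"null route on core: {null}")
        print("  unused 10.1.99.5 :", " -> ".join(forward(t, "firewall", "10.1.99.5")))
        print("  server 10.1.20.7 :", " -> ".join(forward(t, "firewall", "10.1.20.7")))
        print("  outbound 8.8.8.8 :", " -> ".join(forward(t, "core", "8.8.8.8")))
```

Without the null route, a packet for 10.1.99.5 matches the firewall's /16 summary, is sent to the core, matches only the core's default route, and goes straight back; the TTL is what eventually ends it. With the null route the core drops it on the first pass, while traffic to a real VLAN and outbound traffic follow the same paths in both cases.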