Firewall on the same network of the Core switch and other switches

What disasvantage can you find in this design?

For my opinion the firewall would be unecesary traffic for example maybe broadcast traffic and stuff like that

I do always do routing between the Firewall which is the edge and my Core Switch, and i got my core switch doing Layer 3 traffic.

I have seem many deployment for example

Firewall got one cable on 192.168.1.2
Core switch got a cable on that switch and got an interface vlan on 192.168.1.1
Then they got all the switches on the same vlan let say switch 1 192.168.1.3 switch2 on 192.168.1.4 and son on

What i do is
Firewall got one cable on 192.168.254.1
Core switch got an interface vlan on 192.168.254.2

Then i got my internal network on another vlan let say i got one interface vlan on 172.16.1.1 and my other swithces and my networking equipment on that 172.16.1.x vlan....

Now i would like some opinions of both approach

Advantage and disadvantage on both approaches...

I always do the second one, for the reason i said before but there should be many other reasons i cannot think of right now.... also if the design of my selection is not good you can say it and tell me why and correct me why its bad(the second approach)

All the opinions are welcome!

Find more posts tagged with

Comments

m3zilla

It's kind of hard to make out what you're trying to say in your post, but it sounds like you're debating whether to use a firewall in the traditional sense vs bridge mode?

Personally, I've never ran across a firewall deployment that have it in bridge mode. It's always acting as a L3 hop. In all the text I've read, it seems the major reason why you want to deploy it it bridge mode is so that you can implement it without disrupting traffic. Unless you have a specific reason to do so, why would you want to run it as a transparent/bridge?

I wouldn't deploy one in bridge mode just to drop unwanted broadcast/arp as you mention though.

NightShade1

Here i put 2 attachment i did fast in visio hope it explains better both scenario... guess i can do it a way better but i did this in just 5 mins... heh

In the first picture you can see the design one which i never implement
And the design 2 which i always implement

I try to separate the firewall of my internal network on another vlan... on like a p2p vlan between them...
On my core router i got one default route pointing in this example to 192.168.254.1
And on the firewall all my internal networks pointing to 192.168.254.2

I would like to know which is the best practice and why... for now im selecting design2.

I dont see too much this as i see more WLAN implementations but its always good to know these stuff!

Desing1.jpg

Desing2.jpg

higherho

There is nothing wrong with that design. As m3 stated most sites use it as a l3 hop. In a previous position of mine I was connected to another site but we still needed to be segreated.

So for me it was;

HQ network end >Local site router (Point to point to my firewall) > my site Firewall > My switches / servers

Now having your firewall up where you have it you can actually setup a pretty good public DMZ if you have any public facing DNS / Web servers going on.

On a side note: Its best not to use VLAN 1 and shut it down.

Tyically in your setup the firewall is acting as the layer 3 device to decide the routing and all that.

NightShade1

Thanks for the comments
Im aware of hte Vlan 1 recommendation already

but thanks for mentioning it

Let see what other people have to comment about this
I did this tread because i see many sites with the setup number 1 on the first diagram. But when i have to build a network i always doing setup 2.

it_consultant

There is really no benefit to design #2 and you make your packets take one more hop than necessary to get to the internet.

higherho

I would choose design one because as IT_consultant points out you do not need another VLAN for the firewall to your core switch. The vlan design in number one would make more sense.

The only thing that should have a point to point is if you have an example like I pointed above where your a small site connecting to a bigger site to go out to the real world. Meaning your firewall is pointing to a router's interface, between these two points you would need a /30 ip space.

NightShade1

Okay

i hope people keep posting more opinions about this!

unclerico

Either one will work. If you do #2 go for a routed interface as opposed to using another SVI reason being you don't need another spanning-tree instance created (assuming Cisco). If you do design #2 you also won't need to rely on icmp redirects to get your traffic to the proper/shortest path to the next hop. In your diagram you show your servers on the same VLAN/broadcast domain as the firewall. When a server wants to get to the Internet it will send its traffic to the core switch. The core switch will send icmp redirects to your servers telling them to use the firewall as the next hop instead assuming you have icmp redirects enabled. If you don't (which most dont) your traffic will still take an extra hop to get to the Internet anyways as it needs to go to the switch and then to the firewall. In the grand scheme of things the extra hop will introduce very little delay in the end to end traffic flow. I manage many thousands of devices with Internet points of presense in all regions of the world and the designs we use are more along design #2. If you have a DMZ you should be following best practice and physically segregating it from the rest of the network. Design #1 is extremely common and will do the job as well.

NightShade1

unclerico wrote: »

Either one will work. If you do #2 go for a routed interface as opposed to using another SVI reason being you don't need another spanning-tree instance created (assuming Cisco). If you do design #2 you also won't need to rely on icmp redirects to get your traffic to the proper/shortest path to the next hop. In your diagram you show your servers on the same VLAN/broadcast domain as the firewall. When a server wants to get to the Internet it will send its traffic to the core switch. The core switch will send icmp redirects to your servers telling them to use the firewall as the next hop instead assuming you have icmp redirects enabled. If you don't (which most dont) your traffic will still take an extra hop to get to the Internet anyways as it needs to go to the switch and then to the firewall. In the grand scheme of things the extra hop will introduce very little delay in the end to end traffic flow. I manage many thousands of devices with Internet points of presense in all regions of the world and the designs we use are more along design #2. If you have a DMZ you should be following best practice and physically segregating it from the rest of the network. Design #1 is extremely common and will do the job as well.

Which one you will recommend? and why?
I see you use more the Design#2 Why do you use it more than design#1? could you number some reasons? if is not too much asking?

" your diagram you show your servers on the same VLAN/broadcast domain as the firewal" this is just on design 1 not on design 2 as the firewall is on another vlan
Like i said i do mostly WLAN deployment but well its always nice to learn new things you didnt know... thats why i open this tread. I would really wanted to know which one was better and why

Iwill read about icmp redirect didnt know that.

kalebksp

This really depends on on the full network layout. In design #1, if you have multiple VLANs each with it's gateway on the firewall (802.1q trunk or multple physical interfaces), inter-VLAN routing occurs on the firewall. In design #2 inter-VLAN routing would be on a switch. In most cases a decent switch is going to have better routing performance, but of course if you need to firewall traffic between VLANs you'd want the routing performed there.

You're not limited to using only one of the designs. As an example, let's say you have separate workstation, printer, and server VLANs, and you want the workstations to be able to send larger print jobs to the printer VLAN directly but be able to apply more granular policies to traffic head to and from servers. The workstation and printer VLANs could be setup as in #2 but the servers like #1.

unclerico wrote: »

If you do design #2 you also won't need to rely on icmp redirects to get your traffic to the proper/shortest path to the next hop. In your diagram you show your servers on the same VLAN/broadcast domain as the firewall. When a server wants to get to the Internet it will send its traffic to the core switch. The core switch will send icmp redirects to your servers telling them to use the firewall as the next hop instead assuming you have icmp redirects enabled. If you don't (which most dont) your traffic will still take an extra hop to get to the Internet anyways as it needs to go to the switch and then to the firewall.

Why would the default gateway be set to the switch? You could easily avoid ICMP redirects (and they should be avoided) by setting the gateway to be the firewall.

it_consultant

You guys are WAY over-thinking this. There is no "right" way as long as the packets make it to where they need to go. I prefer the fewest hops as possible, but others don't for one reason or another.

You can have multiple VLANs and tag a link from each VLAN directly into the firewall if you don't want the switch to route for you. That way you can have multiple networks and each has a direct link to the firewall. I see a good many SMB deployments who do this. I don't care for it, but it is a valid design.

kalebksp

it_consultant, you maybe right if it's a small network with limited security needs, but once you get to any level of scale it matters very much. Very few firewalls can route gigabit traffic at line rate, whereas plenty of switches can. I have been in many environments where the IT staff didn't understand their traffic flows and it caused a lot of problems.

NightShade1

kalebksp wrote: »

This really depends on on the full network layout. In design #1, if you have multiple VLANs each with it's gateway on the firewall (802.1q trunk or multple physical interfaces), inter-VLAN routing occurs on the firewall. In design #2 inter-VLAN routing would be on a switch. In most cases a decent switch is going to have better routing performance, but of course if you need to firewall traffic between VLANs you'd want the routing performed there.

You're not limited to using only one of the designs. As an example, let's say you have separate workstation, printer, and server VLANs, and you want the workstations to be able to send larger print jobs to the printer VLAN directly but be able to apply more granular policies to traffic head to and from servers. The workstation and printer VLANs could be setup as in #2 but the servers like #1.

Why would the default gateway be set to the switch? You could easily avoid ICMP redirects (and they should be avoided) by setting the gateway to be the firewall.

Okay lets correct something in design 1 the core is routing the firewall is not... all the interface vlans are created on the switch core, not on the firewall.... (all the computers, servers are pointing to swtich core) the firwall just belongs to the vlan in which all the swithces of the network belongs... and in some cases the servers.

In design 2 there is a point to point vlan between firewall and switch core the difference is that the switch core and the firewall can see each other but firewall NEEDs the routes to get to the internal networks... i need to point to the CORe swithc... i mean all my internal network i need to point them to the core switch from the firewall

it_consultant

kalebksp wrote: »

it_consultant, you maybe right if it's a small network with limited security needs, but once you get to any level of scale it matters very much. Very few firewalls can route gigabit traffic at line rate, whereas plenty of switches can. I have been in many environments where the IT staff didn't understand their traffic flows and it caused a lot of problems.

My own network is set up this way - we have a HP 5412zl handling the internal routing. A lot of single mode fiber from remote sites is terminated into the switch, something the firewall is not capable of doing unless we put a media converter in front of it. The question of which design is "better" is, in whole, determined by the needs and budget of the network. I am not a fan of adding more complexity when it isn't needed.

kalebksp

NightShade1 wrote: »

Okay lets correct something in design 1 the core is routing the firewall is not... all the interface vlans are created on the switch core, not on the firewall.... (all the computers, servers are pointing to swtich core) the firwall just belongs to the vlan in which all the swithces of the network belongs... and in some cases the servers.

In design 2 there is a point to point vlan between firewall and switch core the difference is that the switch core and the firewall can see each other but firewall NEEDs the routes to get to the internal networks... i need to point to the CORe swithc... i mean all my internal network i need to point them to the core switch from the firewall

Ah, in that I case my preference would be design #2. I avoid multiple gateways on an access VLAN (except in the case of FHRPs of course), someone's bound to point something to the wrong one.

If you're concerned with managing routes on the firewall you could run a routing protocol, but if this is a small single site company that would probably be adding unnecessary complexity. What I typically do is use a summary route on the firewall. When I get to chose the addressing I use the scheme of 10.[site ID].[VLAN ID].0/24. So the firewall gets a route of 10.[site ID].0.0/16 pointing to the core switch and the core switch gets a default route to the firewall and a null route of 10.[site ID].0.0/16 to avoid routing loops for unused subnets.

it_consultant wrote: »

My own network is set up this way - we have a HP 5412zl handling the internal routing. A lot of single mode fiber from remote sites is terminated into the switch, something the firewall is not capable of doing unless we put a media converter in front of it. The question of which design is "better" is, in whole, determined by the needs and budget of the network. I am not a fan of adding more complexity when it isn't needed.

I'm not sure which design you are referring you when you say "My own network is setup this way." In any case I wholeheartedly agree with you that it's dependent on the needs of the company and that unnecessary complexity should be avoided. My personal design philosophy is to make the network no more complex than is necessary to accomplish the goals and provide scalability for the future. I come across a lot of IT folks that implement technology for the sake of technology, which is fun, but of course the truth is our role is solely to support and further the goals of the business.

it_consultant

My network is set up where the core switch is also the main router; as opposed to a lot of SMB setups where the firewall is also the main router. That was after you explained that line rate routing is better done at the switch - I was just letting you know that is how my own network is set up.