WAN Configuration - diverse fiber and two transparent firewalls???

Unanswered Question
Oct 3rd, 2007

I wonder if anyone can assist me in this matter. We have 2Gb fiber runs coming into our data centre racks. I wish to plug one into one switch and the other into another for redundancy. Currently the switches are not configured and just standard. However, we run NetScreen NS-1000 firewalls in transparent mode and when I just plug the second fiber into the second public untrusted switch and bring the second transparent firewall into the picture, the network works but it flaps constantly.

I have attached a current and required diagram. I believe the issue has something to do with traffic routing through the wrong firewall and switch, but I am not certain. Both firewalls have identical configs. We are using Cisco 3500 Series switches.

Can anyone help me with this? Please....

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
lgijssel Wed, 10/03/2007 - 01:43

This will likely work when it is connected in the proper way.

That is, the ethernet interfaces of both routers should be interconnected, either by linking up the two 3500 switches or by connecting both to the same device. Only then the HSRP interfaces are able to communicate and HSRP will not work otherwise.

The firewalls must be connected to this segment as well, you could run into trouble here. Using them with an identical configuration implies that there needs to be some kind of failover between them. I do not know netscreen well enough to tell you if and how this can be done. (This is a cisco forum after all;-)

regards,

Leo

earthgecko Wed, 10/03/2007 - 02:21

Hi Leo

Thanks for the response. As for the Netscreens they are transparent so effectively they are on the public untrusted network, but not, they do not have public IPs and our network uses the public routers as the gateways (HSRP IP addresses). What I am a bit confused with is how to route traffic through the public untrusted switches, is it possible to do this through clustering? The two switches behind the firewalls are connected linked, so essentially if say firewall2 or public untrusted 2 switch failed the public trusted 2 switch should just route traffic through firewall 1 and public untrusted 1 which happens as if I unplug the fiber from public untrusted 2 all is fine. However, the intermittent flapping of the network when we set it up in this manner makes it unviable.

Would clustering the public untrusted 3508XL and 3524XL resolve this possibly?

Actions

This Discussion