Looped? One L3 Switch, 2 Firewalls, 2 Services (Internet / T1)

Unanswered Question
Dec 2nd, 2009

I will be making some modifications on a network, and I would like to make sure I don't cause a loop on the switch.

Currently the site has one ASA with two IPs getting the DIA (Direct Internet Access) on the WAN port, and the LAN (secure) port goes to a layer 3 switch, easy enough. Now I would like to complicate things a bit more, if it's even possible.

The plan is to use the same switch to split the DIA connection with a VLAN 123, so I can connect a second ASA which will be managed by another associate; some other IPs from the same DIA will be used as well.

The second firewall will hand off its LAN (secure) port to the main firewall so I can manage the access; then the first firewall will go back to the switch with the filtered traffic on a routed port (no switchport).

Will I cause a loop? Please see the attached PDF.

Switch

     VLAN 123     -     WAN interface

          g0/1     Firewall One unsecured port (level 0)

          g0/2     Firewall Two unsecured port (level 0)

          g0/3     DIA - Direct Internet Access

     Routed port (no switchport)

          g0/4     comes from Firewall One's secure port (level 100)

     Routed port (no switchport)

          g0/5     goes to a dedicated T1 router

Firewall Two

     unsecure port     -     switch port g0/1

     secure port       -     Firewall One

Firewall One

     optional port     -     Firewall Two secure port

     unsecure port     -     from switch     g0/1

     secure port       -     to switch       g0/4

The reason for this is to try to use available ports on the same layer 3 switch instead of adding a WAN switch.

Jon Marshall Wed, 12/02/2009 - 07:23

peoplesit wrote: (original post, quoted above)

Your diagram and explanation are a little bit confusing. Is the current state that Internet access is connected directly to the ASA rather than what you are proposing, i.e. to connect it to the switch?

If i understand correctly you are looking to

1) have the internet access terminate on the L3 switch

2) connect the outside interfaces of both ASAs to the switch in vlan 23

3) connect the LAN to the inside interface of your first ie. original firewall.

4) this is a bit unclear - you are proposing to connect the 2 ASAs together - will this connection also go via the switch?

So traffic that goes to the second firewall then goes to your firewall?

If so, yes you can do all of the above on the same switch without creating a loop. Whether you should do it is another matter. Especially as the switch is L3 and is routing. You need to be very careful with your configuration or you could very easily open a hole into your LAN. Plus the whole design is reliant on a single switch. If that fails so does all internet access.

The other thing that is a little unclear is that you have the port that connects to the LAN as a routed port - so how do the clients connect into this LAN, i.e. is there another switch somewhere?

But the simple answer to your question is no, you won't create a loop, and even if you did, that is what STP is designed to protect you from.

Jon

peoplesit_2 Wed, 12/02/2009 - 07:41

Jon,

Before anything else, thanks for your time. Sorry about the confusion with the diagram; the diagram represents what I will try to accomplish. The actual layout goes like this:

Internet (DIA)     ->     (x.x.x.x) WAN port - ASA - LAN port (10.11.0.1/)     ->     (10.11.0.2/30) switch, no switchport, routing the other VLAN switches -> other switches.

1) Correct.

2) Yes, this way I skip adding another switch.

3) Yes, I know I will create an extra hop, but I want to handle all the packets and not allow the associate to handle what comes in and out of the LAN. So I will open some ports and he will have to set his equipment accordingly. Packets will have to be accepted in both firewalls when a connection comes from the second firewall.

4) No, from the LAN port of the second firewall to an optional port of the first firewall, no switch in the middle, /30. Firewall to firewall.

The other thing that is a little unclear is that you have the port that connects to the LAN as a routed port - so how do the clients connect into this LAN, i.e. is there another switch somewhere?

Yes, there is another switch with all the VLANs, which will route all the VLANs to this switch.

I know it's not the best design, but the budget was not the best for this implementation.

Jon Marshall Wed, 12/02/2009 - 07:50

peoplesit wrote: (reply quoted above)

If there is another switch, then why not connect the inside LAN port of your primary firewall to that switch? The advantage of this would be that even if the outside switch was configured incorrectly it could not give access to the internal LAN.

As for the connection between the 2 ASAs: yes, use the LAN port on the ASA to a spare interface on the primary firewall and configure it as a DMZ. You can connect them directly, or you could connect them via the outside switch by creating a separate VLAN with no L3 interface and just having each ASA's interface in that VLAN.

Jon
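Jon's cautions across both replies (the outside VLAN must have no L3 interface on the switch, a mis-configured L3 switch can route straight around the firewalls into the LAN, and STP is what catches an accidental loop) can be turned into a quick lint of the switch config. The following is an added example, not code from this thread or from Cisco: it parses a constructed IOS-style configuration for the topology above and reports the three mistakes that would defeat the design. The config is constructed for the example; VLAN 124 and ports g0/6-g0/7 for the ASA2-to-ASA1 DMZ link (Jon's "separate VLAN with no L3 interface" option), and every IP address, are assumptions and not from the original post.

```python
# Added example (not from the thread or from Cisco): lint an IOS-style L3
# switch config for the two-ASA design. VLAN 124, g0/6, g0/7 and all IP
# addresses below are assumptions. Python 3.8+, standard library only.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed config: VLAN 123 = DIA hand-off + both ASA outside interfaces
# (L2 only, no SVI); g0/4 = routed port to ASA1 inside; VLAN 124 = L2-only
# VLAN carrying the ASA2 inside -> ASA1 optional/DMZ link.
SAMPLE_CONFIG = """\
vlan 123
vlan 124
!
interface GigabitEthernet0/1
 description ASA1 outside (security-level 0)
 switchport access vlan 123
!
interface GigabitEthernet0/2
 description ASA2 outside (security-level 0)
 switchport access vlan 123
!
interface GigabitEthernet0/3
 description DIA provider hand-off
 switchport access vlan 123
!
interface GigabitEthernet0/4
 description ASA1 inside (security-level 100)
 no switchport
 ip address 10.11.0.2 255.255.255.252
!
interface GigabitEthernet0/6
 description ASA2 inside, L2 only
 switchport access vlan 124
!
interface GigabitEthernet0/7
 description ASA1 optional/DMZ, L2 only
 switchport access vlan 124
!
"""

# Same config with the mistakes Jon warns about: an SVI on the outside VLAN
# (the switch now routes around the firewalls), STP disabled on that VLAN, and
# the trusted inside link turned into a switchport in the outside VLAN.
BAD_CONFIG = SAMPLE_CONFIG.replace(
    " no switchport\n ip address 10.11.0.2 255.255.255.252",
    " switchport access vlan 123",
) + "interface Vlan123\n ip address 203.0.113.2 255.255.255.248\n!\nno spanning-tree vlan 123\n"


@dataclass
class Interface:
    name: str
    switchport: bool = True            # L3 switch ports default to switchport
    access_vlan: Optional[int] = None
    ip: Optional[str] = None


def parse_ios(config: str) -> Tuple[Dict[str, Interface], Set[int]]:
    """Return interfaces by name and the set of VLANs with STP disabled."""
    interfaces: Dict[str, Interface] = {}
    stp_disabled: Set[int] = set()
    current: Optional[Interface] = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):                 # global-mode line
            current = None
            m = re.match(r"interface\s+(\S+)", raw)
            if m:
                current = interfaces.setdefault(m.group(1), Interface(m.group(1)))
            m = re.match(r"no spanning-tree vlan\s+(\d+)", raw)
            if m:
                stp_disabled.add(int(m.group(1)))
            continue
        if current is None:                         # sub-mode we do not model
            continue
        stmt = raw.strip()
        if stmt == "no switchport":
            current.switchport = False
        elif stmt.startswith("switchport"):
            current.switchport = True
            m = re.match(r"switchport access vlan\s+(\d+)", stmt)
            if m:
                current.access_vlan = int(m.group(1))
        elif stmt.startswith("ip address"):
            current.ip = stmt[len("ip address"):].strip()
    return interfaces, stp_disabled


def audit(config: str, untrusted_vlans: Set[int], trusted_routed_ports: Set[str]) -> List[str]:
    """Findings: SVI on an untrusted VLAN, STP off there, or a trusted port bridged."""
    interfaces, stp_disabled = parse_ios(config)
    findings: List[str] = []
    for vlan in sorted(untrusted_vlans):
        svi = interfaces.get(f"Vlan{vlan}")
        if svi is not None:
            findings.append(f"Vlan{vlan} SVI exists ({svi.ip or 'no ip'}): the switch "
                            f"routes on VLAN {vlan} and bypasses the firewalls")
        if vlan in stp_disabled:
            findings.append(f"spanning-tree is disabled on VLAN {vlan}: an accidental loop is not blocked")
    for name in sorted(trusted_routed_ports):
        port = interfaces.get(name)
        if port is None:
            findings.append(f"{name} (trusted) is not configured")
        elif port.switchport:
            findings.append(f"{name} (trusted) is a switchport in VLAN {port.access_vlan}; "
                            f"it must be a routed port ('no switchport')")
    return findings
```

Run it as `audit(SAMPLE_CONFIG, {123, 124}, {"GigabitEthernet0/4"})` for the intended design, which returns no findings, and against `BAD_CONFIG` to see the three reports. The check deliberately treats any SVI on an untrusted VLAN as a finding, because an L3 switch with an address in the outside segment is a second router that no ASA policy covers.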
