Advices on DMZ design vs switches

Vinny
Level 1

Hi,

We have two dedicated racks for our DMZ. We need to connect them to a firewall. We do all the cabling inside the rack, so each of them must have a top of rack.

Problem is, the switch in rack 2 will be connected to rack 1 and then to the firewall, so if switch 1 fails, we lose both of them.

I would love to stack them like 3750s but I don't think there is a StackWise cable long enough to connect two racks (and I suppose this length isn't supported by the technology).

We have only one port left in the FW.

Do you have any advice on design or Cisco products that can do some sort of redundancy, or anything that could help this setup to be more solid?

Thank you

9 Replies

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

If the racks are adjacent, the "long" stack cable should reach between racks.

siddhartham
Level 4

Do you have a single firewall or is it an HA pair?

If it's a single firewall then I believe stacking is your only option. I think Cisco makes stack cables up to 7 meters but I am not completely sure about it.

If you have an HA pair then you can connect the active firewall to one switch and the standby firewall to the other one (the 2 switches should be connected to each other).

Siddhartha

Vinny
Level 1

Thank you both for your answers.

We don't know yet where the second rack will be located. But if there is a 7 meter cable... that would be perfect.

Vinny
Level 1

OK, I found out.

You can order these StackWise cables from your Cisco sales representative:

CAB-STACK-50CM= (0.5-meter cable)

CAB-STACK-1M= (1-meter cable)

CAB-STACK-3M= (3-meter cable)

So the max length is 3 meters.

Vincent, you are right, 3 meters is the maximum length according to Cisco. But I found the below, not sure how genuine it is.

http://www.connectzone.com/cab-stack-10m.html

Siddhartha

darren.g
Level 5

Vincent Boulet wrote:

Hi,

We have two dedicated racks for our DMZ. We need to connect them to a firewall. We do all the cabling inside the rack, so each of them must have a top of rack.

Problem is, the switch in rack 2 will be connected to rack 1 and then to the firewall, so if switch 1 fails, we lose both of them.

I would love to stack them like 3750s but I don't think there is a StackWise cable long enough to connect two racks (and I suppose this length isn't supported by the technology).

We have only one port left in the FW.

Do you have any advice on design or Cisco products that can do some sort of redundancy, or anything that could help this setup to be more solid?

Thank you

If you've only got one port in your firewall, no matter what you do you've got a single point of failure.

Connect the firewall to switch 1, connect switch 2 to switch 1 - if switch 1 fails, switch 2 goes down as well.

Connect the firewall to switch 2, connect switch 1 to switch 2 - if switch 2 fails then switch 1 goes down as well.

Stacking won't fix this - if whichever switch you have your firewall connected to physically fails, then you're going to lose both of them, regardless of whether it's stacked, linked at layer two via trunks, or routed between switches.

The only way you're going to eliminate this is as siddhartham stated earlier - have an active/passive firewall pair, connect one to each server switch, and have appropriate failover monitoring on the firewall to fail over to the backup if the primary loses its connection to the DMZ network.

Totally agree with Darren and Siddarth. Having just one FW is poor design. One of the principles of networking is availability, which is achieved by having fault tolerance (HA/redundancy). Definitely speak to your manager about getting another FW.

HTH

Kishore

Vinny
Level 1

Thanks for your answers.

Just to add something: the second firewall is planned to be installed in October. In the meantime, we wanted to add some reliability on the switch side. We know if the firewall fails we lose everything, but the first step was to keep it up and running if a switch goes down.

Vincent Boulet wrote:

Thanks for your answers.

Just to add something: the second firewall is planned to be installed in October. In the meantime, we wanted to add some reliability on the switch side. We know if the firewall fails we lose everything, but the first step was to keep it up and running if a switch goes down.

You've missed the point, Vincent.

You've got ONE connection out your firewall. You can connect it to ONE switch.

If the switch the firewall is connected to goes down, it doesn't *matter* what redundancy you have from the switch point of view. The firewall loses its physical connectivity to your network - bang, no more internet access for your DMZ. The firewall will still be up and running fine - but unless you move that physical connection to the non-failed switch, you're stuffed.

That's one scenario I didn't list - configure both switches in both racks with a port for firewall connectivity - and if the switch with the firewall in it fails, run to your rack room and change the patch to the non-failed switch. It's sneakernet networking, but at least it will *minimise* your downtime in the event the switch your firewall is connected to fails.

Cheers.
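To make Darren's single-point-of-failure argument concrete, here is an added example (not from the thread or from any Cisco tooling) that models the two designs discussed as small graphs and fails one device at a time. Device names (uplink, fw1, fw2, sw1, sw2) are assumptions of the model; it also assumes that in the HA design the firewall failover itself works.

```python
"""SPOF check for the DMZ designs in this thread (constructed model, not from
the thread). Each design is an undirected graph; fail one device at a time and
see which rack switches lose their path to the outside. Names are assumptions."""
from collections import deque

# "uplink" stands for the Internet side of the firewall(s).
DESIGNS = {
    # Vinny's plan: one firewall, one port, sw2 hangs off sw1. Stacking sw1
    # and sw2 produces exactly the same graph, which is Darren's point.
    "single FW, daisy-chain or stack": [
        ("uplink", "fw1"), ("fw1", "sw1"), ("sw1", "sw2")],
    # siddhartham's suggestion: active/standby pair, one firewall per switch,
    # switches interconnected. Assumes failover monitoring actually works.
    "HA FW pair, one per switch": [
        ("uplink", "fw1"), ("uplink", "fw2"), ("fw1", "sw1"),
        ("fw2", "sw2"), ("sw1", "sw2")],
}
RACK_SWITCHES = ("sw1", "sw2")

def reachable(edges, failed, start="uplink"):
    """Breadth-first search from the outside with one device removed."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt != failed and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def single_failure_impact(edges):
    """Map each device to the *other* rack switches cut off when it fails."""
    devices = {n for edge in edges for n in edge} - {"uplink"}
    impact = {}
    for dev in sorted(devices):
        up = reachable(edges, dev)
        impact[dev] = [s for s in RACK_SWITCHES if s != dev and s not in up]
    return impact

def spofs(edges):
    """Devices whose single failure takes another rack switch offline."""
    return [dev for dev, lost in single_failure_impact(edges).items() if lost]

if __name__ == "__main__":
    for name, edges in DESIGNS.items():
        print(f"{name}: SPOFs = {spofs(edges) or 'none'}")
```

In the daisy-chain design both fw1 and sw1 show up as single points of failure, while in the HA design no single device failure cuts off the other rack.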
