
I currently have planned

2 x uplinks (HSRP Active/Standby)
2 x pfsense firewalls (Carp Enabled)
2 x layer2 switches

Please criticize or offer help on the correct way to do this. I have a feeling I'm missing a valid point of simple networking.

The firewalls bridge the links EXT to INT, and the INT links are using LAGG for redundancy.

Arenstar
  • Are your uplinks routing subnets to a single IP (CARP)? Are you trunking any VLANs to the L2 switches (do you need VLAN redundancy)? Your diagram looks like you'll be relying on STP, which would be a potential issue (STP loops happen just when you don't want them to!). – Ben Lessani Mar 21 '12 at 13:26
  • The uplinks are routing an entire public block /25 and they are using HSRP. The firewalls however communicate independently on a separate line using CARP. Is STP really that bad? Any suggestions on a better alternative? – Arenstar Mar 21 '12 at 14:11
  • Do you not have a glue block for the sole purpose of routing your /25 - or are you planning on subnetting that yourself? Also, what is the intention for this, is it for a LAN/re-selling hosting etc. – Ben Lessani Mar 21 '12 at 14:17
  • No, I'm using the whole block :) It's a gateway to a very large cluster of servers in our datacenter. – Arenstar Mar 21 '12 at 14:43
  • Are you planning on 1:1 NAT'ing all the IPs then? Otherwise, your firewalls won't be doing much? I would have thought a `/29` glue block for routing, then route your `/25` to that glue block, then present your `/25` in a LAN/VLAN behind the FWs – Ben Lessani Mar 21 '12 at 14:46
  • The firewalls are doing a lot: they filter all the traffic, packet inspection, intrusion detection, amongst other stuff. They are transparent. Please explain your glue block and its benefits. – Arenstar Mar 21 '12 at 17:15
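The "glue block" design suggested in the comments (a small /29 between the HSRP uplink pair and the CARP firewall pair, with the /25 routed to the firewalls' CARP VIP) can be sanity-checked with a short addressing plan. The following is an added example, not code from the thread or from pfSense; the 203.0.113.0/25 and 198.51.100.0/29 prefixes are constructed documentation-range values standing in for the asker's real blocks, and the six-address layout (two real addresses plus one VIP per pair) is an assumption about how such a glue block would be carved up.

```python
from ipaddress import IPv4Address, IPv4Network, ip_network
from typing import Dict, Tuple

# Constructed sample prefixes (not from the thread): the /25 the servers live
# in, and a /29 "glue" block linking the uplink routers to the firewall pair.
PUBLIC_BLOCK = ip_network("203.0.113.0/25")   # assumption: stands in for the asker's /25
GLUE_BLOCK = ip_network("198.51.100.0/29")    # assumption: the /29 glue block from the comments

# Roles that each need one address in the glue block, in assignment order.
GLUE_ROLES = ("router1", "router2", "hsrp_vip", "fw1", "fw2", "carp_vip")


def plan_glue_block(glue: IPv4Network, public: IPv4Network) -> Dict[str, IPv4Address]:
    """Carve the glue block into the six addresses a two-router / two-firewall
    pair needs: a real address per router plus the shared HSRP VIP, and a real
    address per pfSense box plus the shared CARP VIP.

    Raises ValueError when the block is too small or overlaps the routed /25,
    which is exactly what a /30 (two usable hosts) would trip over.
    """
    hosts = list(glue.hosts())
    if len(hosts) < len(GLUE_ROLES):
        raise ValueError(
            f"{glue} has {len(hosts)} usable addresses; need {len(GLUE_ROLES)}"
        )
    if glue.overlaps(public):
        raise ValueError(f"glue block {glue} must not overlap the routed block {public}")
    return dict(zip(GLUE_ROLES, hosts))


def upstream_route(public: IPv4Network, plan: Dict[str, IPv4Address]) -> Tuple[str, str]:
    """The one static route the uplink routers need: the whole /25 via the
    firewalls' CARP VIP. A CARP failover moves the VIP, so the route never changes."""
    return (str(public), str(plan["carp_vip"]))


def firewall_default_route(plan: Dict[str, IPv4Address]) -> str:
    """The firewalls' default gateway is the HSRP VIP, so an uplink failover is
    equally invisible to them."""
    return str(plan["hsrp_vip"])


def usable_server_addresses(public: IPv4Network) -> int:
    """How many addresses remain for servers once the /25 sits entirely behind
    the firewalls (the glue block no longer consumes any of them)."""
    return public.num_addresses - 2  # network and broadcast


if __name__ == "__main__":
    plan = plan_glue_block(GLUE_BLOCK, PUBLIC_BLOCK)
    for role, addr in plan.items():
        print(f"{role:10s} {addr}")
    print("uplink route:", upstream_route(PUBLIC_BLOCK, plan))
    print("firewall default gateway:", firewall_default_route(plan))
    print("server addresses available:", usable_server_addresses(PUBLIC_BLOCK))
```

Running it shows why a /29 is the smallest block that works: it yields exactly six usable addresses, and a /30 raises the ValueError. The payoff is operational rather than cosmetic: both failover mechanisms (HSRP upstream, CARP on the firewalls) move only a VIP, so neither the routers' static route for the /25 nor the firewalls' default route has to change when a box fails.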