topic Re: VSX topology same as "Router on the stick" in Firewall and Security Management

VSX topology same as "Router on the stick"

Martin_Raska — Thu, 01 Sep 2022 08:58:09 GMT

Hello Mates,

I am looking for advice regarding topology and setup.

Currently the customer has one environment with FW where is FW connected only with one bond interface with many VLANs. Those VLANs are used by different customers for their networks like Internal, External etc.

They want to have the same setup with VSX where only one interface is and its Bond. Every VLAN is totally different subnet and is assigned directly to VS. This customer VLAN should be terminated on VS as Bond5.10 IP X.X.X.X.

I am not sure if this is possible to configure it like this as I have only a little experience with VSX design. To make it more complex, the HW is maestro.

I also find that Virtual Router is not supported. sk148074

01413513

All

Virtual Routers are not supported.

So there can be only Virtual switch but I dont know how to fit in this design. Or do we need it at all? Can it work without?

I am attaching the topology and my question is if this setup is possible and supported or advice how to configure it. Thx

Re: VSX topology same as "Router on the stick"

Bob_Zimmerman — Thu, 01 Sep 2022 15:36:16 GMT

You only need a switch context if you want multiple VSs to talk on the same VLAN on the same interface (either physical or bond). In your topology, I don't see the same VLAN being used in two places, so you don't need a switch context.

Re: VSX topology same as "Router on the stick"

Martin_Raska — Fri, 02 Sep 2022 06:58:07 GMT

ok, I also think that Switch is not fitting in the design. Then there is no problem with only one physical interface(with multiple VLANs) for incoming and outgoing traffic as on the topology?

Re: VSX topology same as "Router on the stick"

Bob_Zimmerman — Fri, 02 Sep 2022 14:15:18 GMT

I would recommend using a separate physical interface for managing the VSX box.

If it's meant to be a cluster, you should also use a separate physical interface for sync. Sync should always be run through a switch, not over a simple cable connected directly between the units.

There's definitely no problem with using only one physical interface or only one bond for all VS traffic, though. Just keep in mind that tightly couples your firewall member failure domain with your switch/router failure domain.

Re: VSX topology same as "Router on the stick"

Chris_Atkinson — Fri, 02 Sep 2022 14:25:37 GMT

Further to Bob's comments some of these recommendations are enforced by your hardware choice being Maestro since the corresponding ports are on the orchestrators.

Re: VSX topology same as "Router on the stick"

Martin_Raska — Fri, 02 Sep 2022 14:32:42 GMT

Its maestro, there is separate Mgmt connections and its one member from SC console view, one security group.

Re: VSX topology same as "Router on the stick"

Martin_Raska — Mon, 05 Sep 2022 09:43:40 GMT

I hear this first time, could you explain, please?

"Sync should always be run through a switch, not over a simple cable connected directly between the units."

Re: VSX topology same as "Router on the stick"

Chris_Atkinson — Mon, 05 Sep 2022 09:47:43 GMT

For ClusterXL different topologies for the Sync network have pros and cons.

In the context of Maestro please refer:

sk168092: Maestro Dual Site configuration using a direct connection and via L2 switches