Martin_Raska
Advisor

VSX topology same as "Router on the stick"

Hello Mates,

I am looking for advice regarding topology and setup.

Currently the customer has one environment with a FW, where the FW is connected only with one bond interface carrying many VLANs. Those VLANs are used by different customers for their networks, like Internal, External, etc.
They want to have the same setup with VSX, where there is only one interface and it is a bond. Every VLAN is a totally different subnet and is assigned directly to a VS. This customer VLAN should be terminated on the VS as bond5.10 with IP X.X.X.X.

I am not sure if it is possible to configure it like this, as I have only a little experience with VSX design. To make it more complex, the HW is Maestro.

I also found that Virtual Router is not supported: sk148074

> 01413513 | All | Virtual Routers are not supported.
So there can only be a Virtual Switch, but I don't know how to fit it into this design. Or do we need it at all? Can it work without one?

I am attaching the topology. My question is whether this setup is possible and supported, or else advice on how to configure it. Thx
7 Replies
Bob_Zimmerman
Authority

You only need a switch context if you want multiple VSs to talk on the same VLAN on the same interface (either physical or bond). In your topology, I don't see the same VLAN being used in two places, so you don't need a switch context.
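An added example, not from this thread or from Check Point, that applies Bob's rule to a planned interface/VLAN assignment: a Virtual Switch context is only needed where the same VLAN on the same interface is used by more than one VS. The plan data, VS names and subnets are constructed; the function also flags overlapping subnets, which the original question assumes never happens.

```python
import ipaddress
from collections import defaultdict

# Constructed plan (hypothetical): (virtual system, interface, VLAN ID, subnet).
# Naming mirrors the thread: interface bond5 with VLAN 10 becomes "bond5.10".
PLAN = [
    ("vs_customerA", "bond5", 10, "10.10.0.0/24"),
    ("vs_customerA", "bond5", 11, "10.11.0.0/24"),
    ("vs_customerB", "bond5", 20, "10.20.0.0/24"),
    ("vs_customerC", "bond5", 21, "10.21.0.0/24"),
]


def shared_vlans(plan):
    """Map sub-interface name -> sorted list of VSs, only for (interface, VLAN)
    pairs used by more than one VS. An empty dict means every VLAN terminates
    on exactly one VS, so no Virtual Switch context is required."""
    users = defaultdict(set)
    for vs, iface, vlan, _subnet in plan:
        users[(iface, vlan)].add(vs)
    return {
        f"{iface}.{vlan}": sorted(vss)
        for (iface, vlan), vss in users.items()
        if len(vss) > 1
    }


def overlapping_subnets(plan):
    """Return pairs of sub-interfaces whose subnets overlap; the thread's design
    assumes each VLAN is a distinct subnet, so this list should be empty."""
    nets = [
        (f"{iface}.{vlan}", ipaddress.ip_network(subnet))
        for _vs, iface, vlan, subnet in plan
    ]
    pairs = []
    for i in range(len(nets)):
        for j in range(i + 1, len(nets)):
            if nets[i][1].overlaps(nets[j][1]):
                pairs.append((nets[i][0], nets[j][0]))
    return pairs


def needs_virtual_switch(plan):
    """True only when some VLAN on some interface is shared by several VSs."""
    return bool(shared_vlans(plan))


if __name__ == "__main__":
    print("virtual switch needed:", needs_virtual_switch(PLAN))
    print("shared VLANs:", shared_vlans(PLAN))
    print("overlapping subnets:", overlapping_subnets(PLAN))
```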
Martin_Raska
Advisor

OK, I also think that a Switch does not fit in the design. Then there is no problem with only one physical interface (with multiple VLANs) for incoming and outgoing traffic, as on the topology?
Bob_Zimmerman
Authority

I would recommend using a separate physical interface for managing the VSX box.

If it's meant to be a cluster, you should also use a separate physical interface for sync. Sync should always be run through a switch, not over a simple cable connected directly between the units.

There's definitely no problem with using only one physical interface or only one bond for all VS traffic, though. Just keep in mind that this tightly couples your firewall member failure domain with your switch/router failure domain.
Martin_Raska
Advisor

It's Maestro; there are separate Mgmt connections, and it's one member from the SC console view, one security group.
Martin_Raska
Advisor

This is the first time I've heard this; could you explain, please?

"Sync should always be run through a switch, not over a simple cable connected directly between the units."
Chris_Atkinson
Employee

For ClusterXL, different topologies for the Sync network have pros and cons.

In the context of Maestro, please refer to:

sk168092: Maestro Dual Site configuration using a direct connection and via L2 switches

CCSM R77/R80/ELITE
Chris_Atkinson
Employee

Further to Bob's comments, some of these recommendations are enforced by your hardware choice being Maestro, since the corresponding ports are on the orchestrators.

CCSM R77/R80/ELITE