
I have a client that has purchased two SonicWall NSA 5600s, and they would like to run 2 WAN connections from separate providers into the 2 SonicWalls and then into two Cisco switches, so they can achieve full redundancy and failover. What I am confused about is what is needed for this kind of setup. If I understand correctly, one port per router would connect into each firewall. Both switches would have 4 VLANs: one for WAN, one for servers, one for phones and one for client workstations. I would think that spanning tree would need to be enabled for redundancy at the switch level, or an inter-switch link?

Which VLANs would need to be tagged and what VLAN should contain the HA heartbeat cable?

I am having a hard time wrapping my head around how to do this. Any assistance would be greatly appreciated. Thanks! -Sylus

sylus

1 Answer


Following the comment, here is a better overview of what you need.

You missed one detail: have you bought the Active/Active licence for the HA?

  • With it you need two interfaces mapped for the HA. One is for failover, and the second allows Active/Active mode, so that the running state is known by each firewall and a failover is a hot move without interruption for any internet transaction. Without that licence and configuration the router works in Active/Passive mode and the state is lost if the active one switches. It's not really important if your users do simple youtube.com streaming or such, but for SSL transactions, or something like an RDP session, the user will see an interruption and will maybe be asked to re-login.

For the VLANs you route via your two interfaces, you need this:

  • Make a PortShield group for those two ports on each unit.
  • Make each VLAN known to the interface for the route back.

[Modem Cable 1] --- [Switch VLAN Internet 1]

[Modem Cable 2] --- [Switch VLAN Internet 2]

[NSA 1 5600 WAN 1] --- [Switch VLAN Internet 1]

[NSA 1 5600 WAN 2] --- [Switch VLAN Internet 2]

[NSA 1 5600 LAN 1] (portshield - bridging) --- [Switch 1 Trunk (LAN VLAN)] (spanning-tree active)

[NSA 1 5600 LAN 2] (portshield - bridging) --- [Switch 2 Trunk (LAN VLAN)] (spanning-tree active)

[NSA 2 5600 WAN 1] --- [Switch VLAN Internet 1]

[NSA 2 5600 WAN 2] --- [Switch VLAN Internet 2]

[NSA 2 5600 LAN 1] (portshield - bridging) --- [Switch 1 Trunk (LAN VLAN)] (spanning-tree active)

[NSA 2 5600 LAN 2] (portshield - bridging) --- [Switch 2 Trunk (LAN VLAN)] (spanning-tree active)

[NSA 1 xX] --- [NSA 2 xX] One link for basic HA/failover (xX is the interface you choose to use for HA). (For basic HA (Active/Passive))

[NSA 1 xX] --- [NSA 2 xX] A second HA uplink if you can do Active/Active (xX is the interface you choose to use for HA)

And don't forget to stack your NSA 5600s with HA mode.

A bit like shown in this picture:

[image: network diagram]

yagmoth555
  • Thank you for the response yagmoth555. This makes a little bit of sense, but what about the workstation VLANs? Should the workstation VLAN be tagged for Internet 1 and Internet 2? So will the switches only need VLANs, or will an inter-switch link or spanning tree need to be enabled, or just a trunk between switches? – sylus Mar 29 '17 at 15:22
  • Also, there will need to be a site-to-site VPN running as well. How can the VPN stay up without some kind of DNS load balancing? For example, if Internet 1 goes down, I do not see a way to have the VPN stay up on Internet 2 without BGP or something like shared IP addresses between the WAN providers. What am I missing here? Thanks again for your help with this. – sylus Mar 29 '17 at 15:22
  • 1, no, the Internet VLAN allows your two routers to access the cable modem, but as your routers will work in HA mode, only one will use the feed – yagmoth555 Mar 29 '17 at 16:04
  • 1, you keep the workstation VLAN as another VLAN, to be used as your router's LAN – yagmoth555 Mar 29 '17 at 16:05
  • 2, create both VPN tunnels; if one fails the other will come up – yagmoth555 Mar 29 '17 at 16:06
  • 2, the DNS balancing is more for when you have a service, like a web server, but that is another big topic – yagmoth555 Mar 29 '17 at 16:07
  • So for the workstation VLAN and camera VLAN, would I tag them into the Internet 1 VLAN as well as the Internet 2 VLAN and use the firewall's virtual IP address as the gateway IP? Thanks. – sylus Mar 29 '17 at 17:20
  • @sylus no. That VLAN is to share the cable modem; do your workstations have a public IP, or do your cameras? For the virtual gateway, yes, but it will be another connection to your switch from your SonicWall, not shown in my drawing. – yagmoth555 Mar 29 '17 at 17:27
  • The cameras and the workstations have private IP addresses. So how would I get the camera VLAN and workstation VLAN out to the Internet? Would a static route have to be made for each of the VLANs? – sylus Mar 29 '17 at 17:46
  • You mentioned the virtual gateway would need an extra connection to the switch from the SonicWall, so does that mean 1 additional cable from SonicWall 1 to switch 1 and from SonicWall 1 to switch 2, and additional cables from SonicWall 2 to switch 1 and switch 2? – sylus Mar 29 '17 at 17:58
  • Yes, those cables would need spanning tree activated in your switch – yagmoth555 Mar 29 '17 at 18:02
  • Thanks. It all makes sense now, but how do I get the traffic out of the workstation VLANs and camera VLANs without tagging them so they can get to the Internet? Thanks for all your help on this. – sylus Mar 29 '17 at 19:10
  • @sylus If you split your LAN into those VLANs you will have to create a DHCP scope and route from your SonicWall; that means you will have 4x cables per NSA (2x VLAN PC, 2x VLAN camera) – yagmoth555 Mar 29 '17 at 19:16
  • Thanks yagmoth555. Interesting. So one would be outgoing from the PC VLAN to NSA 1 and one from the PC VLAN to NSA 2, and one would be outgoing from the camera VLAN to NSA 1 and one from the camera VLAN to NSA 2? Is it one cable per VLAN for outbound to the NSA and the other for inbound to the switch per VLAN, or is this for link redundancy? Thanks again. – sylus Mar 29 '17 at 20:27
  • @sylus yes, sorry, I misread your comment at first – yagmoth555 Mar 29 '17 at 20:43
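To make the drawing in the answer concrete, here is an added Cisco IOS configuration for Switch 1 of the pair. It is example code written for this page, not the answerer's own configuration and not from the original post. VLAN IDs, interface numbers and the X0/X1/X3 labels for the SonicWall ports are assumptions. It also adds the layer-2 hardening a practitioner would want when the Internet VLAN shares switches with the internal VLANs: the WAN VLAN is confined to the ports that need it and kept off every trunk, trunks carry an explicit VLAN list with an unused native VLAN (so a double-tagged frame from a user port has nowhere to hop to), and BPDU guard shuts down any edge port that starts talking spanning tree.

```cisco
! Added example (not from the original post): Switch 1 of the pair.
! VLAN IDs, port numbers and the X0/X1/X3 SonicWall labels are assumptions.
! Switch 1 hosts modem 1 and both NSAs' WAN1 and X0 ports; Switch 2 mirrors
! this with modem 2, VLAN 20 (WAN2), both NSAs' WAN2 ports and their X3 ports.
!
vlan 10
 name WAN1-ISP1
vlan 30
 name SERVERS
vlan 40
 name PHONES
vlan 50
 name WORKSTATIONS
vlan 999
 name UNUSED-NATIVE
!
! Rapid PVST: the Sw1<->Sw2 trunk plus the firewall's bridged LAN ports
! (X0 on Sw1, X3 on Sw2) form a layer-2 loop, so spanning tree must run.
spanning-tree mode rapid-pvst
! Edge ports never receive BPDUs; one that does is err-disabled instead
! of being allowed to insert a rogue switch into the topology.
spanning-tree portfast bpduguard default
!
! Cable modem 1 and the WAN1 port of each NSA: plain access ports in
! VLAN 10. Nothing else ever joins this VLAN, and it stays off the trunks.
interface GigabitEthernet1/0/1
 description ISP1 cable modem
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
interface GigabitEthernet1/0/2
 description NSA1 X1 (WAN1)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
interface GigabitEthernet1/0/3
 description NSA2 X1 (WAN1)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! Firewall LAN side: an 802.1Q trunk carrying only the internal VLANs.
! The firewall routes between them; the WAN VLAN is never on this link.
! In Active/Passive HA only the active NSA forwards on X0.
interface GigabitEthernet1/0/4
 description NSA1 X0 (LAN trunk)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 30,40,50
 switchport nonegotiate
interface GigabitEthernet1/0/5
 description NSA2 X0 (LAN trunk)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 30,40,50
 switchport nonegotiate
!
! Inter-switch link: internal VLANs only. Because modem 1 and both WAN1
! ports sit on this switch, VLAN 10 has no reason to cross it.
interface GigabitEthernet1/0/48
 description Trunk to Switch 2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 30,40,50
 switchport nonegotiate
!
! Workstation ports, with the phone VLAN as the voice VLAN. Access mode
! only, never a WAN VLAN; BPDU guard is inherited from the global default.
interface range GigabitEthernet1/0/9 - 40
 switchport mode access
 switchport access vlan 50
 switchport voice vlan 40
 spanning-tree portfast
!
! HA heartbeat: cable the two NSAs' HA ports back to back so it never
! touches the switches and needs no VLAN. If it must go through them,
! give it a VLAN of its own that exists only on those two ports and
! on the inter-switch trunk.
```

On the firewall side this layout pairs with 802.1Q VLAN sub-interfaces on X0 for VLANs 30, 40 and 50, each with its own DHCP scope, so the workstations and cameras reach the Internet by routing through the firewall rather than by being tagged into the Internet VLAN. On Catalyst platforms that only support 802.1Q, the `switchport trunk encapsulation dot1q` line is rejected and can simply be dropped. The assumed port numbers are illustrative; what matters is that each port is either an access port in exactly one VLAN or a trunk with an explicit allowed list.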