Switch between ISP Modem and Firewalls

SOLVED
GFrazier
Building a reputation

Switch between ISP Modem and Firewalls

I haven't done this before, but I am sure this has been done on several occasions:

 

I have a client that has only 1 IP Address and limited ports to his ISP's modem - they want to setup a redundant Firewall (MX105s)... they want to place a switch in between to make this possible. 

 

I don't think this is a good idea due to adding a single point of failure into the WAN setup and I think the cost of using a switch is more than it would to just get another static IP... however... this is what they want... Any Suggestions?

1 ACCEPTED SOLUTION
cmr
Kind of a big deal
Kind of a big deal

We always get at least 3 IPs so it is just for the physical switch, if you only get one IP then I'd get a basic router to NAT the WAN interfaces of the MXs, we do this where we have to have a VDSL circuit as you'd need a modem anyway so might as well get the ISP to provide a router that also gives you multiple IPs.

View solution in original post

9 REPLIES 9
MarkB2
Here to help

If you have a switch stack southbound of the MX pair just have the ISP come in on one of those. If there is only a single port available on the ISP modern there is still the lack of redundancy if the switch it is plugged into fails, but you would at least be able to swing it over easily.

MarcP
Kind of a big deal

limited ports sound like limited LAN ports = at least two ?

 

If so, why a switch? Use VRRP on the Merakis and connect them to the router.

 

If you have only one ISP Router lan port, I´m going with @MarkB2 , possible - problem if the switch got fails.

KarstenI
Kind of a big deal
Kind of a big deal

For HA you ned two public IPs as the secondary device also needs internet-connectivity. And yes, if the ISP device only has one port, you need a switch between these devices.

PaulMcG
Getting noticed

Two public IPs are a minimum with an HA setup but if you want to use the VIP option, a 3rd public IP is also required.

cmr
Kind of a big deal
Kind of a big deal

We always put a switch in between the ISP NTE and our firewalls as in the UK you only ever get one port per service.  I generally use Cisco small business unmanaged L2 switches and have had great reliability with them.  We don't count it as a single point of failure as we have two ISP connections at each site 😉

JonP
Getting noticed

We've recently done this due to a flapping port on either the MX or the ISP router. We used an HPE Aruba switch with no config. Works well!

GFrazier
Building a reputation

So, how exactly do you configure a switch port for a WAN port then the others uplinked to the Firewalls when you just have one ISP port and one IP?  

cmr
Kind of a big deal
Kind of a big deal

We always get at least 3 IPs so it is just for the physical switch, if you only get one IP then I'd get a basic router to NAT the WAN interfaces of the MXs, we do this where we have to have a VDSL circuit as you'd need a modem anyway so might as well get the ISP to provide a router that also gives you multiple IPs.

redsector
Head in the Cloud

Wo do it the same way.

Or we use an existing Meraki switch, configuring an own VLAN to the three ports: ISP, MX1 and MX2, it´s working like an small switch, but the advantage is: it´s managed.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels