I haven't done this before, but I am sure this has been done on several occasions:
I have a client that has only 1 IP Address and limited ports to his ISP's modem - they want to setup a redundant Firewall (MX105s)... they want to place a switch in between to make this possible.
I don't think this is a good idea due to adding a single point of failure into the WAN setup and I think the cost of using a switch is more than it would to just get another static IP... however... this is what they want... Any Suggestions?
We always get at least 3 IPs so it is just for the physical switch, if you only get one IP then I'd get a basic router to NAT the WAN interfaces of the MXs, we do this where we have to have a VDSL circuit as you'd need a modem anyway so might as well get the ISP to provide a router that also gives you multiple IPs.
If you have a switch stack southbound of the MX pair, just have the ISP come in on one of those. If there is only a single port available on the ISP modem there is still a lack of redundancy if the switch it is plugged into fails, but you would at least be able to swing it over easily.
Limited ports sounds like limited LAN ports = at least two?
If so, why a switch? Use VRRP on the Merakis and connect them to the router.
If you have only one ISP router LAN port, I'm going with @MarkB2; possible problem if the switch fails.
For HA you need two public IPs as the secondary device also needs internet connectivity. And yes, if the ISP device only has one port, you need a switch between these devices.
Two public IPs are a minimum with an HA setup but if you want to use the VIP option, a 3rd public IP is also required.
We always put a switch in between the ISP NTE and our firewalls as in the UK you only ever get one port per service. I generally use Cisco small business unmanaged L2 switches and have had great reliability with them. We don't count it as a single point of failure as we have two ISP connections at each site 😉
We've recently done this due to a flapping port on either the MX or the ISP router. We used an HPE Aruba switch with no config. Works well!
So, how exactly do you configure a switch port for a WAN port then the others uplinked to the Firewalls when you just have one ISP port and one IP?
We do it the same way.
Or we use an existing Meraki switch, configuring a dedicated VLAN on the three ports: ISP, MX1 and MX2. It works like a small switch, but the advantage is: it's managed.