Network Redesign
We are redesigning our mid-size network (~1500-2000 nodes) with new Spine/Leaf switches in the core connecting out to an HA pair of Sonicwall 5600s in Active/Standby mode.
Spines: S5232F-ON
Leafs: S5248F-ON
We want to terminate our VLANs in the Spine switch using VRRP, but also bring the VLANs into Zones on the firewall for east/west traffic control. Is this possible?
We started going down the route of a VLAN trunk and setting up VLANs in the Sonicwall, but the link aggregation option disappears on the trunk port.
Do we want to use the redundant port option instead? The two Spines will be set up to use VLT and VRRP.
Answers
I'll take a stab at this since no one else has...
"We want to terminate our VLANs in the Spine switch using VRRP, but also bring the VLANs into Zones on the firewall for east/west traffic control. Is this possible?"
I don't believe the Sonicwall will like this. Anytime I've had VLANs terminated on a switch but also exist on the Sonicwall I've run into routing issues.
"Do we want to use the redundant port option instead? The two Spines will be set up to use VLT and VRRP."
It'd be your only option in an HA config, but I'm not sure it'll provide you what you want.
Some reading: https://www.sonicwall.com/support/knowledge-base/how-to-configure-link-aggregation/170505763142649/
http://help.sonicwall.com/help/sw/eng/9600/26/2/3/content/HA_AAClusteringFullMesh.htm
https://www.sonicwall.com/support/knowledge-base/how-do-i-configure-static-link-aggregation-vlan-trunks-when-extending-networks-to-portshield-groups/170505988976495/
You should reach out to pre-sales support on this.
We set up a lab test of our equipment as a proof of concept.
The VLANs are terminating in the spine and each is using VRRP and a VRF.
This allows us to route each VLAN up to the Sonicwall (for east/west traffic inspection). Also, we can route-leak between VRFs if needed, to bypass the firewall VLAN routing. I've read that the VRFs act as a way to virtualize and separate the routing tables so that it does not occur in the spine/core.
Also, I am interested in how other folks would secure (or gain visibility into) east/west traffic in a medium environment with 20+ VLANs using a similar topology. We are moving off of a single core switch to a highly available spine/leaf design. The old setup is just physical interfaces acting as default gateways for the VLANs, all in the same zone.
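As an added example (my own, not the poster's lab config and not Dell OS10 or SonicOS code): a small Python model of the design in the post above, one VRF per VLAN with a default route that hands everything to the Sonicwall and explicit route leaks for the flows allowed to bypass it. Its point is the visibility question: given the leaks, which VLAN pairs never cross the firewall, and which leaks are one-way so the firewall only ever sees the return half of a flow. Every VRF name, VLAN id, prefix, zone name and leak in it is constructed for illustration.

```python
"""Model of the spine-terminated VLAN/VRF design from the lab test above.

Added example (my own, not the poster's lab config and not Dell OS10 or
SonicOS code). Every VRF name, VLAN id, prefix, zone and leak below is
constructed for illustration. It keeps the design idea only: one VRF per
VLAN, each VRF's default route handing traffic to the SonicWall, and explicit
route leaks for flows that are allowed to bypass the firewall.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Tuple

FIREWALL = "firewall"  # next hop label: hand the packet to the SonicWall
LOCAL = "local"        # destination is on the VLAN itself, stays inside the VRF


@dataclass
class Vrf:
    name: str
    vlan: int
    prefix: IPv4Network          # the VLAN subnet, connected in this VRF
    zone: str                    # SonicWall zone of the firewall's sub-interface in this VLAN
    leaks: Dict[IPv4Network, str] = field(default_factory=dict)  # leaked prefix -> VRF it lives in

    def routes(self) -> List[Tuple[IPv4Network, str]]:
        """Routing table as (prefix, next hop), most specific first."""
        table = [(self.prefix, LOCAL)]
        table += [(p, "vrf:" + target) for p, target in self.leaks.items()]
        table.append((ip_network("0.0.0.0/0"), FIREWALL))
        return sorted(table, key=lambda r: r[0].prefixlen, reverse=True)


def lookup(vrf: Vrf, dst: IPv4Address) -> str:
    """Longest-prefix match inside one VRF; the default route always matches."""
    for prefix, next_hop in vrf.routes():
        if dst in prefix:
            return next_hop
    raise AssertionError("default route missing")


def resolve(fabric: Dict[str, Vrf], src_vrf: str, dst: str, max_hops: int = 8) -> List[str]:
    """Path a packet takes through the spine: VRFs crossed, then 'firewall' or 'local'."""
    target = ip_address(dst)
    path, current = [src_vrf], src_vrf
    for _ in range(max_hops):
        next_hop = lookup(fabric[current], target)
        if next_hop.startswith("vrf:"):          # route leak: continue in the other VRF
            current = next_hop[len("vrf:"):]
            path.append(current)
            continue
        path.append(next_hop)
        return path
    raise RuntimeError("route-leak loop between VRFs")


def bypasses(fabric: Dict[str, Vrf]) -> List[Tuple[str, str]]:
    """Ordered VRF pairs whose traffic never reaches the firewall (every leak)."""
    found = []
    for src_vrf in fabric.values():
        for dst_vrf in fabric.values():
            if src_vrf is dst_vrf:
                continue
            host = str(dst_vrf.prefix.network_address + 1)   # any host in the target VLAN
            if resolve(fabric, src_vrf.name, host)[-1] != FIREWALL:
                found.append((src_vrf.name, dst_vrf.name))
    return found


def asymmetric_leaks(fabric: Dict[str, Vrf]) -> List[Tuple[str, str]]:
    """Leaks with no leak back: the firewall would see only the return half of the flow."""
    all_bypasses = set(bypasses(fabric))
    return [(a, b) for a, b in bypasses(fabric) if (b, a) not in all_bypasses]


# Constructed lab fabric (assumption): three VLANs, one VRF each, one symmetric
# leak (USERS <-> SERVERS) and one leak deliberately left one-way (USERS -> PRINTERS).
FABRIC: Dict[str, Vrf] = {
    "USERS": Vrf("USERS", 10, ip_network("10.10.0.0/24"), "LAN_USERS",
                 {ip_network("10.20.0.0/24"): "SERVERS", ip_network("10.30.0.0/24"): "PRINTERS"}),
    "SERVERS": Vrf("SERVERS", 20, ip_network("10.20.0.0/24"), "LAN_SERVERS",
                   {ip_network("10.10.0.0/24"): "USERS"}),
    "PRINTERS": Vrf("PRINTERS", 30, ip_network("10.30.0.0/24"), "LAN_PRINTERS"),
}

if __name__ == "__main__":
    for flow in (("USERS", "10.20.0.5"), ("PRINTERS", "10.10.0.5"), ("USERS", "203.0.113.9")):
        print(flow, "->", " > ".join(resolve(FABRIC, *flow)))
    print("bypass firewall:", bypasses(FABRIC))
    print("one-way leaks:", asymmetric_leaks(FABRIC))
```

The model deliberately leaves out the Sonicwall's own routing table: in the design above it is directly connected to every VLAN through the trunk sub-interfaces, so it needs no extra routes. The one-way-leak check is the one I would run before every change to the leak list: a stateful firewall that never saw the first packet of a session drops the reply when it arrives, so a leak that exists in only one direction breaks the flow rather than merely hiding half of it.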