Cisco – Sonicwall NSA 5600 Dual Wan / HA + Dual Switches how to setup fault tolerance and VLANs

Tags: cisco, sonicwall, switch, wan

I have a client that has purchased two SonicWall NSA 5600s and they would like to run two WAN connections from separate providers into two SonicWalls into two Cisco switches so that they can achieve full redundancy and fail-over.

What I am confused about is what is needed for this kind of setup?

If I understand correctly, one port per router would connect into each firewall. Both switches would have 4 VLANs, one for WAN, one for servers, one for phones, and one for client workstations. I would think that spanning tree would need to be enabled for redundancy at the switch level or inter-switch link, possibly LACP between the switches?

Which VLANs would need to be tagged and what VLAN should contain the HA heartbeat cable?

I am having a hard time wrapping my head around how to do this. Any assistance would be greatly appreciated.
[Image: Site1Diagram]

Best Answer

You are mixing some concepts about HA, redundancy, port-channels and VLAN. Let's try to define every part of this network design.

HA Firewall

You need to connect 2 firewalls directly with one (or two) cables back-to-back for Control & Data. This consumes one (or two) ethernet ports in every firewall.

This connection is just "a HA link". You don't need to define any special config about VLAN, addressing or anything.

Additionally, you need to replicate exactly every cable in Primary Firewall and Secondary Firewall. I mean, if your FW1 X0 goes to VLAN 10 untagged in the core, you need to put FW2 X0 to same VLAN 10 untagged.

WANs

Typically, every WAN connection has a cable from ISP device. But, remember you need 2 cables for every interface in the Firewall. You need Layer 2 visibility for ISP Router, FW1-X1 and FW2-X1 (assuming default WAN). You can achieve this in several ways but two are more typical:

  • Ask ISP to provide a second cable in the router. First cable goes to FW1 and second cable goes to FW2. The router provides layer 2 visibility.
  • Create an infrastructure VLAN in your core switch. Create a L2 VLAN (not routed) to connect cable from ISP router, FW1-X1 and FW2-X1.

About the second WAN, you just need to replicate the physical connection in other router/VLAN/FW port.

Just remember that you are approaching 2 different things: device/link redundancy with double cable to ISP and WAN failover using 2 different ISP providers.

Internal connections

You have several LANs understood as "Users", "VoIP", "DMZ" and so on. Each of these LANs has a logical interface in the firewall. This interface can be unique for the LAN (untagged frames from core to FW) or shared between LANs (FW subinterfaces and tagged frames from core to FW).

In these two scenarios, you need to make again a double cable connection from FW to Cores. For example, if you use X0 for LAN_Users and your VLAN Users have ID 10. Then you need to connect a cable from FW1-X0 to a port in core as access VLAN 10 and another cable from FW2-X0 to another port in core as access VLAN 10. No need for STP because you are defining FW as L3 ports.

The best approach is to try to plug every firewall in a different device BUT in the same forwarding plane. I mean, you can have a single device, a stack or a MLAG with VLT/VPC technologies. In the first case, plug the cable to same device. In the other two cases, distribute your cables to different switches.

About port-channels, it's an extra link redundancy but in my opinion it is not worth wasting FW ports in this HA scenario. If a device/link fails, it just triggers a FW failover and you will work through the other Firewall.
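The "replicate exactly every cable" rule from the HA section and the access/trunk cabling from the WANs and Internal connections sections lend themselves to a mechanical check before anyone touches the core. The script below is an added example, not code from the question, the answer, or any vendor: it models a cabling plan as a list of (firewall, interface, switch member, switch port, VLANs, tagged) records, flags any FW1 cable that FW2 does not mirror with the same VLANs and tagging mode (and warns when both twins land on the same switch member of a stack/MLAG), and renders the corresponding Cisco IOS switchport stanzas. All interface names, VLAN IDs and port numbers are constructed sample values; the `Cable` class and the function names are this example's own.

```python
# Added example (not from the original question or answer): a checker for the
# answer's "mirror every cable on FW1 and FW2" rule, plus a renderer that
# emits Cisco IOS switchport stanzas for the firewall-facing core ports.
# Interface names, VLAN IDs and port numbers are constructed sample values.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Cable:
    fw: str                  # "FW1" (primary) or "FW2" (secondary)
    fw_port: str             # SonicWall interface, e.g. "X0"
    switch: str              # core switch member the cable lands on
    sw_port: str             # switch port, e.g. "Gi1/0/1"
    vlans: Tuple[int, ...]   # VLAN IDs carried on this cable
    tagged: bool             # False = access port (untagged), True = 802.1Q trunk


# Constructed sample plan: X0 = LAN users (access VLAN 10), X1 = WAN1 via an
# L2-only ISP VLAN 901, X2 = trunk carrying VoIP 20 and DMZ 30 to SonicWall
# subinterfaces.  Every FW1 cable has a twin on FW2 on the other stack member,
# as the answer recommends for a stack/MLAG core.
PLAN: List[Cable] = [
    Cable("FW1", "X0", "core-1", "Gi1/0/1", (10,), False),
    Cable("FW2", "X0", "core-2", "Gi2/0/1", (10,), False),
    Cable("FW1", "X1", "core-1", "Gi1/0/2", (901,), False),
    Cable("FW2", "X1", "core-2", "Gi2/0/2", (901,), False),
    Cable("FW1", "X2", "core-1", "Gi1/0/3", (20, 30), True),
    Cable("FW2", "X2", "core-2", "Gi2/0/3", (20, 30), True),
]


def mirror_violations(plan: List[Cable]) -> List[Tuple[str, str]]:
    """Return (fw_port, reason) pairs where FW2 does not mirror FW1.

    The answer's rule: if FW1 X0 is VLAN 10 untagged, FW2 X0 must be VLAN 10
    untagged too.  Same VLAN set and same tagging mode on every interface.
    """
    by_fw: Dict[str, Dict[str, Cable]] = {}
    for c in plan:
        by_fw.setdefault(c.fw, {})[c.fw_port] = c
    fw1, fw2 = by_fw.get("FW1", {}), by_fw.get("FW2", {})
    problems: List[Tuple[str, str]] = []
    for port in sorted(set(fw1) | set(fw2)):
        a, b = fw1.get(port), fw2.get(port)
        if a is None or b is None:
            problems.append((port, "cabled on only one firewall"))
        elif a.tagged != b.tagged:
            problems.append((port, "tagging mode differs between FW1 and FW2"))
        elif set(a.vlans) != set(b.vlans):
            problems.append((port, "VLAN set differs between FW1 and FW2"))
        elif not a.tagged and len(a.vlans) != 1:
            problems.append((port, "an untagged (access) cable can carry exactly one VLAN"))
        elif a.switch == b.switch:
            # Not a config error, but one chassis failure takes both cables down.
            problems.append((port, "both firewalls land on the same switch member"))
    return problems


def ios_switchport(c: Cable) -> str:
    """Render one Cisco IOS interface stanza for a firewall-facing core port."""
    lines = [f"interface {c.sw_port}", f" description {c.fw}-{c.fw_port}"]
    if c.tagged:
        allowed = ",".join(str(v) for v in c.vlans)
        lines += [" switchport mode trunk", f" switchport trunk allowed vlan {allowed}"]
    else:
        lines += [" switchport mode access", f" switchport access vlan {c.vlans[0]}"]
    # The firewall is an L3 endpoint, not a switch: treat the port as an edge
    # port so it forwards at once and never takes part in the STP topology.
    lines.append(" spanning-tree portfast" + (" trunk" if c.tagged else ""))
    return "\n".join(lines)


def l2_only_vlan(vid: int, name: str) -> str:
    """Define a VLAN with no SVI, i.e. the 'not routed' ISP VLAN from the answer."""
    return f"vlan {vid}\n name {name}"


def render_plan(plan: List[Cable]) -> str:
    """Refuse to render a plan that breaks the mirroring rule."""
    bad = mirror_violations(plan)
    if bad:
        raise ValueError("plan is not HA-symmetric: " + "; ".join(f"{p}: {r}" for p, r in bad))
    return "\n!\n".join(ios_switchport(c) for c in plan)


if __name__ == "__main__":
    print(l2_only_vlan(901, "ISP1-L2"))
    print("!")
    print(render_plan(PLAN))
```

Running the script prints the VLAN definition and six interface stanzas; changing FW2 X0 to VLAN 11, or moving it onto core-1 next to its twin, makes `render_plan` raise with the offending interface named, which is exactly the asymmetry the answer warns about. The checker deliberately knows nothing about the HA heartbeat link, because that cable runs back-to-back between the two firewalls and never touches the core.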