Routing Switch VLAN NAT Subnet – Best Practices for 2 Publicly Available Subnet VLANs and Inter VLAN Routing

Tags: nat, routing, subnet, switch, vlan

I am looking for some expert networking advice on what would be "best practice" if I wanted to achieve the goal below based on the available equipment we have.

Equipment:

  • SonicWALL TZ 105
  • HP V1910-48G

Goal(s):

  • 2x external subnet VLANs that can provide service to internet through DNAT from SonicWALL i.e. 192.168.1.0/24 & 192.168.10.0/24.
  • Hosts in these two external subnets can reach the internet.
  • Hosts in these two external subnets can route / communicate to each other.
  • There will be other "private" subnet VLANS (storage, backup, management, etc.) but these of course do not need to be externally route-able or reachable.

I have read two trains of thought on how to set this up so far.

The first is to "hairpin" route through the SonicWALL by creating sub-interfaces (VLAN-aware) ports on the SonicWALL and trunk to the switch. I believe this is called Router-on-a-stick?

The second is to create a separate "routing" domain (subnet) between the switch and firewall so there would effectively be three subnet VLANS: 192.168.0.0/24 between firewall and switch and the aforementioned two inter-VLAN subnets 192.168.1.0/24 and 192.168.10.0/24.

I probably clobbered those examples and got some terminology wrong but basically, what would best practice be to ensure security, scalability, etc.? Also, I would not mind knowing the expedient setup just in case I cannot get it set up "proper".

P.S. So far I have tried the former setup but have only been successful in getting one of the external subnet VLANs to be able to reach the internet.

Best Answer

It kind of depends on how much data you will be moving between these two external subnets. If you allow the HP to route directly between those subnets, you can have as many 1GB streams between them as you have ports configured for them. With "router-on-a-stick" (I've always called it vlan-on-a-stick, but same concept), you would be limited to just 1GB in total throughput between the vlans (leaving out the possibility of doing an lacp trunk between the SonicWALL and the HP).

In doing this method, the third vlan would be considered a "transit network", and would make it easier down the road as your network grows to implement a dynamic routing protocol, or to add more routers into the network, if the need ever arises.

The HP switch would be acting as your layer 3 core, and you would have an IP address in each of the 3 vlans. The SonicWALL would need only an access port to the transit network, and its own IP on that network.

From there, a default route statement in the HP pointing to the SonicWALL's transit net ip address, and two static routes in the SonicWALL (one for each of your 'external' subnets) pointing back at the HP's transit net IP.

The easy button is to simply run a vlan trunk to the SonicWALL, and put an address on each of the vlans you want to route for. I've done it this way in the past, and if you don't plan on heavy traffic, it's perfectly viable, and pretty easy to configure.

If you could post some of your route statements in your attempts at setting up the transit net, I'm sure someone could help you get that straightened out.
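The transit-network design described in the answer (HP as the layer-3 core with an IP in each VLAN, SonicWALL with a single access port on the transit VLAN, a default route on the HP, two static routes on the SonicWALL), modelled as a small route-lookup trace. This is an added example, not part of the original post or either vendor's configuration; the transit addresses 192.168.0.1/.2 and the 203.0.113.1 WAN gateway are assumed values.

```python
import ipaddress

# Constructed routing tables for the transit-network design. All addresses
# are assumptions: HP .2 and SonicWALL .1 on the transit VLAN 192.168.0.0/24.
HP_TRANSIT_IP, FW_TRANSIT_IP = "192.168.0.2", "192.168.0.1"

# Route entries: (prefix, next_hop), next_hop None = directly connected.
HP_ROUTES = [
    ("192.168.0.0/24", None),           # transit VLAN (connected)
    ("192.168.1.0/24", None),           # external VLAN (connected)
    ("192.168.10.0/24", None),          # external VLAN (connected)
    ("0.0.0.0/0", FW_TRANSIT_IP),       # default route to the SonicWALL
]
FW_ROUTES = [
    ("192.168.0.0/24", None),           # transit VLAN (connected)
    ("192.168.1.0/24", HP_TRANSIT_IP),  # static route back to the HP
    ("192.168.10.0/24", HP_TRANSIT_IP), # static route back to the HP
    ("0.0.0.0/0", "203.0.113.1"),       # WAN default (constructed ISP gateway)
]
ROUTERS = {"hp": HP_ROUTES, "sonicwall": FW_ROUTES}
# Which device answers for each next-hop address on the transit VLAN.
NEXT_HOP_OWNER = {HP_TRANSIT_IP: "hp", FW_TRANSIT_IP: "sonicwall"}


def lookup(routes, dst):
    """Longest-prefix match; returns (prefix, next_hop) or None."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nh) for p, nh in routes
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    net, nh = max(matches, key=lambda m: m[0].prefixlen)
    return str(net), nh


def trace(start, dst, routers=ROUTERS, max_hops=8):
    """Follow the routing tables hop by hop; returns (path, outcome)."""
    path, here = [], start
    while here in routers and len(path) < max_hops:
        path.append(here)
        match = lookup(routers[here], dst)
        if match is None:
            return path, "unroutable"
        _, nh = match
        if nh is None:
            return path, "delivered"            # destination is on a local VLAN
        if nh not in NEXT_HOP_OWNER:
            return path, f"forwarded to {nh}"   # leaves the modelled network (WAN)
        here = NEXT_HOP_OWNER[nh]
    return path, "loop"
```

Running the same trace with the two static routes removed from the SonicWALL table is the check to do first when a subnet can reach out but not back: the firewall then has no route to 192.168.1.0/24 or 192.168.10.0/24 and sends the return traffic out its WAN default instead of to the HP.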