Internal & perimeter firewall topology: Different Link aggregation between a PaloAlto Perimeter and an Internal Firewall to Intermediate Switch


L1 Bithead

I have an HA Active/Passive perimeter firewall (PA-820) that connects directly to DMZ ToR switches and to a second intermediate switch stack (Dell N3024 switches with a 2x10G stack cable), which in turn connects to an internal FortiGate (FG600 series) firewall. I want to upgrade the link speed from the internal firewall to the switch as well as from the perimeter firewall to this same switch stack. Unfortunately, the FortiGate has run out of Cu ports and is left only with fiber SFP ports, so I have to leave that one as is, i.e. only 2x1G Cu UTP to the switch. But the internal firewall has plenty of port space to expand the link aggregation from it to the switch, so I was thinking of upgrading this from 2x1G to 4 or 8x1G. What is bothering me, though, is what would happen with high-volume traffic, as this connection is currently point-to-point in a nutshell if one removes the switch from the picture. How well will the interconnect/middle switch manage its job when one end has a 4G link aggregate and the other end a 2G link aggregate?

Appreciate all your insights!

2 REPLIES

Cyber Elite

Hello,

Why use the FortiGate at all? Redesign the network with the PAN at the 'center', i.e. all traffic passing through it. Are there bandwidth constraints now? You can always have 2x ports in an aggregate from the PAN to the switches. Trunk all VLANs to the PAN and have the rules there.


Just a thought.

L4 Transporter

Hi


As @OtakarKlier has said, I am not sure why you wouldn't be using the PA in place of the FortiGate. However, to answer your question, I imagine the issue will come when you start to push more than 2 Gb/s through that link (which is now possible as your upstream is now 4 Gb/s): the switch will have no option but to queue the traffic, and as the interface buffers become full it will start to tail-drop packets. So if you have critical or connection-sensitive traffic you would have to control the flow through QoS.

Hope that helps.

PCCSA PCNSA PCNSE PCSAE
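The queue-then-tail-drop behaviour described in the reply above, as an added example that is not part of the original thread: a toy fluid model of one switch output queue that is fed by a 4 Gb/s aggregate and drained by a 2 Gb/s aggregate. The 1 ms tick, the 1 MB and 2 MB buffer budgets and the offered-load profiles are assumptions chosen for illustration, not Dell N3024 figures. A second helper, also an assumption (CRC32 stands in for whatever hash the switch or firewall actually uses), shows the other sizing caveat a practitioner would want: a LAG pins each flow to one member link, so a single flow never exceeds one member's speed no matter how many 1G ports are bundled.

```python
"""Toy model of the asymmetric LAG hand-off discussed in the thread.

Assumptions (not from the thread): a single FIFO output queue with a fixed
byte budget, tail-drop when that budget is exhausted, a 1 ms scheduling tick,
and constructed offered-load profiles. Buffer sizes are illustrative only.
"""
import zlib
from dataclasses import dataclass

TICK_S = 0.001  # 1 ms simulation step (assumed)


@dataclass
class QueueStats:
    offered_bytes: int
    forwarded_bytes: int
    dropped_bytes: int
    max_queue_bytes: int  # deepest the queue got, measured after each drain

    @property
    def drop_ratio(self) -> float:
        return self.dropped_bytes / self.offered_bytes if self.offered_bytes else 0.0


def offered_profile(rate_bps: float, ticks: int) -> list:
    """Constant offered load in bit/s for a number of ticks (constructed input)."""
    return [rate_bps] * ticks


def simulate_tail_drop(offered_bps_per_tick, egress_bps: float, buffer_bytes: int) -> QueueStats:
    """Push an ingress profile (one offered rate per tick) through one output queue
    drained at egress_bps. Bytes arriving when the queue is full are tail-dropped,
    which is the behaviour the reply describes once the 2 Gb/s side saturates."""
    drain_per_tick = int(egress_bps * TICK_S / 8)  # bytes the slower LAG sends per tick
    queue = offered = forwarded = dropped = max_q = 0
    for rate_bps in offered_bps_per_tick:
        arriving = int(rate_bps * TICK_S / 8)
        offered += arriving
        accepted = min(arriving, buffer_bytes - queue)  # only what fits in the buffer
        dropped += arriving - accepted                  # the rest is tail-dropped
        queue += accepted
        sent = min(queue, drain_per_tick)               # egress LAG drains at line rate
        queue -= sent
        forwarded += sent
        max_q = max(max_q, queue)
    return QueueStats(offered, forwarded, dropped, max_q)


def lag_member(src_ip: str, dst_ip: str, src_port: int, dst_port: int, members: int) -> int:
    """Pick the LAG member for a 4-tuple. CRC32 is an assumed stand-in for the
    vendor hash; the point is that the choice is deterministic per flow, so one
    flow is capped at a single member's speed (1 Gb/s here) regardless of bundle size."""
    key = f"{src_ip}|{dst_ip}|{src_port}|{dst_port}".encode()
    return zlib.crc32(key) % members


if __name__ == "__main__":
    gbps = 1e9
    steady = simulate_tail_drop(offered_profile(4 * gbps, 1000), 2 * gbps, 1_000_000)
    print(f"4G sustained into 2G, 1 MB buffer: drop ratio {steady.drop_ratio:.3f}")
    burst = offered_profile(4 * gbps, 5) + offered_profile(0, 20)
    for buf in (1_000_000, 2_000_000):
        b = simulate_tail_drop(burst, 2 * gbps, buf)
        print(f"5 ms burst at 4G, {buf // 1_000_000} MB buffer: dropped {b.dropped_bytes} bytes")
    flow = ("10.1.1.10", "10.2.2.20", 51234, 443)
    print("same flow always lands on member", lag_member(*flow, members=4))
```

Sustained offered load above 2 Gb/s loses roughly the excess (about half the bytes at 4 Gb/s in) once the buffer fills, whereas a short burst is absorbed only if it fits in the buffer. Both outcomes depend on the buffer figure, so look up the real per-port budget of the intermediate switch before sizing the PAN side of the LAG, and remember that a single session is still limited to one 1G member.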