RLShawn
just joined
Topic Author
Posts: 1
Joined: Mon Oct 24, 2022 8:21 pm

CRS518-16XS-2XQ For HA setup

Mon Oct 24, 2022 9:02 pm

I'm looking to bounce this idea off some folks. I am moving from a single Palo Alto PA-5220 to an active/active HA pair and need a solution to light and share circuits with both firewalls. The PA-5220 has 20 interfaces in use with 10gbps bidi SFP+ modules which light individual circuits for a WAN. This allows us to enforce traffic inspection for all traffic as it moves between VLANs and buildings. I need to split these 20 interfaces so that both PA-5220 devices can see the traffic in an active/active firewall cluster. While splitting this traffic out we still want the VLANs to terminate and route on the PA-5220s, not on a switch. This is so we can maintain visibility and IPS inspection of the traffic. Think of my requirement as needing 20 3-port switches, 1 for each location on the WAN. The switch should not care what traffic or VLANs come across it; it just needs to keep the traffic inside its group of 3 interfaces.

Since we will need 20 ports to each PA-5220 and 20 ports out to the WAN fiber, my plan was to use 4 CRS518-16XS-2XQ switches in order to have 60 interfaces.

Here is a mock-up of what I think needs to happen. This is only for 2 out of the 20 locations but hopefully illustrates where I am in the process. Set up 5 bridges per switch, 3 interfaces in each bridge with port isolation configured. I would replicate this over the 4 switches, which should get me to 60 interfaces and 20 bridge groups.
/interface bridge
add comment="To Building #1 and Int 5 on Palos" name=bridge-building1
/interface bridge port
add comment="To Building #1" bridge=bridge-building1 interface=ether1
add comment="To PA-5220_1 int 5" bridge=bridge-building1 interface=ether2
add comment="To PA-5220_2 int 5" bridge=bridge-building1 interface=ether3
/interface bridge filter

/interface bridge
add comment="To Building #2 and Int 6 on Palos" name=bridge-building2
/interface bridge port
add comment="To Building #2" bridge=bridge-building2 interface=ether4
add comment="To PA-5220_1 int 6" bridge=bridge-building2 interface=ether5
add comment="To PA-5220_2 int 6" bridge=bridge-building2 interface=ether6
/interface bridge filter

/interface ethernet switch port-isolation
set ether1 forwarding-override=ether2,ether3
set ether2 forwarding-override=ether1,ether3
set ether3 forwarding-override=ether1,ether2

set ether4 forwarding-override=ether5,ether6
set ether5 forwarding-override=ether4,ether6
set ether6 forwarding-override=ether4,ether5
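The mock-up above covers 2 of the 20 locations; as an added example (not the poster's configuration), the script below generalises it: it packs the 3-port groups onto the 4 switches, emits the RouterOS bridge and port-isolation commands for one switch, and checks that no port lands in two groups. Port names (etherN), 5 groups per switch, and PA interface numbering starting at 5 are assumptions taken from the mock-up.

```python
# Added example: plan isolated 3-port bridge groups for the design above and
# emit RouterOS commands per switch. etherN names, 5 groups per switch and the
# PA interface numbering are assumptions, not facts about the CRS518.

PORTS_PER_GROUP = 3       # building uplink, PA-5220_1, PA-5220_2
GROUPS_PER_SWITCH = 5     # 15 ports used per switch (assumption)


def plan_groups(n_locations, first_pa_int=5):
    """One dict per location: switch, port triple and PA interface number."""
    groups = []
    for i in range(n_locations):
        switch, slot = divmod(i, GROUPS_PER_SWITCH)
        base = slot * PORTS_PER_GROUP + 1
        ports = tuple(f"ether{base + k}" for k in range(PORTS_PER_GROUP))
        groups.append({"location": i + 1, "switch": switch + 1,
                       "pa_int": first_pa_int + i, "ports": ports})
    return groups


def render_switch(groups, switch):
    """RouterOS export-style commands for every group landing on `switch`."""
    lines = []
    for g in (g for g in groups if g["switch"] == switch):
        loc, pa = g["location"], g["pa_int"]
        b = f"bridge-building{loc}"
        bld, pa1, pa2 = g["ports"]
        lines += [
            "/interface bridge",
            f'add comment="To Building #{loc} and Int {pa} on Palos" name={b}',
            "/interface bridge port",
            f'add comment="To Building #{loc}" bridge={b} interface={bld}',
            f'add comment="To PA-5220_1 int {pa}" bridge={b} interface={pa1}',
            f'add comment="To PA-5220_2 int {pa}" bridge={b} interface={pa2}',
            "/interface ethernet switch port-isolation",
        ]
        # Each port may forward only to the other two members of its own group.
        for p in g["ports"]:
            peers = ",".join(q for q in g["ports"] if q != p)
            lines.append(f"set {p} forwarding-override={peers}")
    return "\n".join(lines)


def isolation_ok(groups):
    """True when every (switch, port) pair belongs to exactly one group."""
    seen = set()
    for g in groups:
        for p in g["ports"]:
            if (g["switch"], p) in seen:
                return False
            seen.add((g["switch"], p))
    return True
```

Running `print(render_switch(plan_groups(20), 1))` prints the commands for switch 1 (locations 1 to 5); `isolation_ok` is the sanity check to run before pasting the output into a terminal.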
