I'll cut straight to it. We have a firewall in our environment that I call the "Spiderwall." I call it this because it has 8 physical interfaces on the box that each represent different subnets (internal, external, dmz, vpn, etc.)
I was told at one point, each of those physical connections went to different dedicated switches. But over time, those switches were retired and replaced with a single switch stack that (properly, imo) separates the different subnets via VLAN. So in other words, it all collapsed down and went VLAN (the way it should, again, imo.)
So the Spiderwall sits above this stack in the rack, and connects to the stack 8 different times on 8 different cables, each of those cables going to a different VLAN.
Physically, it looks a little absurd to look at.
I have been arguing that we need to replace those 8 cables with a pair of connections between the firewall and the stack, LAG them up, and configure it as a trunk. The Firewall then configures the LAG interface with sub interfaces, one for each subnet.
At that point the spider is no more, and the firewall basically would be a Router on a Stick (ROAS.) This will clean everything up imo. No more 8 separate legs all connecting to the same switch.
The firewall guy absolutely refuses to do this. He says that "Hairpinning" traffic like that will reduce the performance of the firewall by 50% for every vlan we add to the trunk. I reminded him that our monitoring tool shows we never have high utilization on any of the connections, but he kept insisting that "you are doubling the traffic on the line every time it has to go in and come back out the same physical port." He also said the "best practice" is to always use a different physical port.
What he is saying can't really be true right?
No comments:
Post a Comment