How to segregate the internet between two firewalls with only one core switch

  • 1.  How to segregate the internet between two firewalls with only one core switch

    Posted Oct 06, 2021 07:59 AM
    Greetings All, 

    I need your urgent support.

    As you can see in the attached file, we need to segregate the internet between two firewalls, with interconnection through only one core switch.

    On the core switch, we have created the VLANs for interconnection with the access switches in the buildings.
    We need to assign one internet line to one group of buildings, and the other line to another group of buildings, without any changes to the VLANs.

    The question is: how can we segregate the internet without any changes to the VLANs, since they are connected to the same servers and controller?

    Please share your advice

    Thank you in advance.



  • 2.  RE: How to segregate the internet between two firewalls with only one core switch
    Best Answer

    Posted Oct 06, 2021 10:57 AM
    Hello Elsayed, probably the only solution is to use PBR (Policy Based Routing). Since you can't change the VLANs, the only way to route packets egressing from the very same VLAN differently (although coming from different access switches) is to use PBR. See here for just a first example; probably you will need something more complex to fit your real needs.

    The other way would be to use VRF (Virtual Routing and Forwarding), but your Core Switch (HP ProCurve 5400zl I guess) doesn't support VRF.

    Davide Poletto

  • 3.  RE: How to segregate the internet between two firewalls with only one core switch

    Posted Oct 07, 2021 03:25 AM
    Greetings Davide, thank you a lot for your answer.

    Please could you add one more example from your side?

    Will the configuration be applied on the core switch or on the access switches in the field?

    I need more clarification on the below configuration:

    Rack2sw1(config)# class ipv4 TCP
    Rack2sw1(config-class)# match tcp eq 80
    Rack2sw1(config-class)# match tcp eq 22
    Rack2sw1(config-class)# match tcp eq 23

    Is it the access switches' IP address? Is it the gateway?

    Thank you for your support.


  • 4.  RE: How to segregate the internet between two firewalls with only one core switch

    Posted Oct 07, 2021 04:14 AM
    Hello Elsayed, the PBR configuration must be deployed on the IP Routing device used by your clients as their Gateway (in your case this IP Routing device is your Core Switch HP ProCurve 5400zl, which is the router for all of your clients connected through your access switches, isn't it?).

    In simple words, PBR lets you control who (source) goes where (destination) through which particular gateway (your upstream router(s) or firewall(s)) to do what (protocol), and the way PBR controls who, where, through and what (also considering VLANs) is defined by creating traffic matching classes and by defining (and applying) traffic routing policies that use those traffic matching classes.

    In the textual example from HPE I linked above, there is a source, a private client IP address I suppose (say a PC, as an example). In the example I believe this PC could be connected via access switches or directly to a core switch; it doesn't matter, since generally access switches are connected to their core switch via Layer 2 links, so they don't have a role in routing (which is done on the core): they just forward packets on the relevant VLAN, and the core performs the routing between VLANs, and between them and the Next-Hop Gateway(s) when necessary (via classic static routing and/or via PBR).

    In the same example the public IP address is a destination. (Not sure if an FQDN can be used to specify a destination... so, IMHO, your PBR approach can only follow this route: filter who is the source to apply a particular route to the Internet, since the destination - in your case, the entire Internet behind your ISP routers/firewalls - can't simply be mapped to public IP addresses, and you will need to fall back to using 0/0 = Any via a Next-Hop Gateway; correct me if I'm wrong.)

    In other words... let me suppose your PC-1 client (with IP-1 address) belonging to VLAN x should reach the Internet (0/0 = any destination) using an available Gateway (Next-Hop), let me say via Fortigate-1, while PC-2 client (with IP-2 address) belonging to the same VLAN x should reach the Internet (0/0 = any destination) using another available Gateway (Next-Hop) instead, let me say via Fortigate-2. Then you should filter by source (IP-1 versus IP-2) and apply one routing policy for IP-1 and another routing policy for IP-2; each routing policy shall use a particular Fortigate firewall (Fortigate-1 versus Fortigate-2) as its preferred Next-Hop Gateway to let packets go to their destinations.

    Hope I'm not wrong with this approach.

    This example (although it's in Chinese, its meaning is easily understandable) shows you what I meant, and it should also clarify how to proceed/test/adapt for your scenario.

    Davide Poletto
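
    A worked configuration for the source-based PBR approach described in the post above, added here as an illustration; it is not part of the thread, nor an excerpt from HPE documentation. It assumes the ProCurve 5400zl classifier/PBR command model (class ipv4 / policy pbr / service-policy) as I recall it; the exact options vary by KB software release, so check every line against the Advanced Traffic Management Guide for your firmware before applying it. All names and addresses are invented: a shared user VLAN 10 with subnet 10.10.10.0/24, a transit VLAN 254 where the core is 192.168.254.3 and Fortigate-1 / Fortigate-2 are 192.168.254.1 / 192.168.254.2, and an internal address space of 10.0.0.0/8 (servers, controller, other VLANs) that must keep normal routing. The key assumption is that the two building groups can be told apart by source address, here by having the DHCP server lease 10.10.10.0/25 to group A and 10.10.10.128/25 to group B: the core only sees the VLAN a packet arrived on, not which access switch forwarded it, so without per-group address ranges there is nothing for a class to match on. Lines starting with ";" are annotations.

```text
; Classes: the ignore entry first excludes destinations that must stay on
; normal routing (servers, controller, other VLANs); the match entry then
; selects one building group by source range. Entries are evaluated in
; sequence order, first hit wins.
class ipv4 "GROUP-A-TO-INTERNET"
   10 ignore ip any 10.0.0.0/8
   20 match ip 10.10.10.0/25 any
   exit
class ipv4 "GROUP-B-TO-INTERNET"
   10 ignore ip any 10.0.0.0/8
   20 match ip 10.10.10.128/25 any
   exit

; Policy: each class is forced to its own firewall as next-hop.
; "ip next-hop" overrides the routing table for matching traffic;
; "ip default-next-hop" would only act when no route exists, which is
; useless here because a default route to one firewall already exists.
policy pbr "INTERNET-SPLIT"
   10 class ipv4 "GROUP-A-TO-INTERNET" action ip next-hop 192.168.254.1
   20 class ipv4 "GROUP-B-TO-INTERNET" action ip next-hop 192.168.254.2
   exit

; Transit VLAN towards both Fortigates (core = 192.168.254.3/29).
; Both next-hops must be on a directly connected subnet of the core.
vlan 254
   name "FW-TRANSIT"
   ip address 192.168.254.3 255.255.255.248
   exit

; Apply the policy inbound on the shared user VLAN. Only routed traffic
; entering the core from this VLAN is affected; repeat on every user
; VLAN that is shared by both building groups.
vlan 10
   service-policy "INTERNET-SPLIT" in
   exit

; Normal routing still needs a default route for anything the policy
; leaves alone (e.g. VLANs without a service-policy).
ip route 0.0.0.0 0.0.0.0 192.168.254.1
```

    On the firewall side, each Fortigate needs a route back to 10.10.10.0/24 (and the rest of 10.0.0.0/8) via 192.168.254.3 and its own NAT towards its ISP line; because a given host always leaves through the same firewall, stateful inspection is not broken by asymmetric return paths. Two things to test in a maintenance window rather than assume: that traffic from 10.10.10.0/25 to an internal server is still routed normally (the ignore entry is what protects the "same servers and controller" requirement), and what happens when one Fortigate is down, since whether matching traffic falls back to normal routing or is black-holed depends on the release and on whether the action lists a secondary next-hop.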

  • 5.  RE: How to segregate the internet between two firewalls with only one core switch

    Posted Oct 07, 2021 11:52 AM
    Hi Elsayed,

    • Why do you need to "split" the internet feed for clients that share the same vlan?
    • Are the firewalls configured in a HA cluster?
    If it's an HA cluster, I could connect both internet connections to both firewalls and use SD-WAN to load-balance the internet feeds, or use policy based routing. Example of an HA configuration below (with one or more internet feeds); maybe it helps you.


    Marcel Koedijk | MVP Guru 2021 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own