Design thought. Looking to attach 3 buildings (separate switches) to an SG135W.

Wanting subnet isolation of the buildings due to operation in each.

1 = is HA viable for one of those paths?

2 = is it viable for DHCP to be assigned separately to all three?

cs

  • Chasster123,


    can you add more information about what you are trying to achieve?

    Thanks.

  • There is a single location for this thought. There are 3 buildings at the location. Functionality of each building is separate - same company.

    From a security point of view, and for best performance, I'm exploring putting the switches (one for each building) on separate ports of the SG135W.

    1 = LAN, 2 = eth4 for building 2, 3 = HA for building 3.

    With each on separate subnets this limits access to the Domain Server as the only common function at the location.

    Charles Sterling CISSP

  • If I understand the question, you have to create 3 zones: LAN, Building_2 and HA (as a DMZ zone).

    For each zone, assign an Ethernet card. Otherwise you can separate LAN traffic using VLANs and use a dedicated port for HA.

  • Made it to the point that you echoed.

    Have separate DHCP assigned to each and a device on each is illustrating unique IP addresses per the DHCP definition.

    You seem to confirm that this is a valid method to establish an isolated environment.

    In each case data is not flowing, yet State / Link are UP.

    Have used an ANY-style rule to make a minimum firewall rule and have alternately replaced ANY with these, and still no data flow.

    (dns, http, https, web browsing)

    Seems like in past discussions using ANY is not always the best solution but I'd think that using it for an initial config should be OK.

    Charles Sterling CISSP

  • I have a configuration where multiple VLANs and multiple Zones are in place and everything is working with no issue. You have to create Policy rules to allow traffic from one zone to another.

    For DHCP you can have dhcp for each zone. In my case, XG is releasing IPs for every VLAN (zone in this case). At the moment you cannot have DHCP server and DHCP relay at the same time. They will remove this limitation soon.
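The zone design the reply above describes, worked through as an added example (Python, not Sophos XG/SG configuration and not code from anyone in this thread): three building zones on separate ports, one DHCP scope per zone, and a first-match rule table with implicit deny. The zone names follow the thread (LAN, Building_2, HA); the subnets, the Domain Server address, the service names and the rule semantics are assumptions. It checks three rule sets against the stated intent (each building reaches WAN and the Domain Server, nothing else crosses zones): the per-zone ANY-to-WAN rules mentioned later in the thread, the intended set, and an over-broad ANY-to-ANY rule.

```python
"""Model of the three-building zone isolation design: constructed example, not
firewall configuration. Zone names follow the thread; subnets, Domain Server
address, service names and rule semantics are assumptions."""

import ipaddress
from dataclasses import dataclass

ANY = "ANY"

# Assumed addressing: one subnet per building, each on its own zone/port,
# each with its own DHCP scope derived from the subnet.
ZONES = {
    "LAN":        ipaddress.ip_network("192.168.10.0/24"),  # building 1, holds the Domain Server
    "Building_2": ipaddress.ip_network("192.168.20.0/24"),  # eth4
    "HA":         ipaddress.ip_network("192.168.30.0/24"),  # building 3, DMZ-style zone
}
DOMAIN_SERVER = ipaddress.ip_address("192.168.10.5")      # assumed address
WAN_SAMPLE = ipaddress.ip_address("203.0.113.10")          # documentation-range address

# Services the buildings legitimately need from the Domain Server (assumed AD set).
AD_SERVICES = frozenset({"dns", "kerberos", "ldap", "smb"})


@dataclass(frozen=True)
class Rule:
    src_zone: str                        # zone name or ANY
    dst_zone: str                        # zone name, "WAN", or ANY
    services: frozenset                  # service names, or frozenset({ANY})
    action: str                          # "allow" or "deny"
    dst_hosts: frozenset = frozenset()   # empty = any host in dst_zone


def zone_of(addr):
    """Map an address to its zone; anything outside the local subnets is WAN."""
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"


def dhcp_scope(zone, pool_start=100, pool_size=100):
    """Per-zone DHCP scope: gateway is the first usable host, pool starts at .pool_start."""
    hosts = list(ZONES[zone].hosts())
    pool = hosts[pool_start - 1: pool_start - 1 + pool_size]
    return hosts[0], pool[0], pool[-1]


def dhcp_scopes_disjoint():
    """True when no two zone subnets (and therefore no two DHCP scopes) overlap."""
    nets = list(ZONES.values())
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def evaluate(rules, src, dst, service):
    """First-match rule evaluation on zones, service and optional host; implicit deny."""
    sz, dz = zone_of(src), zone_of(dst)
    for r in rules:
        if r.src_zone not in (ANY, sz):
            continue
        if r.dst_zone not in (ANY, dz):
            continue
        if ANY not in r.services and service not in r.services:
            continue
        if r.dst_hosts and dst not in r.dst_hosts:
            continue
        return r.action
    return "deny"


# Rule set 1: only the per-zone "ANY -> WAN" allows.
WAN_ONLY = [Rule(z, "WAN", frozenset({ANY}), "allow") for z in ZONES]

# Rule set 2: WAN access plus Domain Server access limited to AD services,
# with every other zone-to-zone flow left to the implicit deny.
INTENDED = WAN_ONLY + [
    Rule(z, "LAN", AD_SERVICES, "allow", dst_hosts=frozenset({DOMAIN_SERVER}))
    for z in ZONES if z != "LAN"
]

# Rule set 3: a single ANY -> ANY allow, which silently removes the isolation.
OVERBROAD = [Rule(ANY, ANY, frozenset({ANY}), "allow")]


def isolation_report(rules):
    """Check the properties the design wants; returns {property: bool}."""
    b2 = ipaddress.ip_address("192.168.20.50")    # constructed hosts
    b3 = ipaddress.ip_address("192.168.30.50")
    lan_client = ipaddress.ip_address("192.168.10.50")
    return {
        "buildings_reach_wan": all(
            evaluate(rules, h, WAN_SAMPLE, "https") == "allow" for h in (b2, b3, lan_client)),
        "buildings_reach_domain_server": all(
            evaluate(rules, h, DOMAIN_SERVER, "kerberos") == "allow" for h in (b2, b3)),
        "no_building_to_building": (
            evaluate(rules, b2, b3, "smb") == "deny" and evaluate(rules, b3, b2, "smb") == "deny"),
        "domain_server_only_host_in_lan": evaluate(rules, b2, lan_client, "smb") == "deny",
        "only_ad_services_to_domain_server": evaluate(rules, b2, DOMAIN_SERVER, "rdp") == "deny",
    }


if __name__ == "__main__":
    for name, policy in (("wan-only", WAN_ONLY), ("intended", INTENDED), ("any-any", OVERBROAD)):
        print(name, isolation_report(policy))
    for z in ZONES:
        print(z, "gateway / pool start / pool end:", dhcp_scope(z))
```

With only the per-zone ANY-to-WAN rules, the report shows internet access but no path to the Domain Server, which is the implicit-deny behaviour a zone-based firewall gives you until a zone-to-zone policy rule exists; the intended set passes every check, and the ANY-to-ANY set passes the reachability checks while failing all three isolation checks.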

  • Additional feedback.

    Each DHCP is separate and working per each port.

    Firewall rules connect each network - ANY - WAN.

    Same applies for Masq (4 rules to include Internal and Wireless).

    Web filtering includes each as Allowed network.

    The wireless (internal) is working as it is set pretty much the same as I have the other ports.

    In this config eth 2 & 4 do not flow traffic.

    Have power cycled all items.

    Charles Sterling CISSP

  • Chasster123,

    can you share your Policy rules configuration? Also Zones and Interfaces config.

    Thanks.