This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Looking for some advice on routing

Hello all -

I am looking for some advice on how to set up some things on our new network.

We have a new UTM220 running the updated software (which shouldn't really matter, this is more of a network architecture issue).

We have several VLANs running on our core switch (HP Procurve 5412zl). Some of these VLANs need access to the outside world, or host services the outside world will need to access. There is also a lot of traffic flowing between subnets - so to avoid loading the UTM and decrease the point of failures, the 5412zl is handling routing between most of the VLANs. The only exception is the public access VLAN, which is configured to have the UTM as the default gateway in order to help secure access to other VLANs (although I am setting up ACLs on the switch just in case someone is determined).

My question is this - I basically see 2 ways of configuring the network. Add the UTM to each of the VLANs using tagging, or add the network definition of the VLAN subnet to the UTM and create a static route to hand-off traffic to the switch to route it to the final destination. Can anyone tell me any pros/cons of each approach? Is there a "right way" or a "wrong way" here, or just a matter of preference?

Thanks!

Adam

This thread was automatically locked due to age.

Parents

0 ajrosen over 11 years ago

Barry -

I'd rather avoid the UTM being a source of failure. We are a 24x7 emergency services business, so there is really very little tolerance for downtime. If I use the UTM for basic routing then any updates and reboots of the UTM would bring down needed functionality for a time.

The question was more geared towards how the UTM would know about the other subnets - should it be ON the subnet (VLAN), or just route TO the subnet (via the core switch).

However, since I am making the core switch the default gateway for endpoints, and the UTM the default gateway for the switch, I decided not to cross pathways by having the UTM on the individual VLANs. This would result in asymetric routing, which may not be a big issue, but could lead to problems diagnosing routing issues down the road. To illustrate, with the UTM on each VLAN but not the default gateway, an outbound path from a device on the network to the internet would be:
Device --> Switch --> UTM --> Internet
but the return path would be
Internet --> UTM --> Device.

I think I prefer both incoming and outgoing paths to be reverse of each other, so I am going to stick with routing to the subnet via the switch.

Thanks

Adam
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 ajrosen over 11 years ago

Barry -

I'd rather avoid the UTM being a source of failure. We are a 24x7 emergency services business, so there is really very little tolerance for downtime. If I use the UTM for basic routing then any updates and reboots of the UTM would bring down needed functionality for a time.

The question was more geared towards how the UTM would know about the other subnets - should it be ON the subnet (VLAN), or just route TO the subnet (via the core switch).

However, since I am making the core switch the default gateway for endpoints, and the UTM the default gateway for the switch, I decided not to cross pathways by having the UTM on the individual VLANs. This would result in asymetric routing, which may not be a big issue, but could lead to problems diagnosing routing issues down the road. To illustrate, with the UTM on each VLAN but not the default gateway, an outbound path from a device on the network to the internet would be:
Device --> Switch --> UTM --> Internet
but the return path would be
Internet --> UTM --> Device.

I think I prefer both incoming and outgoing paths to be reverse of each other, so I am going to stick with routing to the subnet via the switch.

Thanks

Adam
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data