PROBLEM:

Customer wishes to implement a 6 switch / 2 firewall FWLB + DMZ scenario.

Requirements:

Web servers reside on the DMZ. They must be able to access the Corporate Network and the Internet.
Corporate Network traffic may access the DMZ, but must not be passed to the Internet.
Internet traffic may access the DMZ, but must not be allowed into the Corporate Network.
No SLB configuration other than what is needed for FWLB is necessary.
Network must be able to be moved to a 'Bucher Box' type FWLB in case of L2 switch failures.

IP address ranges to be used:

  Dirty Network: 200.0.0.0/24
  DMZ:           200.1.0.0/24
  Clean Network: 200.2.0.0/24

SOLUTION:

See attached Visio.

SLB must be enabled (redirect filters).
VRRP must be enabled (default gateway for external devices).
RIP1 must be disabled.
STP must be disabled.

Two VLANs on each switch: one with the 200.x.x.x address appropriate for that switch, and one with the private address range appropriate for that switch. Private address ranges were assigned to the firewalls and to the Alteon switch interfaces facing those firewalls.

Static routes were set up as follows: all routes to other Alteon interfaces, through the firewalls, are created with a 255.255.255.255 mask. When creating these routes, these rules were used:

  If the destination IP ends in an ODD bit, route through Firewall A.
  If the destination IP ends in an EVEN bit, route through Firewall B.

Redirect filters were set up on each switch as follows:

Alteon A:
  Redirect all traffic to Alteon C interface through Firewall A
  Redirect all traffic to Alteon D interface through Firewall B

Alteon B:
  Redirect all traffic to Alteon C interface through Firewall A
  Redirect all traffic to Alteon D interface through Firewall B

Alteon C:
  Redirect Internet traffic to Alteon A interface through Firewall A
  Redirect Internet traffic to Alteon B interface through Firewall B
  Redirect Corporate traffic to Alteon E interface through Firewall A
  Redirect Corporate traffic to Alteon F interface through Firewall B

Alteon D:
  Redirect Internet traffic to Alteon A interface through Firewall A
  Redirect Internet traffic to Alteon B interface through Firewall B
  Redirect Corporate traffic to Alteon E interface through Firewall A
  Redirect Corporate traffic to Alteon F interface through Firewall B

Alteon E:
  Redirect all traffic to Alteon C interface through Firewall A
  Redirect all traffic to Alteon D interface through Firewall B

Alteon F:
  Redirect all traffic to Alteon C interface through Firewall A
  Redirect all traffic to Alteon D interface through Firewall B

Redirect filters must be applied on all ports connected to 200.x.x.x addresses.
Proto VRRP allow filters must be on all ports connected to 200.x.x.x addresses.
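
The redirect table and the odd/even route rule above can be checked against the stated requirements before they are entered on the switches. The Python below is an added example, not part of the original solution or of any Alteon tooling: it encodes the filters exactly as listed, derives the /32 host routes from the odd/even rule, and reports any redirect that would join the Dirty and Clean networks, any target reached through two different firewalls, or any switch using only one firewall. The names ZONE, FILTERS, firewall_for, host_routes and audit are hypothetical, and the 10.x addresses are constructed samples because the private ranges are not given here.

```python
import ipaddress

# Zone of each Alteon switch, from the page: A/B face the Internet (Dirty),
# C/D the DMZ, E/F the Corporate (Clean) network.
ZONE = {"A": "dirty", "B": "dirty", "C": "dmz", "D": "dmz", "E": "clean", "F": "clean"}

# Redirect filters as listed on the page: (switch, traffic class, target switch, firewall).
FILTERS = [
    (sw, "all", tgt, fw) for sw in "ABEF" for tgt, fw in (("C", "A"), ("D", "B"))
] + [
    (sw, cls, tgt, fw) for sw in "CD"
    for cls, tgt, fw in (("internet", "A", "A"), ("internet", "B", "B"),
                         ("corporate", "E", "A"), ("corporate", "F", "B"))
]

def firewall_for(dest_ip):
    """Static-route rule from the page: odd last bit -> Firewall A, even -> Firewall B."""
    return "A" if int(ipaddress.IPv4Address(dest_ip)) & 1 else "B"

def host_routes(iface_ips):
    """Return (destination, mask, firewall) host routes for remote Alteon interfaces."""
    return [(ip, "255.255.255.255", firewall_for(ip)) for ip in iface_ips]

def audit(filters):
    """Return a list of findings; an empty list means the table meets the requirements."""
    findings, fw_of_target, fws_used = [], {}, {}
    for sw, cls, tgt, fw in filters:
        # Requirement: Internet and Corporate traffic must never be passed to each other.
        if {ZONE[sw], ZONE[tgt]} == {"dirty", "clean"}:
            findings.append(f"{sw}->{tgt}: redirect crosses Dirty/Clean boundary")
        # The page gives one /32 route per remote interface, so every filter
        # pointing at that interface must name the same firewall.
        if fw_of_target.setdefault(tgt, fw) != fw:
            findings.append(f"{sw}->{tgt}: firewall {fw} conflicts with {fw_of_target[tgt]}")
        fws_used.setdefault((sw, cls), set()).add(fw)
    for (sw, cls), fws in sorted(fws_used.items()):
        if fws != {"A", "B"}:  # both firewalls should carry each traffic class
            findings.append(f"{sw}/{cls}: only firewall(s) {sorted(fws)} in use")
    return findings

if __name__ == "__main__":
    # Constructed sample addresses for the remote Alteon interfaces.
    for route in host_routes(["10.1.1.1", "10.1.1.2"]):
        print(route)
    print(audit(FILTERS) or "no findings")
```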