09/11/2025

Dual ISP Integration with Radware DefensePro, Cisco Catalyst 9500, and Check Point Maestro

Request for Assistance: Dual ISP Integration with Radware DefensePro, Cisco Catalyst 9500, and Check Point Maestro

We request guidance in designing and documenting the configuration required to support two upstream Internet providers through a Radware DefensePro device, while maintaining protected ingress/egress to VLAN 50 on a Cisco Catalyst 9500 switch, and enabling ISP Redundancy at the Check Point Maestro gateway.


Current Topology

  • Until now, connectivity was handled through a single UTP channel.

  • We now need to validate and use fiber modules on DefensePro, adding support for two upstream ISPs.

  • Current state:

    • ISP #1 terminates at DefensePro Port 1 (Untrusted).

    • DefensePro Port 2 (Trusted) connects to the Cisco 9500, VLAN 50.

    • DefensePro Management IP: 10.1.1.201.

  • Check Point Maestro is deployed and requires ISP Redundancy configuration.


New Objective

  • Integrate ISP #1 and ISP #2 through DefensePro using fiber ports (targeting Ports 3, 4, 5, and 7).

  • Ensure traffic is protected and passed to VLAN 50 on the Cisco 9500.

  • Allow Check Point Maestro to manage redundancy (active/active or active/standby).


Clarifications Requested

  1. How many DefensePro port pairs (untrusted/trusted) are required for a dual-ISP design?

  2. Should each ISP have a dedicated port pair (e.g., Port 3 ↔ Port 4 for ISP1, Port 5 ↔ Port 7 for ISP2)?

  3. Or can a single port pair support multiple ISPs using VLAN tagging?

  4. On the Cisco 9500, should we use:

    • One uplink (dot1q / logical subinterfaces for both ISPs), or

    • Separate physical uplinks per DefensePro trusted port?

  5. Best practice recommendations for Check Point Maestro ISP Redundancy when passing through DefensePro.


Expected Deliverables from Radware Support

  • Step-by-step configuration guide for DefensePro port pairs with fiber modules, including the commands, or the path in the device's web interface, to check this module.

  • Best practices for VLAN design on Cisco 9500 in a dual-ISP scenario.

  • Clarification on connecting multiple trusted ports into a single VLAN vs. isolating them.

  • Validation of proposed diagrams (attached).

  • Recommendation: BGP failover vs. static routes in this architecture.

  • Confirmation that DefensePro inspection/mitigation occurs before VLAN handoff to Cisco and Check Point.


Attachments

  • Current diagram: ISP1 path → DefensePro Port1 → Port2 → VLAN 50.

  • Proposed diagram: ISP1 via Ports 3–4, ISP2 via Ports 5–7 (fiber).