topic Re: Deploying FTD Data Center Firewall in Network Security

Deploying FTD Data Center Firewall

techno.it — Sun, 26 Apr 2020 21:01:24 GMT

Hello,

We are working on a solution over deployment of Cisco FTD, F5 Load balancers and Nexus 9K Switches ( DC Core) with following interest:

- To control and inspect the traffic from between users and servers.
- To isolate the public facing web servers sourcing from internet. Example DMZ

- The purpose of adding FTD is to integrate with AMP Cloud. We will be deploying AMP for endpoint and servers

Current deployment

PAN-FW1 PAN-FW2

| |

Servers ---- TOR Switches --- 6807 ( Core Network) --- Access Layer ( users)

At the moment we have two internet boundry firewall handling ingress/egress NAT, VPN connections

So I am looking for advise validated design and suggestions where to install the new firewalls pairs, F5 and DC Core in the path as mentioned above.

I would appreciate any feedback and suggestions

I put together a fairly current

Re: Deploying FTD Data Center Firewall

balaji.bandi — Sun, 26 Apr 2020 21:11:07 GMT

You can connect Nexus switches to your Core Switch

Core -- Nexus---FW --LB--Servers high level.

Re: Deploying FTD Data Center Firewall

techno.it — Sun, 26 Apr 2020 21:20:48 GMT

Thanks Balaji. I have couple of concerns here.

- In such deployment, Core would have default routes pointing to Nexus then FW will control the access to servers.

What about the internet traffic from users and servers ?

- Is this design for DMZ servers only ? or Internal Servers as well ?

Core -- Nexus---FW --LB--Servers

- Traffic originating from internet to Web servers will hit Internet Boundtry firewall and how it would traverse to DMZ servers

- I just need to know required traffic flow (direction, south-north or east-west), pattern.

Re: Deploying FTD Data Center Firewall

balaji.bandi — Mon, 27 Apr 2020 22:16:25 GMT

For internal users to DC Server that design works.

If you looking External Access to Internal you need to create a DMZ here. with diferent Context in FW.

So inernal users use 1 Context, External access used in Different Context.

Most of the time its hosting kind setup, Traffic North to south (this is your DMZ Setup)

East-West Traffic should have common transit point with Dynamic routes shoudl consider, so the traffic will not go to north and come back again, waste of bandwidth.

Look at some CVD guides of DC Design should help, again this all depends on how you build and expertise to fix things, Dynamic routing vs Static routing. Every design has pros and cons.

Re: Deploying FTD Data Center Firewall

techno.it — Tue, 28 Apr 2020 22:24:15 GMT

Thanks

If you can provide the useful links, that would be very grateful.

Re: Deploying FTD Data Center Firewall

balaji.bandi — Wed, 29 Apr 2020 16:45:05 GMT

here is some design guides for reference :

https://www.cisco.com/c/en/us/solutions/enterprise/data-center-designs-data-center-networking/index.html

If you are not sure, i would suggest to contact local SE or cisco partner help you, so your investment will be protect with small profession costing.,

Re: Deploying FTD Data Center Firewall

techno.it — Wed, 29 Apr 2020 18:41:46 GMT

Thank you Balaji. Great help from best professionals