https://community.cisco.com/t5/network-security/fpr-3105-migrating-2-subnets-in-same-zone/m-p/5233310#M1118010 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DIA.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/235299iE4BAFE133477B170/image-size/large?v=v2&amp;px=999" role="button" title="DIA.png" alt="DIA.png" /></span></P> Fri, 06 Dec 2024 09:04:41 GMT ManadarDesai2895 2024-12-06T09:04:41Z https://community.cisco.com/t5/network-security/fpr-3105-migrating-2-subnets-in-same-zone/m-p/5233268#M1118008 <P>Dear Community,</P><P>We have 2 server subnets "vlan 130 -10.72.12.0/25" &amp;&nbsp; "vlan 140 -10.72.12.128/25" configured as SVIs on L3 switch. Both these vlans are working as a part of inter-vlan routing on L3 switch without any restrictions. Now as a part Segmentation project we need to configure L3 interfaces on FPR-3105(FTD image) interfaces to isolate the unwanted access from other vlans from Core Switch.</P><P>As we don't have exact communication required between servers configured on these 2 server vlans, can we create 2 different interface for the routing &amp; keep them assigned under same security zone as "SRV". Will this enable these subnets to talk with each other without dropping any traffic between them?</P><P>&nbsp;</P> Fri, 06 Dec 2024 07:35:39 GMT https://community.cisco.com/t5/network-security/fpr-3105-migrating-2-subnets-in-same-zone/m-p/5233268#M1118008 ManadarDesai2895 2024-12-06T07:35:39Z https://community.cisco.com/t5/network-security/fpr-3105-migrating-2-subnets-in-same-zone/m-p/5233279#M1118009 <P>Providing network diagrams of how the network is now and what you are trying to achieve will help us understand the situation better.</P> <P>That being said, You can add the VLAN 130 and 140 to sub-interfaces on the FTD3105 and both of these can be members of the same security zone.&nbsp; you would still need to allow the traffic between these two VLANs in access rules, this is not allowed by default even though they are in the same security zone.</P> <P>To identify what ports are required between the server zones and from client to server zone for that matter, you can implement a firewall analyzer software such as AlgoSec and send firewall connection syslogs to it.&nbsp; It will analyze the connections and provide information on how to start tightening up access rules that are too general.</P> Fri, 06 Dec 2024 08:06:47 GMT https://community.cisco.com/t5/network-security/fpr-3105-migrating-2-subnets-in-same-zone/m-p/5233279#M1118009 Marius Gunnerud 2024-12-06T08:06:47Z https://community.cisco.com/t5/network-security/fpr-3105-migrating-2-subnets-in-same-zone/m-p/5233310#M1118010 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DIA.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/235299iE4BAFE133477B170/image-size/large?v=v2&amp;px=999" role="button" title="DIA.png" alt="DIA.png" /></span></P> Fri, 06 Dec 2024 09:04:41 GMT https://community.cisco.com/t5/network-security/fpr-3105-migrating-2-subnets-in-same-zone/m-p/5233310#M1118010 ManadarDesai2895 2024-12-06T09:04:41Z https://community.cisco.com/t5/network-security/fpr-3105-migrating-2-subnets-in-same-zone/m-p/5233312#M1118011 <P>FIND DIAGRAM</P> Fri, 06 Dec 2024 09:05:02 GMT https://community.cisco.com/t5/network-security/fpr-3105-migrating-2-subnets-in-same-zone/m-p/5233312#M1118011 ManadarDesai2895 2024-12-06T09:05:02Z https://community.cisco.com/t5/network-security/fpr-3105-migrating-2-subnets-in-same-zone/m-p/5233323#M1118012 <P>Then the solution I provided in my previous post is correct.&nbsp; The interfaces on the FTD can be in the same security zone but you still need to allow communication between the networks in access rules.</P> Fri, 06 Dec 2024 09:23:14 GMT https://community.cisco.com/t5/network-security/fpr-3105-migrating-2-subnets-in-same-zone/m-p/5233323#M1118012 Marius Gunnerud 2024-12-06T09:23:14Z