Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
603
Views
6
Helpful
1
Replies

Data Center FW - Design

Adnan Fakruddin
Level 1
Level 1

‎02-02-2014 10:38 AM - edited ‎03-11-2019 08:39 PM

Hello All,

I'm looking to design an internal/Data Center Firewall (ASA 5585X)for servers. All servers are connected to the NEXUS 5K environment and currently 5K uplinks going into the 6500 core. My requirement is basically to ensure all servers are accessed only after the traffic passes through the Data Center FW. Also another requirment is for end users who're needed to be isolated on departmental basis (i.e. any user from any department should only be able to connect with servers and no other user from external department).

My questions are as follows:

1. What would be a better option:

a. Placing the DC FW between the Core and 5K

b. Connecting the FW to the Core only, without disturbing the uplinks from 5K to the core & then switching or routing to ensure all traffic goes from core->FW->core->5K

2. In order to segregate users per department (all dept. access switches are terminating on the core):

a. Should this be done by keeping the SVI for those VLANs on the Core Switch; or

b. Is it OK to keep the SVI for those dept.s on the DC FW

The above options may not be the best, and I certainly welcome your thoughts on other alternatives.

Thank you.

Regards,

Adnan

Labels:
0 Helpful
1 Reply 1

Marius Gunnerud
VIP
VIP

‎02-02-2014 12:30 PM 

1. What would be a better option:
a. Placing the DC FW between the Core and 5K
b.  Connecting the FW to the Core only, without disturbing the uplinks from  5K to the core & then switching or routing to ensure all traffic  goes from core->FW->core->5K

Connecting the FW to the core is probably a better way to go.  This makes it easier to change the design at a later stage if you are required to do so.  Placing it inline between the 6500 and N5K can make things a little more complicated in the future.

2. In order to segregate users per department (all dept. access switches are terminating on the core):
a. Should this be done by keeping the SVI for those VLANs on the Core Switch; or
b. Is it OK to keep the SVI for those dept.s on the DC FW

You can do this either using VLANs only or use VRFs and associate the SVIs with a VRF.  Again this depends on your requirements and the size of your network.  But in any case you will need to deal with VRFs as the Nexus architecture is built around the use of VRFs.

The firewall would not have SVIs, they have subinterfaces which are associated with VLANs.  So it will be more correct to label the ASA as the default gateway or next hop for specific routes.  But it is ok to use the ASA as a default gateway, absolutely nothing wrong with doing so.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card