02-16-2017 06:07 AM - edited 03-12-2019 01:56 AM
Hi,
I'm not a network engineer myself, but I will try to communicate this as best I can. Please bear with me.
I have servers on a subnet that I need to segment for security reasons. Currently they are all in a single VLAN. I'd like to complete this segmentation without readdressing. I would like to have a firewall between these segments. Everything is patched into a 4500 switch running in layer 3 mode.
My idea;
I hope that makes sense?
Is what I am proposing possible?
Any advice or suggestions welcomed.
Many thanks
Mark.
02-16-2017 06:13 AM
Each server in its own VLAN (with a /30 mask as an example),
and, depending on the version of the ASA software, configure the access rights between them (through access lists or NAT).
02-16-2017 07:33 AM
Thanks for the reply, FrOg.
So essentially you are saying what I suggest will work? I don't want to segment individual servers, but groups of them.
MD
02-16-2017 01:24 PM
FTDs in ASA with Inline Sets. It acts like a bump on the wire, without having to change anything in your current addressing, only cabling.
Or you could do it with ASA OS and Firepower in transparent mode. It's not as "invisible" as the FTD with inline mode, but it could do the trick.
Or you can use other products, like the 8000 series or 7000 series, which can be used inline and can do more hardware-level things.
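As an added illustration of the transparent-mode approach suggested above (not configuration from any poster in this thread), here is what splitting one server subnet into two groups without readdressing can look like on the 4500 plus an ASA in transparent mode. All VLAN numbers, interface names and addresses (10.10.10.0/24, gateway 10.10.10.1, a "web" group and a "db" group) are constructed for the example; the ASA bridges the two VLANs at layer 2, so hosts keep their IPs and the switch SVI stays on one VLAN only.

```cisco
! --- Catalyst 4500 side: split existing server VLAN 10 into VLAN 10 (web) and VLAN 20 (db) ---
! Only VLAN 10 keeps the SVI/default gateway 10.10.10.1; VLAN 20 has no SVI, so the only
! path between the two groups (and from db to the gateway) is through the ASA bridge.
vlan 20
 name SERVERS-DB
interface GigabitEthernet1/5
 description DB server, moved from VLAN 10 (same IP, no readdressing)
 switchport mode access
 switchport access vlan 20
interface GigabitEthernet1/47
 description to ASA web-side interface
 switchport mode access
 switchport access vlan 10
interface GigabitEthernet1/48
 description to ASA db-side interface
 switchport mode access
 switchport access vlan 20

! --- ASA side: transparent mode, one bridge group joining the two VLANs ---
! Note: changing the firewall mode clears the running configuration; do this on a
! freshly staged unit, not a production box.
firewall transparent
interface GigabitEthernet0/0
 nameif web
 bridge-group 1
 security-level 100
 no shutdown
interface GigabitEthernet0/1
 nameif db
 bridge-group 1
 security-level 50
 no shutdown
! Management address for the bridge; must be an unused address inside the bridged subnet.
interface BVI1
 ip address 10.10.10.254 255.255.255.0
object-group network WEB_SERVERS
 network-object host 10.10.10.11
 network-object host 10.10.10.12
object-group network DB_SERVERS
 network-object host 10.10.10.21
! Web -> db: only the database port; everything else crossing the bridge is logged and dropped.
access-list WEB_TO_DB extended permit tcp object-group WEB_SERVERS object-group DB_SERVERS eq 1433
access-list WEB_TO_DB extended deny ip any any log
access-group WEB_TO_DB in interface web
! Db -> anywhere on the local subnet is denied (db must not initiate to web), but db may
! still reach off-subnet destinations via the gateway on the web side. Return traffic for
! connections the web servers opened is allowed by the ASA's connection state, not by this ACL.
access-list DB_OUT extended deny ip any 10.10.10.0 255.255.255.0 log
access-list DB_OUT extended permit ip object-group DB_SERVERS any
access-group DB_OUT in interface db
```

Only traffic that actually crosses the bridge is inspected, so two servers left in the same VLAN still talk to each other freely; each group that needs to be isolated from the others needs its own VLAN and ASA interface. In transparent mode the ASA passes ARP but drops other non-IP frames unless an EtherType access list permits them, which is worth checking if anything on the db side relies on non-IP protocols.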