07-11-2022 05:53 AM
Hi,
We have a requirement to provide a kind of shared service to one of the entities (having around 100-120 users) sitting in the same building.
Now, since we have to provide them all the infrastructure services (data, voice, wireless, etc.), I need to know whether there is any guideline on how to go about this requirement.
Our environment has around 250 users and the infrastructure consists of the following: all our workload is in Azure private cloud except a small AD/DC replicated server on-premise.
FTD 2110 as a perimeter firewall onto which 1 ADSL, 1 MPLS (400 Mbps) and 1 Azure link in HA are terminated.
FGT 201F as a DC firewall for the AD/DC on premise.
9800 WLCs in HA.
We have 2 approaches to address this requirement, either:
1) utilize the same ISP links above and just segregate this new entity with different subnets and control it via ACLs on the firewalls, and increase the existing BW from 400 Mbps to something higher to support it, since MS Teams consumes a lot of BW.
2) have separate ISP links and terminate them separately on the same FTD 2110 (if it supports virtual contexts) and utilize an altogether separate IP schema.
Need direction or suggestions on how we can achieve this requirement effectively.
07-11-2022 06:00 AM
1) utilize the same ISP links above and just segregate this new entity with different subnets and control it via ACLs on the firewalls, and increase the existing BW from 400 Mbps to something higher to support it, since MS Teams consumes a lot of BW.
- If they are all shared services and you are managing the devices, then you can do it this way to manage ACLs and also bandwidth. (I take this to include the end switches.)
2) have separate ISP links and terminate them separately on the same FTD 2110 (if it supports virtual contexts) and utilize an altogether separate IP schema.
- This is also possible with multi-instance; since this requires some design changes in terms of the network, you may need to allocate resources to the new instance.
Policy based routing works with different ISPs to route the traffic.
Example: subnet A - ISP A, subnet B - ISP B (if one of them fails you can fail over to the other ISP - requires some tweaking in the config).
Example:
https://integratingit.wordpress.com/2020/08/14/ftd-dual-isp-failover/
07-11-2022 06:03 AM
@shaikh.zaid22 unfortunately multi-instance is not supported on the 2100 hardware. Depending on what version of FTD (6.7 or newer) you are running you can use VRF to segment the traffic through the FTD.
07-11-2022 06:22 AM
Thank you Balaji and Rob for the responses.
@balaji, yes, it includes the access layer switches as well. I plan to assign them distinct VLANs which do not conflict with our entity and then create separate security zones to have separate routing and ACLs. However, I believe this creates a hassle in managing the ACLs and other configurations, since there will be a single instance/set of pages to configure the existing and the new entity.
2) As you said, we need to assign resources; do we need to assign them manually or will the FTDs do it automatically by themselves?
How about remote VPNs and IPsec, can we create any number of VPNs?
@rob, FTD and FMC are running version 7.0.1. Can you share some documentation with regards to VRF config?
Also please let me know if there is a better solution possible to achieve this.
Thanks
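As an added example (not part of the original thread or any Cisco tooling), the following Python script sanity-checks a proposed address plan against the points raised above: VLAN IDs on the shared access switches must not collide between the two entities, subnets must not overlap inside one FTD virtual router, and an overlap between two separate virtual routers is only tolerable while they stay isolated (no route leaking). The segment names, VLAN IDs, prefixes and virtual-router names are constructed sample values.

```python
"""Validate a two-tenant VLAN/subnet/VRF plan before onboarding a second entity.

Added example, not from the thread. Assumptions: VLAN IDs are global on the shared
access switches (so they must be unique across both entities); prefixes must not
overlap within one virtual router (VRF); overlap between two virtual routers is a
warning unless routes will be leaked between them, in which case it is an error.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from itertools import combinations


@dataclass(frozen=True)
class Segment:
    name: str
    vlan: int
    subnet: IPv4Network
    vrf: str  # virtual router the SVI / FTD sub-interface belongs to


def check_plan(segments, leaked_pairs=frozenset()):
    """Return a list of (severity, message) findings for a proposed plan.

    leaked_pairs: collection of frozenset({vrf_a, vrf_b}) naming virtual-router
    pairs that will exchange routes; prefix overlap across such a pair is an error.
    """
    findings = []

    # 1. VLAN IDs must be valid and unique on the shared switching infrastructure.
    owner = {}
    for seg in segments:
        if not 1 <= seg.vlan <= 4094:
            findings.append(("error", f"{seg.name}: VLAN {seg.vlan} is out of range"))
        elif seg.vlan in owner:
            findings.append(("error", f"{seg.name}: VLAN {seg.vlan} already used by {owner[seg.vlan]}"))
        else:
            owner[seg.vlan] = seg.name

    # 2. Pairwise prefix overlap, judged per virtual router.
    for a, b in combinations(segments, 2):
        if not a.subnet.overlaps(b.subnet):
            continue
        detail = f"{a.name} ({a.subnet}) overlaps {b.name} ({b.subnet})"
        if a.vrf == b.vrf:
            findings.append(("error", f"{detail} inside VRF {a.vrf}"))
        elif frozenset({a.vrf, b.vrf}) in leaked_pairs:
            findings.append(("error", f"{detail} across leaked VRFs {a.vrf}/{b.vrf}"))
        else:
            findings.append(("warning", f"{detail} across isolated VRFs {a.vrf}/{b.vrf}; "
                                        "NAT would be required if they ever need to talk"))
    return findings


def count_by_severity(findings):
    """Summarise findings as {'error': n, 'warning': m}."""
    summary = {"error": 0, "warning": 0}
    for severity, _ in findings:
        summary[severity] += 1
    return summary


def build_sample_plan():
    """Constructed sample: existing entity in the global router, tenant in its own VRF.
    The tenant voice segment deliberately reuses VLAN 20 and the corp voice prefix."""
    return [
        Segment("corp-users", 10, ip_network("10.10.10.0/24"), "global"),
        Segment("corp-voice", 20, ip_network("10.10.20.0/24"), "global"),
        Segment("tenant-users", 110, ip_network("10.20.10.0/24"), "tenant"),
        Segment("tenant-voice", 20, ip_network("10.10.20.0/24"), "tenant"),
    ]


if __name__ == "__main__":
    for severity, message in check_plan(build_sample_plan()):
        print(f"[{severity}] {message}")
```

Run against the sample plan the script reports one error (the duplicated VLAN 20) and one warning (the reused 10.10.20.0/24, which is fine only as long as the global and tenant virtual routers stay isolated); passing `leaked_pairs={frozenset({"global", "tenant"})}` turns that warning into a second error.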
07-11-2022 06:32 AM
2) As you said, we need to assign resources; do we need to assign them manually or will the FTDs do it automatically by themselves?
Apologies - @rob is correct, these models do not support multi-instance; they only support contexts if you are using ASA (but you are using FTD here).
I do not see any VPN issue on these models, as long as you have the AnyConnect licenses you need.
Good suggestion made to use VRF (the guide below will help you).