Beginner

Deploying FTD Data Center Firewall

Hello,

We are working on a solution for the deployment of Cisco FTD, F5 load balancers and Nexus 9K switches (DC core) with the following interests:

- To control and inspect the traffic between users and servers.
- To isolate the public-facing web servers accessed from the internet, for example a DMZ.
- The purpose of adding FTD is to integrate with AMP Cloud. We will be deploying AMP for endpoints and servers.

Current deployment:

                                                    PAN-FW1      PAN-FW2
                                                       |            |
                                                       |            |
Servers ---- TOR Switches --- 6807 (Core Network) --- Access Layer (users)

At the moment we have two internet boundary firewalls handling ingress/egress NAT and VPN connections.

So I am looking for advice on a validated design, and suggestions on where to install the new firewall pair, F5 and DC core in the path mentioned above.

I would appreciate any feedback and suggestions.

VIP Mentor

You can connect Nexus switches to your core switch:

Core -- Nexus --- FW -- LB -- Servers (high level).

BB
*** Rate All Helpful Responses ***
Thanks Balaji. I have a couple of concerns here.

- In such a deployment, the core would have default routes pointing to Nexus, and then the FW will control access to the servers.

What about the internet traffic from users and servers?

- Is this design for DMZ servers only, or internal servers as well?

Core -- Nexus --- FW -- LB -- Servers

- Traffic originating from the internet to the web servers will hit the internet boundary firewall; how would it traverse to the DMZ servers?

- I just need to know the required traffic flow (direction, south-north or east-west) pattern.
Accepted Solution

For internal users to DC servers, that design works.

If you are looking at external access to internal, you need to create a DMZ here, with a different context in the FW.

So internal users use one context, and external access uses a different context.

Most of the time it is a hosting-kind setup, traffic north to south (this is your DMZ setup).

East-west traffic should have a common transit point; dynamic routes should be considered, so the traffic will not go north and come back again, which wastes bandwidth.

Looking at some CVD guides on DC design should help; again, this all depends on how you build it and your expertise to fix things, dynamic routing vs. static routing. Every design has pros and cons.

BB
*** Rate All Helpful Responses ***

Thanks.

If you could provide some useful links, I would be very grateful.

Here are some design guides for reference:

https://www.cisco.com/c/en/us/solutions/enterprise/data-center-designs-data-center-networking/index.html

If you are not sure, I would suggest contacting your local SE or a Cisco partner to help you, so your investment will be protected at a small professional cost.

BB
*** Rate All Helpful Responses ***
Thank you Balaji. Great help from the best professionals.