01-11-2013 08:27 AM - edited 03-11-2019 05:45 PM
Hi,
Currently I am in the process of designing a data center. In our current setup we have the default gateways of all VLANs configured on an ASA 5520.
In the new design we are planning to bring down the default gateways from the ASA to the core switches (4500-X). But there is a requirement for firewalling inter-VLAN traffic. We also have two firewalls.
How can we design this so that one firewall restricts traffic between VLANs and also hosts the DMZ, while another external firewall handles NAT, site-to-site and remote-access VPN? Is connecting two firewalls back to back a good design? Please suggest.
Thanks
01-13-2013 04:51 AM
Hi,
From what I can understand I don't think there are many options to go for if you want to keep a firewall controlling the traffic through all of the VLANs. Naturally having the gateways at the firewall would be the ideal situation when it comes to controlling the traffic. Only using the firewall to route traffic out from those VLANs would naturally mean you couldn't control any traffic between them unless you start configuring extended ACLs on the core device itself. But this would naturally become troublesome to configure, troubleshoot and manage.
I would probably look into the possibility of getting a brand new firewall that can handle being the gateway for VLANs, and if you currently have 2x ASA5520 you could maybe look into (as you have) using them for both ACL/NAT and VPN purposes. Each firewall would then have a pretty simple role in the network and therefore they would be easier to manage.
Here are some good brief documents on the Cisco firewall models.
They provide information on the throughput performance, VLAN support, etc.
ASA 5500 Series
ASA 5500-X Series
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/at_a_glance_c45-701635.pdf
- Jouni
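What the "extended ACLs on the core device" alternative mentioned above looks like in practice, as an added illustration that is not part of the original thread (VLAN numbers, subnets and the HTTPS-only rule are constructed placeholders):

```cisco
! Added example, not from the thread: inter-VLAN filtering on a Catalyst 4500-X
! that acts as the gateway for two VLANs. IDs, subnets and ports are constructed.
!
! Policy: users in VLAN 10 may reach app servers in VLAN 20 on TCP/443 only;
! all other traffic between the two VLANs is dropped and logged.
interface Vlan10
 description Users (constructed)
 ip address 10.10.10.1 255.255.255.0
 ip access-group USERS-IN in
!
interface Vlan20
 description App servers (constructed)
 ip address 10.10.20.1 255.255.255.0
 ip access-group SERVERS-IN in
!
! Inbound on the user SVI: allow HTTPS to the app VLAN, drop anything else
! aimed at it, and let everything else (e.g. Internet-bound) continue to the firewall.
ip access-list extended USERS-IN
 permit tcp 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 443
 deny   ip  10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 log
 permit ip  any any
!
! The switch ACL is stateless, so the return direction must be permitted
! explicitly; "established" only matches TCP ACK/RST flags, it is not a session table.
ip access-list extended SERVERS-IN
 permit tcp 10.10.20.0 0.0.0.255 eq 443 10.10.10.0 0.0.0.255 established
 deny   ip  10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255 log
 permit ip  any any
!
! Every additional VLAN pair needs entries in both directions on both SVIs,
! which is the management burden the answer warns about and why a stateful
! firewall acting as the gateway is the preferred design.
```

Because the core switch keeps no connection state, the "established" match admits any segment with ACK or RST set, so this only approximates the stateful inspection an ASA gateway would give.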
01-11-2013 09:46 AM
Hi,
What's behind the decision to move the GWs from the ASAs to the core switches?
- Jouni
01-11-2013 10:23 AM
The number of VLANs has increased, and also considering performance, we are planning to move the GWs from the ASAs to the core switches.
01-11-2013 11:32 AM
Hi,
Do you have any specific numbers related to the number of current/future VLAN IDs and the performance/throughput required by the setup?
Have you already been experiencing problems with the current setup which led to this?
I know you are planning on using the current firewalls but I just want to get some idea of your current setup.
- Jouni
01-11-2013 02:19 PM
Hi,
Currently we have 35 VLANs, but this may increase, and keeping future expansion in consideration, we want to move the default gateways to the core switches. This is the current design we are planning:
Internet ------> Edge Routers -------> External Firewall (NAT, VPN) -------> DMZ Switches (two stacked switches for redundancy; DMZ servers connect here) --------> Internal Firewall (inter-VLAN restriction) --------> Core Switch --------> Aggregators --------> Top-of-rack switches.
Any suggestions on the above design or best practice considerations will be helpful.
01-12-2013 10:45 PM
Nick,
Are you looking for another vendor for this solution? I have seen that the Juniper firewall (SRX5800) has a good limit for configuring VLANs on it.
Since this is a Cisco forum, let's stick to some basic rules.
01-13-2013 06:11 AM
Agree with Jouni. There is no need to move the GWs from the ASAs to the switch.
Check this datasheet link:
Please look for "Virtual Interfaces (VLANs)" for each of the models. Our ASA5510 alone can support 100 VLANs with the Security Plus license.
Please join me on my upcoming webcast on Tue Jan 15th and ask away your questions.
-Kureli
https://supportforums.cisco.com/community/netpro/expert-corner#view=webcasts
Upcoming Live Webcast in English: January 15, 2013
Troubleshooting ASA and Firewall Service Modules
Register today for this Cisco Support Community live webcast.