Firewall Design Question

Nick wfd
Level 1

Hi,

Currently I am in the process of designing a data center. In our current setup we have the default gateways of all VLANs configured on an ASA 5520.

In the new design we are planning to bring the default gateways down from the ASA to the core switches (4500-X). But there is a requirement to firewall inter-VLAN traffic. We also have two firewalls.

How can we design this to use one firewall to restrict traffic between VLANs and also host the DMZ on it, and another, external firewall to handle NAT, site-to-site and remote-access VPN? Is connecting two firewalls back to back a good design? Please suggest.

Thanks

Accepted Solution

Hi,

From what I can understand, I don't think there are many options to go for if you want to keep a firewall controlling the traffic through all of the VLANs. Naturally, having the gateways at the firewall would be the ideal situation when it comes to controlling the traffic. Only using the firewall to route traffic out from those VLANs would naturally mean you couldn't control any traffic between them unless you start configuring extended ACLs on the core device itself. But this would naturally become troublesome to configure, troubleshoot and manage.

I would probably look into the possibility of getting a brand new firewall that can handle being the gateway for the VLANs, and if you currently have 2x ASA 5520 you could maybe look into (as you have) using them for both ACL/NAT and VPN purposes. Each firewall would then have a pretty simple role in the network and therefore they would be easier to manage.

Here are some good brief documents on the Cisco firewall models.

They provide information on throughput performance, VLAN support, etc.

ASA 5500 Series

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80285492.pdf

ASA 5500-X Series

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/at_a_glance_c45-701635.pdf

- Jouni

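The two options Jouni contrasts above, side by side. This is an added example, not from the thread or from the Cisco documents linked above: the interface names, VLAN IDs, object names and 10.10.x.x addresses are hypothetical, the ASA half assumes a trunk from the ASA to the core with one subinterface per VLAN, and the core half is IOS-style extended ACLs on SVIs as they would be written on a 4500-X.

```cisco
! ------------------------------------------------------------
! Option A: ASA as the VLAN gateway (802.1Q trunk to the core, one
! subinterface per VLAN). The ASA is stateful, so return traffic of a
! permitted connection is allowed without extra rules.
! ------------------------------------------------------------
interface GigabitEthernet0/2
 description Trunk to core switch (hypothetical)
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2.10
 vlan 10
 nameif servers
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/2.20
 vlan 20
 nameif users
 security-level 40
 ip address 10.10.20.1 255.255.255.0
!
! Without an ACL the ASA only lets traffic flow from a higher to a lower
! security level, so users (40) -> servers (50) is blocked by default.
! Once an ACL is bound to the interface it replaces that default, so the
! ACL has to permit everything the VLAN legitimately needs.
object-group service WEB-PORTS tcp
 port-object eq www
 port-object eq https
!
access-list USERS_IN extended permit tcp 10.10.20.0 255.255.255.0 10.10.10.0 255.255.255.0 object-group WEB-PORTS
access-list USERS_IN extended deny ip 10.10.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list USERS_IN extended permit ip 10.10.20.0 255.255.255.0 any
access-group USERS_IN in interface users
! Note: "servers" has no inbound ACL here, so servers (50) -> users (40) is
! still allowed by the security-level default; add a SERVERS_IN ACL if that
! direction must be restricted too.
!
! ------------------------------------------------------------
! Option B: gateways on the core (SVIs) with extended ACLs. These are
! stateless: each packet is judged on its own, so the reverse direction
! must be permitted explicitly, and a VLAN with no ACL can reach everything.
! ------------------------------------------------------------
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip access-group SERVERS-IN in
!
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
 ip access-group USERS-IN in
!
ip access-list extended USERS-IN
 permit tcp 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80
 permit tcp 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 443
 deny   ip  10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip  any any
!
ip access-list extended SERVERS-IN
 remark "established" only checks the TCP ACK/RST flags; it is not a state table
 permit tcp 10.10.10.0 0.0.0.255 eq 80  10.10.20.0 0.0.0.255 established
 permit tcp 10.10.10.0 0.0.0.255 eq 443 10.10.20.0 0.0.0.255 established
 deny   ip  10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 permit ip  any any
```

With 35 VLANs, option B means 35 SVIs each carrying an ACL that has to be kept consistent with the ACLs of every other VLAN it talks to, and because the `established` keyword only inspects flags, a host in the server VLAN can still send ACK-flagged packets into the user VLAN. That is the "troublesome to configure, troubleshoot and manage" point above; the ASA subinterface model keeps one stateful policy per VLAN in one place.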

7 Replies

Jouni Forss
VIP Alumni

Hi,

What's behind the decision to move the GWs from the ASAs to the core switches?

- Jouni

The number of VLANs has increased, and also considering performance, we are planning to move the GWs from the ASAs to the core switches.

Hi,

Do you have any specific numbers related to the number of current/future VLAN IDs and the performance/throughput required by the setup?

Have you been experiencing problems already with the current setup which led to this?

I know you are planning on using the current firewalls but I just want to get some idea of your current setup.

- Jouni

Hi,

Currently we have 35 VLANs but this may increase, and keeping future expansion in consideration, we want to move the default gateways to the core switches. This is the current design we are planning:

Internet --> Edge Routers --> External Firewall (NAT, VPN) --> DMZ Switches (two stacked switches for redundancy; DMZ servers connect here) --> Internal Firewall (inter-VLAN restriction) --> Core Switch --> Aggregators --> Top-of-rack switches

Any suggestions on the above design or best practice considerations will be helpful.
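The diagram above as a concrete pair of configurations, to show where NAT and routing would live. This is an added example, not from Nick's post or from Cisco: the addresses (RFC 5737 documentation ranges outside, 10.10.0.0/16 for the internal VLANs), interface names, object names and the single web/database server pair are all hypothetical, the VPN configuration on the external ASA is left out, and the NAT syntax assumes ASA 8.3 or later.

```cisco
! ============================================================
! External ASA: Internet edge, NAT and VPN only
! ============================================================
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1
 description DMZ switch stack; internal ASA also lives here (hypothetical)
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1
! All internal VLANs sit behind the internal ASA, so one summary route suffices
route dmz 10.10.0.0 255.255.0.0 192.0.2.2
!
! PAT the internal VLANs and the DMZ to the outside interface address
object network INTERNAL-NETS
 subnet 10.10.0.0 255.255.0.0
 nat (dmz,outside) dynamic interface
object network DMZ-SEGMENT
 subnet 192.0.2.0 255.255.255.0
 nat (dmz,outside) dynamic interface
!
! Publish one DMZ web server (static NAT wins over the dynamic rule above).
! ASA 8.3+ ACLs are written against the real, untranslated address.
object network DMZ-WEB
 host 192.0.2.10
 nat (dmz,outside) static 203.0.113.3
access-list OUTSIDE_IN extended permit tcp any object DMZ-WEB eq 443
access-group OUTSIDE_IN in interface outside
!
! ============================================================
! Internal ASA: DMZ-to-internal policy, no NAT. Its "outside" is on the
! same segment as the DMZ servers, so it is treated as fully untrusted.
! ============================================================
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
!
interface GigabitEthernet0/1
 description Point-to-point link to the core switch (hypothetical)
 nameif inside
 security-level 100
 ip address 10.10.0.2 255.255.255.252
!
route outside 0.0.0.0 0.0.0.0 192.0.2.1
route inside 10.10.0.0 255.255.0.0 10.10.0.1
!
! Only the web server may open a database connection inward; anything else
! arriving from the DMZ side hits the implicit deny at the end of the ACL.
access-list OUTSIDE_IN extended permit tcp host 192.0.2.10 host 10.10.10.25 eq 1433
access-group OUTSIDE_IN in interface outside
```

The check to make before adopting this: with the VLAN gateways on the core switch, the internal ASA only ever sees traffic crossing its /30 link, i.e. north-south flows to the DMZ and the Internet. Packets between two internal VLANs are routed by the core and never reach either firewall, so the "inter-VLAN restriction" role drawn on the internal firewall is not actually delivered by this topology unless the VLAN gateways move onto that firewall.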

Nick,

Are you looking at another vendor for this solution? I have seen that the Juniper firewall (SRX5800) has a good limit for configuring VLANs on it.

Since this is a Cisco forum, let's stick to some basic rules.


Agree with Jouni. There is no need to move the GWs from the ASAs to the switch.

Check this datasheet link:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html

Please look for "Virtual Interfaces (VLANs)" for each of the models. Our ASA 5510 alone can support 100 VLANs with the Security Plus license.

Please join me on my upcoming webcast on Tue Jan 15th and ask away your questions.

-Kureli

https://supportforums.cisco.com/community/netpro/expert-corner#view=webcasts

Upcoming Live Webcast in English: January 15, 2013
Troubleshooting ASA and Firewall Service Modules
