1801 Views, 20 Helpful, 9 Replies

Is the network over-designed?


Dear All,

The uploaded JPG is a summary layout that reflects the network design provided by a contractor for our 6-floor new building. I feel the network is over-designed. My question is: do I need this number of firewalls? We did ask for the LAN traffic to be segregated, as the LANs carry different traffic for different purposes.

[Attachment: LAN.JPG]

Accepted Solution

I agree that this is overkill with firewalls.  You would only need the following:

- a pair of firewalls in HA setup

- Etherchannel configuration between ASAs and the 3650 switches.  Configure subinterfaces on the portchannel for the various LANs

- Configure access rules restricting access between the LANs on the sub interfaces

- ***no L3 routing on the switches***. If L3 is required on the switches use VRFs

I do not know what your requirements are, but I would also suggest looking into using FTD devices and not ASAs.  I would also suggest using Firepower software instead of ASA with the threat license as a minimum.  This is because Firepower will provide IPS while the ASA does not.  It can also do almost everything the ASA can do.

If Firepower software is not an option, the FTD devices can also run ASA software.

--
Please remember to select a correct answer and rate helpful posts
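The design Marius describes above (HA pair, EtherChannel to the 3650s, one subinterface per LAN, access rules between LANs, no L3 on the switches), written out as an added configuration example; it is not from the thread or from Cisco. The interface names, VLAN IDs and 10.0.x.0/24 addressing are assumptions chosen for illustration.

```cisco
! Added example, not from the thread. Assumed: ASA 5500-X active/standby pair,
! Te0/6-0/7 cabled to the 3650 stack, VLAN 10 = Fire & Gas, VLAN 20 = PA/GA,
! VLAN 30 = management. VLAN IDs, names and addresses are placeholders.

! --- 3650 side: plain L2 trunk, no SVIs on these VLANs (no L3 on the switch) ---
interface Port-channel1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
interface range TenGigabitEthernet1/1/1 - 2
 channel-group 1 mode active

! --- ASA side: LACP port-channel with one subinterface per LAN ---
interface TenGigabitEthernet0/6
 channel-group 1 mode active
 no shutdown
interface TenGigabitEthernet0/7
 channel-group 1 mode active
 no shutdown
interface Port-channel1
 no shutdown
interface Port-channel1.10
 vlan 10
 nameif firegas
 security-level 100
 ip address 10.0.10.1 255.255.255.0 standby 10.0.10.2
interface Port-channel1.20
 vlan 20
 nameif paga
 security-level 50
 ip address 10.0.20.1 255.255.255.0 standby 10.0.20.2

! Deny by default between LANs and allow only the flows each system needs.
! Explicit ACLs (rather than relying on security levels alone) keep the
! inter-LAN policy visible and auditable, and the deny entries are logged.
access-list firegas_in extended permit tcp 10.0.10.0 255.255.255.0 host 10.0.30.50 eq 443
access-list firegas_in extended deny ip any any log
access-group firegas_in in interface firegas
access-list paga_in extended deny ip 10.0.20.0 255.255.255.0 10.0.10.0 255.255.255.0 log
access-list paga_in extended permit ip 10.0.20.0 255.255.255.0 any
access-group paga_in in interface paga

! --- Active/standby failover over a dedicated link (same on both units,
!     with "failover lan unit secondary" on the second ASA) ---
failover lan unit primary
failover lan interface folink GigabitEthernet0/8
failover link folink GigabitEthernet0/8
failover interface ip folink 192.168.255.1 255.255.255.252 standby 192.168.255.2
failover key <choose-a-strong-shared-key>
failover
```

With this layout every new LAN is a VLAN on the trunk plus one subinterface and one ACL on the ASA pair, so segregation is enforced at a single policy point instead of on a firewall per LAN.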


9 Replies


Thank you Marius,

Do you suggest adding another layer by using VRFs in case we use L3 features?


@abdullah.abdulhafid wrote:

I do not have the authority to publish the original documents. The LANs in our network represent different security systems, for example the Fire and Gas system, the PA/GA system, etc.


If this network is deemed "confidential", then why take unnecessary risk?

Get a reputable system integrator for confidentiality protection.

I suggest a combination of VRFs and a pair of firewalls in HA.

--
Please remember to select a correct answer and rate helpful posts

Also, I forgot to mention that whether you use VRFs or not depends on your design. If you are not doing any routing on the L3 switch then there is no need for VRFs, so just trunk the VLANs to the firewall.

I also agree with Leo with regard to whom you choose to do the design and implementation. The cheapest provider on design and implementation often ends up being the most expensive in the long run.

--
Please remember to select a correct answer and rate helpful posts

Leo Laohoo
Hall of Fame

Where did the contractor get this design from? It looks like one from a Packet Tracer design.

Without knowing the criteria of the network it is hard to determine if the FWs are overkill.

The original documents are not allowed to be uploaded. The layout was done by myself; however, it describes the real design.

Marvin Rhoads
Hall of Fame

It looks like homework to me. No reputable contractor anywhere in the world would propose a design with 6 out of 7 devices being past end-of-sales.

Sorry Marvin,

The sketch was done by myself. I do not have the authority to publish the original documents. The LANs in our network represent different security systems, for example the Fire and Gas system, the PA/GA system, etc.

I am worried about the number of firewalls, and I need to reduce the cost as long as there is no security breach.

Abdalla
