Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2896
Views
0
Helpful
6
Replies

Please advise on the appropriate firewall and interface mode for this unusual network setup

damode
Level 1
Level 1

‎02-02-2021 12:30 AM

We are setting up ISA 3000 firewalls as FTD in HA pair. We have a unusual challenge wherein, switches on both upstream and downstream have same vlans and we need to use firewall to segment traffic between certain vlans. E.g., Upstream has VLANS 1,2,3,11,13 and downstream has VLAN 1,2,3 as well. 

 

FIrewall requirements state, VLANs 1,2,3 should not be able access 11 and 13 and vice versa. Only exception is, vlan 13 should be able to access vlan 2. no additional firewall features required. Its for an isolated network.

We intend to use 1 physical interface as Port channel with sub-interfaces for 1,2,3,11 and 13 for upstream and 1 interface as PO with sub-interfaces for vlan 1,2,3 each. But open to suggestions if there is better way.

 

In this case, what would be the best option to design the firewall and interface modes ?
Going through the docs, it seems bridged virtual interface sounds feasible, but not sure if routed mode is right or transparent. If transparent mode is chosen, then I would only need to apply BVI IP, but in that case, how I can apply access control policies if interfaces are not assigned to zones ? hence, not sure about transparent mode.

Please advise!
Any guidance on this would be highly appreciated.

0 Helpful
6 Replies 6

Oliver Kaiser
Level 7
Level 7

‎02-02-2021 02:18 PM

Is there an existing system in this setup that is responsible for inter-vlan traffic between those segments? From what you stated I understood that you basically have those two switching domains with the FTDs inbetween to apply security policies between segments, so I would assume routing mode is a feasible choice and is probably the cleanest and simplest design.

 

In case the firewall does not replace an existing router and should only enfore policy without taking care of routing you would go transparent mode, BVIs are not a feasible choice imo since you do not want to switch on your firewall, but want to terminate multiple networks, while switching is done on the down/upstream switches

0 Helpful

damode
Level 1
Level 1
In response to Oliver Kaiser

‎02-02-2021 04:58 PM - edited ‎02-02-2021 05:13 PM

Hi Oliver, thanks for your reply. Where there are just vlans 1,2,3 is the old network and where there are vlans 1,2,3,11,12 is the new switching domain we are adding with FTDs in between.

 

There is no router in between these two switching domains. We are adding the firewalls.

If we were to go with routed mode and would have three following interfaces

  1. PO1 with subinterfaces for vlans 1,2,3,11,13
  2. PO2 with subinterfaces 1,2, 3
  3. 1 interface for HA link.

Then I will add vlan subinterfaces 1,2,3 into INSIDE zone and 11, 12 into OUTSIDE zone. But is it possible to setup two interfaces on FTD with same network ? Asking this for vlan 1,2,3 

 

Do you think the above setup will work ?

 

 

0 Helpful

Oliver Kaiser
Level 7
Level 7
In response to damode

‎02-03-2021 12:28 AM

The setup will work if VLAN 1,2,3 on your INSIDE and OUTSIDE domain are in fact not the same L2 networks.Having the same subinterface IDs on both sides will be no problem, since the FTD will terminate the L2 domain, and route between the different networks.

 

If VLAN 1,2,3 on OUTSIDE and VLAN 1,2,3 on INSIDE are different networks (e.g. OUTSIDE VLAN1 = 10.0.0.0/24, INSIDE VLAN1 = 10.0.1.0/24) your setup will work, and I'd recommend it since it's simple and straight forward.

 

 

0 Helpful

damode
Level 1
Level 1
In response to Oliver Kaiser

‎02-03-2021 02:48 AM

The main problem is VLANs on both inside and outside zones are same L2 networks. Inside has vlans 1,2,3 and outside has 1,2,3,11,12. What can be done in this case ?

 

As such, only main requirement is vlans 1,2,3 should be segmented from vlans 11 and 12 and no traffic should pass between them. We are thinking to put FTDs as transparent firewall and just not put any route on between 11,12 to vlans 1,2 and 3.

0 Helpful

Oliver Kaiser
Level 7
Level 7
In response to damode

‎02-03-2021 06:09 AM

I just re-read your initial post and I think you can accomplish what you are trying to do with routed mode. Since BVIs in routed mode have the limitation of not supporting PortChannels I would recommend creating three redundant interfaces (basically active/standby, so you do not lose link redundancy) and use a BVI to aggregate traffic from both Upstream & Downstream Switch Uplinks (VLAN1,2,3) to FTD and use another routed link for VLAN 11 and 13.

 

This way you still have connectivity between VLAN1,2,3 downstream & upstream, while still being able to route all the different subnets on your firewall and enforce policy between 1,2,3,11 and 13 VLAN

 

Hope that helps

0 Helpful

damode
Level 1
Level 1
In response to Oliver Kaiser

‎02-04-2021 02:29 PM

We would have to split the interfaces into sub-interfaces to accomodate all the vlans. So if we create redundant sub-interfaces on both FWs like below

  1. 1/1 - Downstream link
    1. vlan 1
    2. vlan 2
    3. vlan 3
  2. 1/2 - Upstream link
    1. vlan 1
    2. vlan 2
    3. vlan 3
    4. vlan 11
    5. vlan 12
  3. 1/3 - HA link

And then add sub-interfaces 1,2,3 from both sides to BVI 1 and sub-interfaces from 11,12 (which exist only upstream) to BVI 2.

 

Is this what you mean ?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card