02-06-2014 05:35 AM - edited 03-11-2019 08:41 PM
Hello,
I'm deploying an ASA as a DATA CENTER FW with the main goal of ensuring that:
1. All end-user traffic to servers is passed through the FW/IPS.
2. All user-user traffic should pass through FW/IPS (there is also a requirement to block all inter-dept. traffic)
Currently I'm set up with a 6500 core where all users (access layer switches) terminate (collapsed core setup) and all servers terminate at a Nexus 5K which has uplinks to the 6500. As of now I have SVIs for all VLANs on the core.
My question is, with the ASA, would it be better to place all SVIs on the ASA as the default gateway, "or" have something like VRFs to keep the SVIs on the core and have traffic passed to the FW for further processing?
Thanks
Regards
Adnan
02-06-2014 05:55 AM
2. All user-user traffic should pass through FW/IPS (there is also a requirement to block all inter-dept. traffic)
When you say all user to user traffic should pass through the FW, do you also mean users that are located within the same subnet?
Whether to use VRFs or to set the ASA as the default gateway depends on requirements. If some inter-subnet traffic needs to communicate without having to pass through the firewall, then VRF is the way to go. If all traffic regardless of subnet should pass through the ASA, then perhaps setting the ASA as the default gateway is what you would like to do.
But then you also need to consider the future. If there is a possibility that you will need to allow inter-subnet or inter-VLAN traffic to communicate directly without going through the firewall, then it might be best to set up the network using VRFs now, while still sending all traffic through the ASA, and then in the future edit the routing to allow for traffic leaking between subnets.
--
Please remember to rate and select a correct answer
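To make the VRF option above concrete, here is an added example configuration (not part of Marius's reply or of Cisco's documentation) of the "SVIs stay on the core, ASA sees everything between subnets" design. All names, VLAN numbers and addresses are assumptions chosen for illustration: two departments (HR, Finance), each in its own VRF on the 6500 with a per-VRF transit VLAN to the ASA, and a server subnet directly behind the ASA. The IPS module redirection is not shown.

```cisco
! ===== 6500 core: VRF-lite, one VRF per department (hypothetical names/addresses) =====
ip vrf DEPT-HR
 rd 65000:10
ip vrf DEPT-FIN
 rd 65000:20
!
! User SVIs stay on the core as default gateways, but each lives in its own VRF,
! so the core itself holds no route from one department to another.
interface Vlan10
 description HR users
 ip vrf forwarding DEPT-HR
 ip address 10.10.10.1 255.255.255.0
interface Vlan20
 description Finance users
 ip vrf forwarding DEPT-FIN
 ip address 10.10.20.1 255.255.255.0
!
! One transit VLAN per VRF carries that VRF's traffic to the ASA over a trunk.
interface Vlan910
 description transit DEPT-HR to ASA
 ip vrf forwarding DEPT-HR
 ip address 10.1.10.1 255.255.255.252
interface Vlan920
 description transit DEPT-FIN to ASA
 ip vrf forwarding DEPT-FIN
 ip address 10.1.20.1 255.255.255.252
!
! The only route in each VRF is a default toward the ASA.
ip route vrf DEPT-HR  0.0.0.0 0.0.0.0 10.1.10.2
ip route vrf DEPT-FIN 0.0.0.0 0.0.0.0 10.1.20.2

! ===== ASA: one subinterface per transit VLAN, server subnet directly attached =====
interface GigabitEthernet0/1.910
 vlan 910
 nameif dept-hr
 security-level 50
 ip address 10.1.10.2 255.255.255.252
interface GigabitEthernet0/1.920
 vlan 920
 nameif dept-fin
 security-level 50
 ip address 10.1.20.2 255.255.255.252
interface GigabitEthernet0/2
 nameif servers
 security-level 60
 ip address 10.200.0.1 255.255.255.0
!
! Return routes for the user subnets that sit behind each VRF on the core.
route dept-hr  10.10.10.0 255.255.255.0 10.1.10.1
route dept-fin 10.10.20.0 255.255.255.0 10.1.20.1
!
! Inbound ACL per department interface: permit only user -> server subnet,
! log and drop everything else (this is what blocks inter-department traffic).
access-list HR-IN  extended permit ip 10.10.10.0 255.255.255.0 10.200.0.0 255.255.255.0
access-list HR-IN  extended deny   ip any any log
access-group HR-IN in interface dept-hr
access-list FIN-IN extended permit ip 10.10.20.0 255.255.255.0 10.200.0.0 255.255.255.0
access-list FIN-IN extended deny   ip any any log
access-group FIN-IN in interface dept-fin
```

Two points worth checking on a design like this: first, the department interfaces share security-level 50 and `same-security-traffic permit inter-interface` is deliberately left unconfigured, so the ASA refuses dept-hr to dept-fin traffic even if someone later adds a permissive ACL entry; the explicit `deny ip any any log` is the second, auditable layer. Second, because each user VRF on the core holds only a default route to the ASA, allowing a future department-to-department exception means adding a route (or leaking) on the core plus a matching ACL entry on the ASA, which is the "edit the routing later" flexibility described above.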
02-06-2014 06:43 AM
Thank you Marius.
No, users on same subnet (department) would not have to pass through the FW.
What I'm looking for is that all traffic from any subnet should pass through the FW/IPS before communicating with devices in other subnets (whether it is server-server or user-server).
I have a requirement that users on one subnet should not communicate with users on other subnets at all. No user VLAN should pass traffic to another user VLAN; all user VLANs should only be able to communicate with SERVER VLANs.
One more question I have is whether it would be better to connect the ASA to the L3 core (if I go ahead with VRFs) or to the L2 server aggregation layer (if I go ahead with an L2 FW)?