Network design question

storm1kk
Level 1

Hello everybody,

I got an opportunity to rebuild the office network architecture and I have a question.

I have around 15 different segments in my network, so there should be 15 different gateways. The main question is: where is the best place to put the gateways? On the core switch or on the firewall? The core is a C3850, the firewall is an ASA 5512. Number of users: ~500.

Pros and cons of gateways on the core:

1. Complexity of core configuration (VRF); -

2. Independence from ASA performance; users get wire-rate access to internal resources; +

Pros and cons of gateways on the ASA:

1. Easy to configure and maintain; +

2. Dependence on ASA performance; -

Could you give me advice on best practices for this?

Thanks in advance!

1 Accepted Solution


6 Replies

balaji.bandi
Hall of Fame

Can you post the topology you have, existing or proposed? Are these 15 segments new, part of your network, or external networks?

What kind of resources are they looking to use? What is the goal or use case here?

BB

Seb Rupik
VIP Alumni

Hi there,

Use the ASA to provide segregation between security domains. If two VLANs are in the same security domain, then it makes no sense to route them on the firewall.

Group your VLANs by security domain, place their gateways in the same VRF, and then provide each VRF with a layer 3 link to the firewall, which will secure them from each other.

cheers,

Seb.

One VLAN - one security domain - all of this is the internal network.
For example:
vlan 5 - users
vlan 6 - user admins
vlan 7 - security servers
vlan 8 - security admins

There are four different security domains:
vlan 5 cannot have access to vlans 6, 7, 8
vlan 6 can have access to vlan 5 but not to vlans 7, 8
vlan 7 can have access to all
vlan 8 can have access to vlan 7

etc., so I don't have any identical security domains.

My thought is to create a global ACL on the ASA for the traffic flows.

As you point out, none of the VLANs have the same security access, and these ACLs will be much easier to implement on the ASA, as it will use connection state. So, to answer your original question, you should place all the routing onto the ASA. Just ensure you have sufficient bandwidth available (use a port-channel) between the core switch and the firewall.

cheers,

Seb.

I prefer this design. It's not often you will have ONE network per VRF. I have multiple networks in the same VRF and they switch between each other. Then each VRF has an egress /29 to the northbound firewall if it needs to route outside its own VRF. The default route for each VRF is always the next-hop firewall.

Hello

Hmm, I would tend to say inter-VLAN routing on the 3850; that's what it is designed to do, and it is easier to apply resiliency (stackable) and IP services such as NAT/VRF, L3 ACLs, L2 security, QoS, mpp/copp/r, DHCP, multicast, DAI, etc.

The ASA can be left to do what it's designed to do: inspect, filter and control traffic.

Kind Regards
Paul