03-18-2019 01:29 AM
Hello everybody,
I got an opportunity to rebuild the office network architecture and I have a question here.
I have around 15 different segments in my network, so there should be 15 different gateways. The main question is: where is the best place to put the gateways, on the core switch or on the firewall? The core is a C3850, the firewall is an ASA 5512. Number of users: ~500.
Pros and cons of gateways on the core:
1. Complexity of core configuration (VRF); -
2. Independence from ASA performance; users get wire-rate access to internal resources; +
Pros and cons of gateways on the ASA:
1. Easy to configure and maintain; +
2. Dependence on ASA performance; -
Could you give me advice about best practices for this?
Thanks in advance!
03-18-2019 04:39 AM
As you point out, none of the VLANs have the same security access, and these ACLs will be much easier to implement on the ASA as it will use connection state. So, to answer your original question, you should place all the routing onto the ASA. Just ensure you have sufficient bandwidth available (use a port-channel) between the core switch and the firewall.
cheers,
Seb.
03-18-2019 01:39 AM
Can you post any topology you have, existing or proposed? Are these 15 segments a new network, part of your network, or external networks?
What kind of resources are they looking to use, and what is the goal or use case here?
03-18-2019 01:46 AM
Hi there,
Use the ASA to provide segregation between security domains. If two VLANs are in the same security domain then it makes no sense to route them on the firewall.
Group your VLANs by security domain, place their gateways in the same VRF, and then provide each VRF with a layer 3 link to the firewall, which will secure them from each other.
cheers,
Seb.
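The VRF-per-security-domain layout described in the reply above, written out as an added configuration example (this is not config from the thread or from either poster). VRF names, VLAN numbers, interface numbers and addresses are assumptions; VLAN 9 is an invented second user VLAN to show two VLANs sharing one domain.

```cisco
! --- C3850: one VRF per security domain, gateways stay on the switch ---
ip routing

vrf definition USERS
 address-family ipv4
 exit-address-family
vrf definition SERVERS
 address-family ipv4
 exit-address-family

! Two VLANs in the same security domain share a VRF and route between
! each other on the switch at wire rate; the ASA never sees that traffic.
interface Vlan5
 description Users
 vrf forwarding USERS
 ip address 10.0.5.1 255.255.255.0
interface Vlan9
 description Users, second floor (assumed, same domain as VLAN 5)
 vrf forwarding USERS
 ip address 10.0.9.1 255.255.255.0

interface Vlan7
 description Security servers
 vrf forwarding SERVERS
 ip address 10.0.7.1 255.255.255.0

! One routed link per VRF to the ASA. Anything leaving a domain must use it.
interface GigabitEthernet1/0/47
 description To ASA Gi0/1 (USERS domain)
 no switchport
 vrf forwarding USERS
 ip address 10.255.1.1 255.255.255.252
interface GigabitEthernet1/0/48
 description To ASA Gi0/2 (SERVERS domain)
 no switchport
 vrf forwarding SERVERS
 ip address 10.255.2.1 255.255.255.252

! Each VRF's only route off-domain is its own firewall leg. Do not add
! a route to the other VRF's prefixes here: that would be route leaking
! and would bypass the firewall.
ip route vrf USERS   0.0.0.0 0.0.0.0 10.255.1.2
ip route vrf SERVERS 0.0.0.0 0.0.0.0 10.255.2.2

! --- ASA: one interface per domain, routes back to each VRF's VLANs ---
interface GigabitEthernet0/1
 nameif users
 security-level 10
 ip address 10.255.1.2 255.255.255.252
interface GigabitEthernet0/2
 nameif servers
 security-level 80
 ip address 10.255.2.2 255.255.255.252
route users   10.0.5.0 255.255.255.0 10.255.1.1
route users   10.0.9.0 255.255.255.0 10.255.1.1
route servers 10.0.7.0 255.255.255.0 10.255.2.1
! Inter-domain policy (users -> servers) is then an ACL on "users", e.g.
access-list USERS_IN extended deny ip any 10.0.7.0 255.255.255.0 log
access-list USERS_IN extended permit ip any any
access-group USERS_IN in interface users
```

A quick check that the separation holds: from the switch, `show ip route vrf USERS` should list no 10.0.7.0/24 entry other than via the default route to 10.255.1.2, and `ping vrf USERS 10.0.7.10` should be dropped and logged by the ASA rather than answered by the switch directly.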
03-18-2019 03:52 AM - edited 03-18-2019 03:53 AM
One VLAN, one security domain; all of this is the internal network.
For example:
VLAN 5 - users
VLAN 6 - user admins
VLAN 7 - security servers
VLAN 8 - security admins
There are four different security domains:
VLAN 5 cannot have access to VLANs 6, 7, 8
VLAN 6 can have access to VLAN 5 but cannot access VLANs 7, 8
VLAN 7 can have access to all
VLAN 8 can have access to VLAN 7
etc., so I don't have the same security domains.
My thought is to create a global ACL on the ASA for the traffic flows.
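The "all gateways on the ASA" design that the accepted answer recommends, written out as an added configuration example for exactly the four-VLAN policy stated in the post above (this is not config from the thread or from either poster). Addresses, interface numbers, port-channel numbers and the ASA interface names are assumptions; the policy lines follow the post literally, so anything not listed there (for example internet access) is not permitted here and would have to be added.

```cisco
! --- C3850: no SVIs for VLANs 5-8, just a trunk to the ASA in a port-channel ---
interface range GigabitEthernet1/0/47 - 48
 switchport mode trunk
 switchport trunk allowed vlan 5-8
 channel-group 1 mode active
interface Port-channel1
 description To ASA Po1 (carries all gateways)
 switchport mode trunk
 switchport trunk allowed vlan 5-8

! --- ASA 5512-X: port-channel trunk, one subinterface/gateway per VLAN ---
interface GigabitEthernet0/1
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/2
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
interface Port-channel1
 no nameif
 no security-level
 no ip address
interface Port-channel1.5
 vlan 5
 nameif users
 security-level 10
 ip address 10.0.5.1 255.255.255.0
interface Port-channel1.6
 vlan 6
 nameif useradm
 security-level 20
 ip address 10.0.6.1 255.255.255.0
interface Port-channel1.7
 vlan 7
 nameif secsrv
 security-level 80
 ip address 10.0.7.1 255.255.255.0
interface Port-channel1.8
 vlan 8
 nameif secadm
 security-level 50
 ip address 10.0.8.1 255.255.255.0

object-group network INTERNAL
 network-object 10.0.0.0 255.255.0.0

! Once an ACL is bound to an interface it replaces the security-level
! default, so each list states the policy in full and ends with a logged deny.
! Return traffic for permitted connections is allowed by connection state,
! which is why VLAN 5 needs no permit for replies to VLAN 6's sessions.

! VLAN 5: no access to 6, 7, 8
access-list USERS_IN extended deny ip any any log
! VLAN 6: access to 5 only
access-list USERADM_IN extended permit ip 10.0.6.0 255.255.255.0 10.0.5.0 255.255.255.0
access-list USERADM_IN extended deny ip any any log
! VLAN 7: access to all internal VLANs
access-list SECSRV_IN extended permit ip 10.0.7.0 255.255.255.0 object-group INTERNAL
access-list SECSRV_IN extended deny ip any any log
! VLAN 8: access to 7 only
access-list SECADM_IN extended permit ip 10.0.8.0 255.255.255.0 10.0.7.0 255.255.255.0
access-list SECADM_IN extended deny ip any any log

access-group USERS_IN   in interface users
access-group USERADM_IN in interface useradm
access-group SECSRV_IN  in interface secsrv
access-group SECADM_IN  in interface secadm
```

Verify the policy before cutting over with packet-tracer on the ASA, for example `packet-tracer input useradm tcp 10.0.6.10 1025 10.0.7.10 22` should end in DROP on SECADM/USERADM ACL lookup while `packet-tracer input useradm tcp 10.0.6.10 1025 10.0.5.10 445` should be ALLOW. With this design every inter-VLAN packet crosses the port-channel twice (in on one subinterface, out on another), so size the channel and watch the ASA's throughput, which is the "dependence on ASA performance" con from the original post.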
03-19-2019 01:15 PM - edited 03-19-2019 01:24 PM
Hello,
Hmm, I would tend to say inter-VLAN routing on the 3850; that's what it is designed to do, and it is easier to apply resiliency (stackable) and IP services such as NAT/VRF, L3 ACLs, L2 security, QoS, mpp/copp/r, DHCP, multicast, DAI, etc.
The ASA can be left to do what it's designed to do: inspect/filter/control traffic.