02-17-2013 03:29 AM - edited 03-10-2019 12:00 AM
Hi,
I would like to ask here for your opinion about a security solution that we intend to implement in our environment.
In our network we have a core office and 40 remote branches.
Each branch has the following network configuration (simplified here for clarity purposes):
http://oi50.tinypic.com/2im00uh.jpg
We would like to create a security solution to avoid each VLAN accessing other VLANs. In some situations we need the communication between VLANs but this communication must be controlled allowing only specific ports and protocols.
We thought about 2 ways to solve this problem:
1 - PVLAN
2 - ZFW
ZFW: We would configure each subinterface of the router in a separate Zone to restrict traffic flow between subinterfaces.
Which one would you recommend? Is there a better solution for it?
ZFW seems to fit another scenario where we have OUTSIDE, INSIDE and DMZ. I am not sure if ZFW would be the best solution for intra-network control.
Thank you.
Leo.
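To make the ZFW option concrete, here is an added example (not from this thread or from any poster) of what "one zone per subinterface" looks like on an IOS branch router. The VLAN IDs, subnets, interface names and the two permitted services (DNS and HTTPS from the user VLAN to the server VLAN) are constructed assumptions; substitute your own.

```cisco
! Added example, not from the original thread: IOS Zone-Based Firewall with one
! security zone per 802.1Q subinterface. VLAN IDs, addressing and the permitted
! services below are assumptions for illustration.
!
! Step 1: one security zone per VLAN.
zone security VLAN10
 description Users
zone security VLAN20
 description Servers
!
! Step 2: describe the only traffic that may cross from users to servers.
class-map type inspect match-any CM-USERS-TO-SERVERS
 match protocol dns
 match protocol https
!
! Everything not matched falls into class-default and is dropped (and logged).
policy-map type inspect PM-USERS-TO-SERVERS
 class type inspect CM-USERS-TO-SERVERS
  inspect
 class class-default
  drop log
!
! Step 3: a zone-pair for each direction that is allowed at all.
! Two zones with no zone-pair between them cannot exchange traffic; that is the
! default deny this design relies on. Because the policy uses "inspect", return
! traffic for sessions started from VLAN10 is allowed statefully, so no
! servers-to-users zone-pair is needed for those replies.
zone-pair security ZP-USERS-TO-SERVERS source VLAN10 destination VLAN20
 service-policy type inspect PM-USERS-TO-SERVERS
!
! Step 4: bind each subinterface to its zone. Traffic between hosts inside the
! same VLAN never touches the router, so ZFW only governs inter-VLAN flows.
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.1.10.1 255.255.255.0
 zone-member security VLAN10
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 10.1.20.1 255.255.255.0
 zone-member security VLAN20
!
! Verification:
!   show zone-pair security
!   show policy-map type inspect zone-pair ZP-USERS-TO-SERVERS sessions
```

Two caveats a practitioner would check before rolling this out to 40 branches. First, once any interface is a zone member, an interface that belongs to no zone can no longer talk to the zoned ones, so the WAN or VPN interface toward the core office also needs a zone and its own zone-pairs, or branch-to-core traffic is silently dropped. Second, traffic to and from the router itself (the built-in "self" zone) is permitted by default unless you write a policy for it, which is worth doing for management protocols.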
02-17-2013 06:53 AM
Hi,
What devices do the branch and core offices have at the moment? Are you planning on implementing the same model/same device for each of the branch offices?
Are you going to configure a setup where each branch is also connected to the core office via VPN?
On average, how many devices are there in the branch offices?
Personally, I think the easiest choice would be to use a Cisco firewall if your main concern is to control traffic between the different VLANs of each branch office and also provide VPN connectivity. Though I have to admit my opinion is biased because I mainly use Cisco ASA firewalls in setups and we don't use routers to handle firewall functionality even if they had the possibility.
I have always found the Cisco router configuration format a bit clunky, but again this is something that is probably due to the fact that I only use Cisco ASA (also PIX and FWSM) firewalls in my work. I do have plans to get some experience with the Cisco router firewall side, but it just seems there is not enough time.
If you were to go with the Cisco ASA then your firewall model would probably be ASA5505 (depending on throughput requirements).
It would also seem to me that if you would go with some Cisco router series you would have to pay a lot more than for example an ASA5505 with Security Plus License. Naturally with the Cisco ASA you will need a separate device to provide an xDSL connection, unless that is provided with the connection or the connection is delivered to you as Ethernet connectivity.
Here's a link to some information about the ASA5505 (5510 also)
Here's a link to the datasheet of all of the ASA models
ASA 5500 Series
ASA 5500-X Series
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/at_a_glance_c45-701635.pdf
Please let me know if you need some more specific information and I'll try to answer if I can.
Hopefully the above information has been helpful
EDIT: I understand that this might not help you at all if you're not looking to change any devices at the remote offices but rather using some existing feature on those networks.
- Jouni
02-18-2013 05:17 AM
Thanks for answering.
I was searching for someone who has already had this kind of experience configuring different VLAN subinterfaces into separate zones.