for my next network segmentation, I would use VRF and route them to a firewall for filter the different networks.
4 VRF are planned :
- VRF "front"
- VRF "front management"
- VRF "back"
- VRF "back management"
In each VRF, we'll have many vlans and we want to filter them from the firewall.
In the VFR "front", we have 10 vlans. Vlan number 1 must not speak with vlan number 2 but only if it's authorized by the firewall.
Then, is it possible, with a default gateway for each VRF to the firewall, to filter each vlan in the same VRF ? Or by default, all vlans in a same VRF could "speak" together ?
Thank you for your support :)
In this topology all VLANs in the same VRF would be able to communicate, as they are the same security level/ classification in your model. If you wanted to restrict communication between them you would additional ACLs on the VLAN SVIs.
This would be stateless so perhaps not as secure as you require.
Each vlan would need it's own L3 interface which is either on the firewall or somewhere else but if you want to filter between vlans within a VRF why put them in the same VRF ?
I wanted use VRF to manage routes easily but in my case, effectively, it's not the good solution because I want to isolate each vlans by ACL.
Thank you for your support.
In which case you will want to route every VLAN on the firewall and use the core switch as a Layer2 device only.
Depending on the firewall model this will involve SVIs and a trunk link to the core switch, or multiple routed sub interfaces on a Port-channel.
Since you are routing all VLANs on the firewall, ensure that you bundle enough member links into the Po to satisfy the both the east-west and outbound traffic.
effectively, I want to route every VLAN to a main Firewall (Fortinet 3000D) to filter which vlan can talk with another.
Network 1 must be filtered by the FW to talk with Network 2.
Then you will need the following config:
! CORE ! vlan 10 vlan 20 vlan 30 ! int gi0/1 switchport mode access switchport access vlan 10 spanning-tree portfast ! int gi0/2 switchport mode access switchport access vlan 20 spanning-tree portfast ! int gi0/3 switchport mode access switchport access vlan 30 spanning-tree portfast ! ! int range gi0/9-10 channel-group 1 mode active ! int po1 switchport mode trunk switchport trunk allowed vlan 10,20,30 !
Note, that VLANs 10,20,30 are not routed on the CORE switch, just trunked via Po1 to the firewall. I'm guessing you will need to configure the LCAP on the Fortigate with routed sub-interfaces for each VLAN. I've never confgured one so that' a guess.
Why dont you enable inter-vlan routing on the core switch and segregate vlan traffic from there and then push each vlan off site traffic up to the FW, it will save resource on the FW and you would have various options on the switch to perfrom this segregation.