Let me start off by saying I'm kind of new in the Cisco world, so please be kind.
I have set up a scenario for a small business and have some questions about how to manage the access between the VLANs.
I would also appreciate hints and tips if my scenario is "wrong", or if there is a better / another way to do it.
See the attached picture for the topology / info.
My question is:
My switches are set up with x number of VLANs and a routed port (no switchport) to the ASA for internet connectivity.
What is the best (or only??) way to manage the access between the VLANs? Is it ACLs on the switch?
And by "managing access" I mean VLAN 50 (public wifi) only has access to the internet, only management servers have access to the management VLAN, the client VLAN only has RDP access to the server VLAN, and so on...
Is there any way to do this in the ASA (or by adding another (gigabit) router to the topology), or is the only way to have lots of ACLs on the switch itself?
I have thought about "router on a stick", but then I imagine there will be a bottleneck between the switch and the ASA?
(Equipment is 2 x 3650G, ASA5505, AP1252 - see attached file)
Any help is appreciated!
If you want to block access between your internal VLANs, then the place to do it in your design is on sw-1 and sw-2, by using access lists and applying them to the SVIs. Be careful when you are doing that, because if you only allow one to talk to another and later on you need to provide access for a second VLAN, you need to modify your access list. Doing this often becomes an administrative burden. So, overall, think about whether it is necessary to block communication between VLANs.
If you want to allow only one VLAN to access the outside, then you can configure that on the firewall, by blocking all VLANs but 50.
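As an added example (not configuration from the thread or from the poster's own switches), this is how the policy described in the question maps onto the two places the answer above names: router ACLs on the Catalyst SVIs for inter-VLAN traffic, and an inside-interface ACL on the ASA for who may leave to the internet. The addressing (10.0.10.0/24 servers, 10.0.20.0/24 clients, 10.0.50.0/24 public wifi, 10.0.99.0/24 management, 10.0.10.5 as the management server) is assumed for illustration; nothing in the thread gives the real subnets.

```cisco
! Added example; hypothetical addressing, not taken from the thread:
!   VLAN 10  servers      10.0.10.0/24   SVI 10.0.10.1   mgmt server 10.0.10.5
!   VLAN 20  clients      10.0.20.0/24   SVI 10.0.20.1
!   VLAN 50  public wifi  10.0.50.0/24   SVI 10.0.50.1
!   VLAN 99  management   10.0.99.0/24   SVI 10.0.99.1
!   10.0.0.0/16 covers every internal VLAN
!
! ----- Catalyst sw-1: router ACLs on the SVIs -----
! An ACL applied "in" on an SVI filters what hosts in that VLAN send
! toward other VLANs or the ASA. Router ACLs are stateless: replies
! are only checked by whatever ACL sits on the SVI they come back in on.
!
! Public wifi: DHCP to the switch, then internet only (DNS is assumed external)
ip access-list extended VLAN50-IN
 permit udp any eq bootpc any eq bootps
 deny   ip 10.0.50.0 0.0.0.255 10.0.0.0 0.0.255.255
 permit ip 10.0.50.0 0.0.0.255 any
!
! Clients: RDP (and DNS, if it lives on the servers) to VLAN 10,
! nothing else internal, internet allowed. "log" on the deny is optional
! and is software-switched, so keep it off busy VLANs.
ip access-list extended VLAN20-IN
 permit udp any eq bootpc any eq bootps
 permit tcp 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255 eq 3389
 permit udp 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255 eq domain
 deny   ip 10.0.20.0 0.0.0.255 10.0.0.0 0.0.255.255
 permit ip 10.0.20.0 0.0.0.255 any
!
! Management VLAN: applied "out" on Vlan99, so it filters what is routed
! INTO the VLAN. Only the management server may initiate; the
! "established" line lets replies back to devices in VLAN 99 that
! reached out themselves (syslog, NTP, ...).
ip access-list extended VLAN99-OUT
 permit ip host 10.0.10.5 10.0.99.0 0.0.0.255
 permit tcp any 10.0.99.0 0.0.0.255 established
 deny   ip any any
!
interface Vlan50
 ip address 10.0.50.1 255.255.255.0
 ip access-group VLAN50-IN in
!
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
 ip access-group VLAN20-IN in
!
interface Vlan99
 ip address 10.0.99.1 255.255.255.0
 ip access-group VLAN99-OUT out
!
! ----- ASA 5505: only VLAN 50 may go out to the internet -----
! The ASA only ever sees traffic the switch has already routed to it, so
! it can decide who reaches the outside, not who talks to whom internally.
! ASA ACLs use subnet masks, not the wildcard masks used on IOS.
access-list INSIDE-IN extended permit ip 10.0.50.0 255.255.255.0 any
access-list INSIDE-IN extended deny ip any any log
access-group INSIDE-IN in interface inside
```

The ASA also needs a static route for 10.0.0.0/16 pointing at the switch's routed-port address, otherwise replies from the internet never reach the VLANs; that route is not shown here because the routed-port addressing is not in the thread. The warning in the answer above about administrative burden is real: every new "VLAN A may reach service B" rule means editing the ACL on the originating SVI, so keep one named ACL per SVI and a comment line (`remark`) per rule so the intent stays readable.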
You can apply ACLs directly on the ports using port-based ACLs.
As you have designed a DMZ, put all the servers in VLAN 10 and move that VLAN behind the ASA, so everyone who wants to access the servers has to pass through the ASA, and there you can control access to the servers.
As far as wireless clients are concerned, if you have a large number of wireless clients, introduce a proxy server in the DMZ and control access to the internet via the proxy server.
If your management VLAN is for management of networking components, then it would be better to apply an ACL on the vty or console lines.
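As an added example (not configuration posted in the thread), the two mechanisms this answer mentions that the SVI approach does not cover: restricting who may log in to the switch itself, and a port-based ACL on a Layer 2 access port. The management subnet 10.0.99.0/24, the interface GigabitEthernet1/0/10 and the `admin` account are assumed for illustration. Note that `access-class` only applies to vty lines; the console has no IP address, so it is protected by physical access and a login instead.

```cisco
! Added example; hypothetical values, not from the thread:
!   management VLAN 99 = 10.0.99.0/24, public wifi VLAN 50,
!   AP connected on GigabitEthernet1/0/10 as an access port
!
! ----- Who may open a session to the switch -----
! A vty access-class is checked before authentication, so hosts outside
! the management VLAN never even reach the login prompt.
ip access-list standard MGMT-ACCESS
 permit 10.0.99.0 0.0.0.255
 deny   any log
!
username admin privilege 15 secret ChangeThisBeforeUse
ip ssh version 2
!
line vty 0 15
 access-class MGMT-ACCESS in
 transport input ssh
 login local
 exec-timeout 10 0
!
line con 0
 login local
 exec-timeout 10 0
!
! ----- Port ACL on the AP's access port -----
! Port ACLs are supported inbound only on Layer 2 ports and are checked
! before the packet is bridged, so they can stop a host from reaching
! another device in the SAME VLAN, which an SVI ACL cannot do.
! Here: let the AP's clients get DHCP, keep them away from the
! management subnet, and pass everything else up to the SVI policy.
ip access-list extended AP-PORT-IN
 permit udp any eq bootpc any eq bootps
 deny   ip any 10.0.99.0 0.0.0.255
 permit ip any any
!
interface GigabitEthernet1/0/10
 description AP1252 - public wifi
 switchport mode access
 switchport access vlan 50
 ip access-group AP-PORT-IN in
```

Apply the vty ACL from a session that originates inside the permitted range, or from the console, so you do not lock yourself out; the `deny any log` line will show the address of anything that was relying on the old open access.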
Why are you using EIGRP 10 in the diagram?
Thanks for your answers.
I think I will look more into ACLs and setting them in the switches.
I would prefer to manage access lists in a GUI, but that seems difficult...
The EIGRP is for routing between the L3 switch and the router... a bit overkill maybe..