Can anyone please explain how we configure our L3 switch and firewall in the following scenario.
1- We want to configure our VLANs on the L3 switch and would also want to use the firewall to restrict incoming traffic to our network, as we have a lot of virtual machines.
2- The second concern is to not allow any inter-VLAN routing through the L3 switch; if needed, I guess we can achieve this using policy-based routing?
3- In which mode will the firewall be operating? We don't want to use transparent mode because it doesn't allow IPsec VPNs. Any suggestions?
4- We have our IP range which will be routed from our network provider to one of our internal network devices, which in this case will be either the L3 switch or the firewall. Which one will be better to use in this case? And if we route our IP range to the firewall, then how will the routing work between the VLANs on the L3 switch and the firewall?
5- We have a 5525 ASA which has 1GB throughput and can handle up to half a million established sessions. I heard that the throughput won't help if a hacker tries a SYN flood attack to create hundreds of thousands of connections and take the network down. Is this right?
Network Provider (ISP)
        |
L2 Switch (being used for expansion)
        |
Firewall (ASA 5525)
        |
L3 Switch (3750)
        |
Virtual Machines (Hosts)
My apologies in advance if I have asked a stupid question above, as I don't have enough experience. :)
How many VLANs are you going to be hosting on those switches? If you wish to firewall off inter-VLAN communication, then what you can do is take the 3750 and use it as a layer 2 device and put the gateways onto the ASA firewalls. You can create sub-interfaces under one physical interface (a sub-interface per VLAN) or you can split this over more (I believe the 5525s come with 4x 1GE copper interfaces???). In this situation the firewall would have to be in routed mode.
The concern is valid. Since this is public facing, any attacker externally, or a compromised machine internally in your network, could generate a large connection attack and eat up the state table of the ASA. This concern applies to any appliance or server.
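The design described in the two replies above (3750 as a pure layer 2 switch, one ASA sub-interface per VLAN in routed mode so all inter-VLAN traffic is filtered by the firewall, and a cap on half-open connections so a SYN flood cannot fill the state table), written out as example configuration. It is added here and is not from either poster; the VLAN IDs, addresses, interface numbers and the TCP/3306 rule are assumed values for illustration.

```cisco
! --- Catalyst 3750: layer 2 only (no SVIs, no routing), trunk the VLANs to the ASA (assumed values)
no ip routing
vlan 10
 name VM-WEB
vlan 20
 name VM-DB
interface GigabitEthernet1/0/1
 description Trunk to ASA Gi0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
interface GigabitEthernet1/0/2
 description VM host in VLAN 10
 switchport mode access
 switchport access vlan 10

! --- ASA 5525 (routed mode): the VLAN gateways live here, one sub-interface per VLAN
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/1.10
 vlan 10
 nameif vm-web
 security-level 50
 ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet0/1.20
 vlan 20
 nameif vm-db
 security-level 50
 ip address 10.10.20.1 255.255.255.0
! Inter-VLAN traffic can only cross the ASA, so the interface ACL decides what is allowed:
! VLAN 10 may reach VLAN 20 only on TCP/3306, everything else between the VLANs is dropped
same-security-traffic permit inter-interface
access-list vm-web_in extended permit tcp 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0 eq 3306
access-list vm-web_in extended deny ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list vm-web_in extended permit ip 10.10.10.0 255.255.255.0 any
access-group vm-web_in in interface vm-web
! Embryonic (half-open) connection limits: TCP intercept answers the SYNs so a flood
! of never-completed handshakes cannot exhaust the ASA state table or the VM hosts
access-list vm-public extended permit tcp any 10.10.10.0 255.255.255.0
class-map vm-servers
 match access-list vm-public
policy-map global_policy
 class vm-servers
  set connection embryonic-conn-max 2000 per-client-embryonic-max 50
```

With the provider routing the public range to the ASA outside interface, the ASA is the single next hop for every VLAN, which answers question 4: the 3750 holds no gateways and needs no routes at all.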