We have a few labs moving into our office, and I am planning to set up a dedicated lab gateway device (switch), and would want to firewall the lab subnets from the production traffic. I have attached a snapshot of two scenarios for your reference.
Scenario 1 - This is quite a common setup I have seen implemented in my company where the FWs directly connect to the production core switches, and the L3 VLANs are defined on the FWs. The dedicated lab switches are only used for physical uplinks from each of the respective lab devices.
Scenario 2 - This is something I am trying to propose. My whole intention is to move the connection and dependency away from the core switches. I want the FWs to directly connect to the lab switches, and have the respective zones defined.
Could you please let me know if Scenario 2 would be feasible and a desirable setup? Also, please help me understand the pros and cons of both scenarios.
Apologies for posting in the "Switching" thread as I could not find any design related thread.
Appreciate your guidance here.
It's difficult to comment because it is not clear what path the traffic from a lab VLAN takes, e.g. in solution 1 does the traffic go directly to the firewall or does it go via the core switch, etc.
Some IP addressing would be useful.
The lab segments are in the 10.1.0.0/22 IP segment. There are WAN routers upstream of the core switches which connect to MPLS circuits, and also an Internet circuit. Lab segments would need access to Corporate (Internal) segments via the MPLS circuits, and would also need access to Internet via the ISP circuit.
Traffic flow for Scenario 1 - Lab segments -> Core switch (Layer 2) -> FWs (default gateway) -> Core switch -> MPLS or Internet
Traffic flow for Scenario 2 - Lab segments -> Lab gateway (default gateway) -> FWs -> Lab GW -> Core switch -> MPLS or Internet
Hope this helps.
Thanks for the details.
I would not consider solution 1 because you are extending L2 from your lab to the core switches, which is not a sensible thing to do and is probably why you feel uncomfortable with it.
Solution 2 is a lot better because you now have L3 isolation between your lab VLANs and your production VLANs, so a lot safer in my opinion.
One question though, why do you make the default gateway for the lab VLANs the L3 switches and not just the firewalls?
Thanks Jon. I thought of having the L3 VLANs defined on the switch for scalability purposes. Also, in terms of performance, wouldn't it be a good idea to have the switches as the default gateway?
Yes, that makes sense if you are going to be moving a lot of traffic in and out of the lab environment.
As long as there is a defined L3 boundary between your lab and your production environment you should be fine.
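One way to implement the Scenario 2 flow (lab SVIs on the lab gateway, firewall in the path, then on to the core) while keeping the L3 boundary Jon describes enforceable is to put the lab side and the core-facing side of the lab gateway into separate VRFs, so the only route from a lab VLAN to the core runs through the firewall. This is an added Cisco IOS example written for this thread, not configuration from the original posts; the interface numbers, VLAN IDs and the /30 transit subnets are assumptions, and only 10.1.0.0/22 comes from the thread.

```cisco
! Added example: Scenario 2 lab gateway switch (Cisco IOS syntax).
! Assumed values: VLAN 10, Gi1/0/47-48, Te1/1/1, 192.0.2.x and 198.51.100.x transits.
! VRF LAB     = lab SVIs + link to the firewall inside zone
! VRF TRANSIT = link from the firewall outside zone + uplink to the core
! With two VRFs there is no single routing table in which a lab VLAN and the
! core uplink can see each other, so the firewall cannot be bypassed.
vrf definition LAB
 address-family ipv4
 exit-address-family
vrf definition TRANSIT
 address-family ipv4
 exit-address-family
!
! Lab VLAN carved out of 10.1.0.0/22 (default gateway lives on the switch)
interface Vlan10
 description LAB-A
 vrf forwarding LAB
 ip address 10.1.0.1 255.255.255.0
!
! Routed link to the firewall inside interface (assumed 192.0.2.0/30)
interface GigabitEthernet1/0/47
 description FW-INSIDE
 no switchport
 vrf forwarding LAB
 ip address 192.0.2.1 255.255.255.252
!
! Routed link from the firewall outside interface (assumed 192.0.2.4/30)
interface GigabitEthernet1/0/48
 description FW-OUTSIDE
 no switchport
 vrf forwarding TRANSIT
 ip address 192.0.2.5 255.255.255.252
!
! Uplink to the production core (assumed 198.51.100.0/30)
interface TenGigabitEthernet1/1/1
 description CORE-UPLINK
 no switchport
 vrf forwarding TRANSIT
 ip address 198.51.100.1 255.255.255.252
!
! Lab side: all off-lab traffic is handed to the firewall.
! Transit side: whatever the firewall permits is forwarded to the core.
ip route vrf LAB 0.0.0.0 0.0.0.0 192.0.2.2
ip route vrf TRANSIT 0.0.0.0 0.0.0.0 198.51.100.2
! The firewall needs 10.1.0.0/22 via 192.0.2.1 and a default via 192.0.2.5;
! the core needs 10.1.0.0/22 via 198.51.100.1 (static or via the IGP).
```

If the lab gateway were left with a single routing table, a lab VLAN and the core uplink would be directly connected in the same table and return traffic could skip the firewall, which is exactly the L3 boundary this design is meant to guarantee.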