Beginner

Lab Setup

Hi,

We have a few labs moving into our office, and I am planning to set up a dedicated Lab gateway device (Switch), and would want to firewall the lab subnets from the production traffic. I have attached a snapshot of two scenarios for your reference.

Scenario 1 - This is a quite common setup I have seen implemented in my company where the FWs directly connect to the production core switches, and the L3 VLANs are defined on the FWs. The dedicated Lab switches are only used for physical uplinks from each of the respective lab devices.

Scenario 2 - This is something I am trying to propose. My whole intention is to move the connection and dependency away from the core switches. I want the FWs to directly connect to the Lab switches, and have the respective zones defined.

Could you please let me know if Scenario 2 would be feasible and a desirable setup? Also, please help me understand the pros and cons of both scenarios.

Apologies for posting in the "Switching" thread as I could not find any design-related thread.

Appreciate your guidance here.

Cheers

Mikey

Hall of Fame Guru

Re: Lab Setup

It's difficult to comment because it is not clear what path the traffic from a lab VLAN takes, e.g. in solution 1 does the traffic go directly to the firewall or does it go via the core switch, etc.

Some IP addressing would be useful.

Jon

Beginner

Re: Lab Setup

Hi Jon,

The lab segments are in the 10.1.0.0/22 IP segment. There are WAN routers upstream of the core switches which connect to MPLS circuits, and also an Internet circuit. Lab segments would need access to Corporate (Internal) segments via the MPLS circuits, and would also need access to the Internet via the ISP circuit.

Traffic flow for Scenario 1 - Lab segments -> Core switch (Layer 2) -> FWs (Default gateway) -> Core switch -> MPLS or Internet

Traffic flow for Scenario 2 - Lab segments -> Lab gateway (Default gateway) -> FWs -> Lab GW -> Core switch -> MPLS or Internet

Hope this helps.

Cheers

Mikey

Hall of Fame Guru

Re: Lab Setup

Thanks for the details.

I would not consider solution 1 because you are extending L2 from your lab to the core switches, which is not a sensible thing to do and probably why you feel uncomfortable with it.

Solution 2 is a lot better because you now have L3 isolation between your lab VLANs and your production VLANs, so a lot safer in my opinion.

One question though: why do you make the default gateway for the lab VLANs the L3 switches and not just the firewalls?

Jon

Beginner

Re: Lab Setup

Thanks Jon. I thought of having the L3 VLANs defined on the switch for scalability purposes. Also, in terms of performance, wouldn't it be a good idea to have the switches as the default gateway?

Cheers

Mikey

Hall of Fame Guru

Re: Lab Setup

Yes, that makes sense if you are going to be moving a lot of traffic in and out of the lab environment.

As long as there is a defined L3 boundary between your lab and your production environment you should be fine.

Jon

Beginner

Re: Lab Setup

Thank you for your feedback, Jon. Much appreciated!!

Cheers

Mikey
