I have a question around a configuration that I wanted to throw out there and get some feedback on what I should do to satisfy this requirement.
The requirement is to securely isolate traffic between our traditional office network and our R&D network. These networks share the same physical hardware, and consist of multiple class c networks. An internally facing DMZ will be placed between the Office and R&D network to reach shared network services from both sides. We had a breach, where a user introduced a virus in our R&D network that propagated to our office network.
In this scenario the desired result would allow the R&D network to freely communicate with other R&D networks without going through a firewall, and the same goes for the Office network. However, when a device from the R&D Network tries to go to a network belonging to 10.0.1-49.X it is sent to the DMZ first. The DMZ then determines if it will drop or route the traffic based on rules. The same thing goes for office traffic trying to directly reach R&D.
Office Network (10.0.1-49.X)
10.0.10.0 /24 – Accounting
10.0.11.0 /24 – HR
10.0.12.0 /24 – Purchasing
10.0.49.0 /24 - IT
R & D Network (10.0.50-99.X)
10.0.50.0 /24 – R&D Lab
10.0.51.0 /24 – R&D Engineering
10.0.52.0 /24 – R&D QA
10.0.99.0 /24 – R&D Widgets
10.0.100.0 /24 – DMZ IP = 10.0.100.254
Cisco 6504 - Campus
3750X-48-TL Access Switches
5520 ASA Firewall
I have been thinking of trying VRFs, but not real familiar with it. Something like: vrf for office network; vrf for R&D, and vrf for DMZ. Could someone please provide some examples or propose a better solution to satisfy this requirement?
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
VRF can be use to create multiple L3 networks on the same hardware (sort of the L3 version of L2 VLANs).
NB: Actually I had worked at a large enterprise that used VRF for something almost identical, isolation of developer subnets from corporate subnets across a campus (also used VRF for guest Internet too).
We later also found VRF a nice way to merge an acquired company network into our network. We would run prior company's networks as one VRF and the to-be-migrated-to corporate network as another VRF on same hardware.