cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1002
Views
15
Helpful
9
Replies

Network Design

grochowskir
Level 1
Level 1

Hi,

 

I have a question about a network design to accomodate for both our employees and external guests. We are considering a wireless solution (not Cisco), and would like to set up two SSIDs on all of our APs:

-Employee ---> PEAP; access to internal resources --> VLAN 10

-Guest --> unsecured, open wifi --> VLAN 20 (http, https, DNS allowed only)

My understanding is that i will need to allow both vlans on all links leading to each AP via trunk. This isn't a problem.

My concern is that our Guest Vlan is fully isolated from our LAN resources and came up with a tentative design (see attached). I am looking at some guidance here as to whether i am on the right track here? To be honest, i dislike the fact that I am bridging the LAN directly with the DMZ without the firewall in between and only VLAN isolation with ACLs. Also, the use of PVLANs isn't supported by our access layer switches (Cisco 2960S).

Based on the attached design:

VLAN 20 within the DMZ is isolated from other DMZ networks via ACLs. 

The way the traffic for Wifi guest would flow is as follows:

AP--> Access Layer Switch --> Core switch --> DMZ switch --> Firewall --> Internet

Would it be more beneficial to connect to the firewall directly for Guest Wifi traffic:

AP --> Access Layer Switch --> Core switch --> Firewall --> Internet

Any advice is greatly appreciated.

Thank you.

9 Replies 9

Jon Marshall
Hall of Fame
Hall of Fame

That design looks familiar :-)

Basically you only want to get to or from the DMZ via the firewall and not direct from inside so your concerns are valid.

One thing I am not clear on though.

You say if you connect vlan 20 to the DMZ switch you need acls to control traffic but that DMZ switch shouldn't have any SVIs on it ie. all the L3 interfaces for the DMZ vlans should be on the firewall and not on the switch.

Can you clarify what you mean ?

Jon

Hi Jon,

Good to hear from you old friend. So just to clarify, currently there is a VLAN that connects the firewall (Sonicwall) to the DMZ switch (3750x). Lets call it VLAN 50. The DMZ switch contains several more SVI's on it - one of them being the wireless Guest VLAN 20. Also, the switch runs the DHCP server for this wireless Guest VLAN 20 as well. There is als an ACL that restricts traffic from VLAN 20 to any other VLANs present on this DMZ switch and only allows for connectivity out to the Internet. Only a handful of ports are opened ie, http, https, dns.

As a side note, we currently have Cisco wireless controllers in place -foreign (lan)/anchor (dmz) with EoIP in between from LAN to DMZ. Moreover, we are looking to get rid of this solution and go all controller-less.

Yes, this could've been done differently. I could have created all of the SVIs on the firewall for the DMZ zone, however, since it is a Sonicwall, i wasn't getting consistent results (especially during firewall failovers active/passive). If this was a Cisco ASA, I would select this path.

Does this help you Jon?

As always, thank you very much for your valuable input!

Okay two separate things.

1) having the DMZ vlans (not vlan 20) routed on the switch is not a good idea but you have already said it is because of the firewall so I know you understand that.

Just had to point it out :-)

2) even more so than before I would try if possible not to have vlan 20 also routed on the DMZ switch because that vlan exists on the inside of your network.

Personally I would try to connect the core switch direct to an interface or subinterface on the firewall for vlan 20.

If you had a spare firewall interface you could run extra links from the core switches to the WAN stack to the firewall.

If you don't have extra links you could make the existing links to the WAN stack trunks and pass both vlan 10 and 20 to the firewall but then obviously you would need subinterfaces on the firewall to terminate both vlans.

This would also bring up the issue of DHCP ie. can your firewall do DHCP for the guest vlan ?

Jon

 

Yes, I was thinking of this path as well, however, I just couldn't get passed the different between the two:

Core switch --> DMZ switch --> firewall --> internet

Core switch --> firewall --> Internet

I was thinking that ultimately you end up connecting to the firewall anyways and that in my scenario it would be cleaner to connect to the DMZ switch from the Core directly since all of my DMZ networks are present there already. 

However, I do see your point. Even though in both scenarios the guest vlan co-exists with my lan production vlans (on the access layer and core layer), connecting VLAN 20 to the firewall directly makes more sense. You are not bridging your LAN directly with the DMZ zone. There is also less of a chance of misconfiguration on the DMZ switch where DMZ traffic would be allowed to the LAN and vice versa.

Thank you so much for your prompt response! I do appreciate your valuable input. 

ooops..one more thing I need to verify, i assume that i need to create ACLs forbidding access to LAN vlans on access layer switches and core switches? Currently this ACL exists on the DMZ switch because of an earlier mentioned design.

Thank you again.

 

Not sure I follow.

Do you mean acls on the DMZ switch ?

If the L3 interface for the guest vlan is on the firewall then you don't need any additional acls because the firewall controls the access.

Is this what you meant ?

Also just to mention again if you do terminate the guest vlan on the firewall then it has to be able to do DHCP for the clients.

Jon

Since the vlan would now exist on the access layer and core layer switches and not on the DMZ switch, I was thinking adding an extra layer of security and apply similar ACLs (as on the no longer used DMZ switch at that point) and apply them as close to the edge as possible. However, i guess i might be just too paranoid and simply might simply be overcomplicating things at that point.

I am aware of the fact that vlans are isolated broadcast domains and that one vlan can't talk to the other vlan without some sort of a L3 component, however, I need to ensure that I do follow the best standard here and that our LAN is completely secure from the public wireless guest traffic. 

Also, yes, the firewall is capable of assigning DHCP.

 

Thank  you.

I'm not sure where you would apply the acls unless you mean to existing internal SVIs but I don't think this gives you anything.

At L2 vlans keep everything separate.

At L3 VRFs are useful but your guest vlan doesn't have a L3 SVI because the point of control is the firewall interface.

So any traffic to and from the guest vlan has to go via the firewall and this is where you would stop any guest to other internal vlan traffic and allow only internet traffic.

What you are in effect doing is creating a separate DMZ for your guest vlan, the only difference being the end users are connected to your internal infrastructure.

I'm not sure what else you could do.

Jon

Jon, thank you for your help and your time. This really helps a lot!

Review Cisco Networking for a $25 gift card