Physical Connections

desmond.s · ‎04-12-2012

I have a design attached.

My question is if I do not want to purchase any additional switches can I connect the devices to the 6509 and put them in their own separate vlans?

I am a little fuzzy about the physical connections needed to make this design work as it is, any help is appreciated.

Thank you.

danbowencisco · ‎04-12-2012

Hi Desmond,

So are you talking about having each FW and router in its own VLAN?

Normally you would have a VLAN for the outside DMZ, a VLAN for the inside DMZ, then an external VLAN for the routers and multiple internal VLANs.

If you connect the network as you have physically detailed, not all VLANs will be on the switch.

Normally, all devices would be connected to the switch and then your routing would take care of traffic flows.

If you can be a little more specific about what you want to achieve, I can help you put together a design.

Thanks,

Dan

desmond.s · ‎04-12-2012

Daniel thanks for the response.

The vlans on the document needed to be moved up one level to show how I want to segment everything. I know I can purchase additional switches to make this happen but I wanted to try and accomplish this without spending any additional funds.

Thank you.

desmond.s · ‎04-12-2012

Daniel

For clarity 6 physical connections to 6509.

HSRP 2951

HSRP Cisco FW

HSRP Checkpoint

Are there any physical connections from the checkpoint directly to the Cisco Fw and from the Cisco Fw to the 2951 as designed?

danbowencisco · ‎04-12-2012

there doesnt have to be, no. You can logically seperate these devices without the need to physically seperate.

desmond.s · ‎04-12-2012

Dan

Thank you!

You have been a great help!

Like I said I was fuzzy about how to connect the devices and you have cleared that up in a matter of minutes.

I hope this site continues to have great resources such as yourself to assist myself and others with issues that have us up at night scratching our heads....

danbowencisco · ‎04-12-2012

you will also need your routers and FW's all directly connected to your switch for VRRP/HSRP to work (if that is how you will configure them).

Dan

danbowencisco · ‎04-12-2012

Would it not suit your needs if you directly connected all devices to the 6509 and then VLAN'ed them off there? For example, as long as each of your required networks sit in their own dedicated VLANs, you have no need to purchase any additional switches.

I would have your 6509 as the only switch, then an inside DMZ VLAN, an outside DMZ VLAN, an OUTSIDE VLAN (WAN), management, internal networks etc. Then by configuring your routing correctly, traffic passing through the network layers would be firewalled as you would like.

Basicially you are segregating it logically instead of physically.

Dan

PS - feel free to ask me if I havent explained anything too well.

desmond.s · ‎04-12-2012

Daniel

For Clarity, 6 physical connections to the 6509.

HSRP 2951 connections

HSRP Cisco FW connections

HSRP Checkpoint connections

Logically Vlan everything and no physical connections from one device to another.

danbowencisco · ‎04-12-2012

yeah. If you want to run HSRP and VRRP you will have to connect them to the switch so that the hello traffic can be sent to the other host.

Dan

PS - any other questions, drop me a line at danbowen@email.com

Dan