05-24-2012 04:48 AM - edited 03-07-2019 06:52 AM
Hi Everybody.
I have a question regarding the best practice design for my firewall and routing design. I need to create 30 new VLANs that need to be filtered in the firewall. So the traffic should pass through the firewall. These 30 new VLANs will have their own subnets (/24). My question regarding the design: Should I create the VLANs on the router or as sub interfaces on the firewall? If I create the new VLANs as layer 3 on the router the clients will be connected as "directly connected" and that means that the traffic will only go through the router. Can I solve this by doing static IP routes that point to the firewall IP on the router or will that be overruled by the "directly connected" status?
Drawing attached.
ASA5550 model
05-24-2012 05:37 AM
Looks like you answered your question... create the subinterfaces on the firewall and they will all be filtered from each other... the pain will be the access list rules... good luck
05-24-2012 05:44 AM
Definitely create subinterfaces on the FW. That should be simple and secure. Try and move as much L3 security to the FW. Let the router just route packets. Don't burden the poor thing. Also, you said 30 VLANs. That would be a lot of traffic then. Make sure you select the right HW (router, switch) etc. The FW 5550 is a good one.
05-24-2012 05:56 AM
Thanks for the reply. So basically you are telling me that this is best practice: Create 30 VLANs/subinterfaces spread over two physical interfaces on the ASA with 30 access-groups/lists. Create two trunk interfaces on the router (layer 2) and route the specific traffic to the firewall. Do I need to assign IP addresses to the router for the specific subnets?
05-24-2012 06:01 AM
Trunk is correct, but you will need at least one subnet that is the same on the router and the firewall... this will allow you to route to the other subnets configured on the firewall...
05-24-2012 06:06 AM
Will that mean that I need to assign 30 different IP addresses on the router if I make 30 subnets for the 30 VLANs?
05-24-2012 09:04 AM
No, just one... one with the highest security level... then on the router, route the other sub interfaces defined on the firewall to the interface connected on the firewall to the router... I know it sounds confusing...
05-24-2012 01:39 PM
Thanks for the reply. Can I solve this by creating a /30 subnet for routing reasons between the router and firewall? But what about if I want to use two physical interfaces with 15 VLANs each. Do I need to create two IPs on the router?
05-24-2012 02:00 PM
Yeah, you can create a /30... on the second, that is a good question... I haven't tried that before but I would think you would route to a particular interface where the sub interfaces are on... so yeah, two IPs on the router will have to be configured... this is kind of unique... let me know how it works out...
05-25-2012 12:44 AM
I think I can solve this by creating two /30 subnets, one for each physical interface.
On the firewall
Interface1: Subinterfaces/VLAN 1 to 15 (all VLANs have their own /24 subnet) - VLAN 31 with a /30 subnet with the highest security level. VLAN 31 is created to communicate with VLAN 1 to 15 from the router.
Interface2: Subinterfaces/VLAN 15 to 30 (all VLANs have their own /24 subnet) - VLAN 32 with a /30 subnet with the highest security level. VLAN 32 is created to communicate with VLAN 15 to 30 from the router.
I hope this will work :-)
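An added configuration sketch of the two-/30 design described above, not taken from the thread or from any poster: one ASA subinterface per client VLAN, the /30 link VLAN at the top security level, and the matching router side with static routes toward the ASA. Interface names, addresses and the use of VLAN 2 to stand in for VLANs 1 to 15 are constructed assumptions.

```text
! --- ASA 5550 side (constructed example; names and addresses are assumptions) ---
interface GigabitEthernet0/0
 no shutdown
!
! Link VLAN to the router: /30, highest security level, no clients on it
interface GigabitEthernet0/0.31
 vlan 31
 nameif link31
 security-level 100
 ip address 10.0.31.2 255.255.255.252
!
! One client VLAN (VLAN 2 stands in for VLANs 1-15). The ASA address is the
! clients' default gateway, so the router never holds this subnet as
! "directly connected" and its static route toward the ASA is what wins.
interface GigabitEthernet0/0.2
 vlan 2
 nameif vlan2
 security-level 50
 ip address 10.0.2.1 255.255.255.0
!
! Anything the ASA does not own is reached through the router on the link VLAN
route link31 0.0.0.0 0.0.0.0 10.0.31.1 1
!
! Per-VLAN filtering: one ACL applied inbound on each client subinterface
! (this sample allows only HTTPS out of VLAN 2 and drops everything else)
access-list VLAN2_IN extended permit tcp 10.0.2.0 255.255.255.0 any eq 443
access-list VLAN2_IN extended deny ip any any
access-group VLAN2_IN in interface vlan2
!
! --- Router side: layer 3 only on the /30, client /24s are static routes ---
interface GigabitEthernet0/1
 no shutdown
!
interface GigabitEthernet0/1.31
 encapsulation dot1Q 31
 ip address 10.0.31.1 255.255.255.252
!
ip route 10.0.2.0 255.255.255.0 10.0.31.2
```

The second physical interface repeats the same pattern with VLAN 32 and its own /30, and the router then carries one static route per client /24 pointing at the ASA address on whichever /30 serves that interface.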
05-25-2012 04:24 AM
Please see the attached drawing. Can I get some response to that one? Will the traffic flow be like that?