So, now I have been tasked with combining two networks into a single network infrastructure.
The overriding factors are security, neither networks can see each other at all.
Current equipment is a handful of 3560,3750, but mostly 2960s.
We are running the 3560 and 3750s as our cores/distribution switches. The 2960s are access switches.
We have a new 5525-x ASA. They are also going to buy 2 4500-x and 5 3650 switches. The 4500-x will replace the cores, and some of our access switches will be replaced by the 3650s.
I need to run them both on the same equipment, but neither networks can see each other. First off I was looking at VLANs but I don't think this will resolve my dilemma. As well both networks will attach to the same ASA, if that wasn't already obvious.
So, Internet-------100MB---- ASA -------1GB----- Core 1-----10GB-----Core2----10GB----Core3
Off of each core are several 2960s @ 1GB speed, however some will get 10GB.
I'm pretty sure VRF is the way to go but being "VERY" limited to VRFs I am looking for some input.
Currently both networks are up and running, on separate equipment so moving each building a building at a time won't be an issue.
Any help would and will be greatly appreciated.
So, once again I'm seeking some help from the community..
We are trying to combine a production network and a welfare network. The welfare network is basically a free for all when it comes to surfing. We have untangle on the edge but for the most part it's anything goes.
What we are trying to do is utilize the ASA with SourceFire to assist with preventing unacceptable content being download, the ususal stuff when you give people access to an unrestricted network :)
Currently the Welfare network runs on 2960 switches, with a 4006 core/distribution switch.
The production network looks like the image I've attached. All the access switches are 2960's and the Core/Distribution switches are either 3560,3750, or recently a 3850 for the main Core switch. The one that physically attaches to the ASA.
I've been researching how to do this the easiest way, but need a little advice. I am looking at VRFs for this.
I've tried to mock this up but we are slim on layer 3 switches to use and I must admit GNS3 is not my favourite thing to use. It's never really worked well for me and and I am far to busy in the production network to try and resolve all the issues with GNS3.
Now, we only have one connection currently from the Core (3850) to the ASA, I figure I add a second connection using layer 3 ip address. We currently use 10.3.0.10 as the ASA inside interface and 10.3.0.4 on the Core. I figure something like 10.4.0.1 (Core), and 10.4.0.2 (ASA) with a /30.
So, WIFI would be the new connection and Corp would be the old connection.
From what I can tell, below is how I would configure the 3850.
ip vrf WIFI
ip vrf CORP
inter vlan #
ip vrf forwarding "WIFI/CORP"
ip address x.x.x.x x.x.x.x (of the Vlan)
router ospf 1 vrf CORP
network x.x.x.x x.x.x.x area 0
router ospf 2 vrf WIFI
network x.x.x.x x.x.x.x area 0
I am wondering if this will work. Would there have to be some sort of configuration on the other two core/distribution switches?
The WIFI and Corp cannot see each other at all!!!
In regards to DHCP, DNS, and our new ISE server (This is going to be the captive portal page for WIFI for self registration), how to I go about allowing both Corp and WIFI use the same servers?
Any help would be greatly appreciated. I have posted about this before, unfortunately it seems I am a slow learning when it comes to VRFs.
VRFs ie. VRF-LIte is the way to go.
Make sure you get the right feature set on your L3 switches to be able to run it.
On the 4500 you need one VRF and you can leave the other network in the global routing table or if you want you can have two VRFs, up to you and either would work.
On the ASA if you have spare interfaces then use one per network, if you don't you can use subinterfaces on the ASA instead.
You could if you wanted use just the connection to the ASA for both and do route leaking but I think separating the traffic all the way to the ASA is probably a better way to do it.
Up to you though.
Jon and Reza,
Thank you for the quick reply. The ASA has 7 spare SFP connections. There is nothing to share between the networks other than the physical hardware for connectivity. Other than that we don't want them to have any visibility into each other.
Now on the VRF-Lite side of the world, any good documentation, examples I could use to read up on this. I have the basic concept down but I've never had to setup an VRFs before.
When it comes to the ASA, how does that work with VRF. Or will it separate it at the core prior to the ASA if I have multiple connections to the ASA?
It's quite an old configuration document but this should get you started -
bear in mind you don't need all the steps ie. really all you need is to define the VRF and then place each SVI into the correct VRF ie. you don't need import maps etc.
It's really pretty simple but by all means come back if you need help with it.
So, further to this, I grasp the VRF inside, but when it hits the ASA even on separate ports how does it distinguish between the interfaces. I have VPN clients that connect to the one network but there will be none on the other network. I guess you could simply call it a quest networks as everyone will get a captive portal page and be forced to register to access the internet.
Not sure I understand about distinguishing interfaces.
Each inside interface on the ASA will connect to the L3 switch and you place the new network port on the switch into the new VRF if you use a L3 port, otherwise place the SVI into the VRF.
The firewall then would have routes via the relevant interface to the subnets on the switch.
Sorry, missed the bit about the ASA.
Each VRF has it's own routing table so each network can have a separate default route.
So you can run two connections from the ASA to your L3 switch and place them into the correct VRFs and everything will be completely separate.
Note I keep saying VRFs but as I said before you only actually need one VRF and you can leave one of the networks in the global routing table ie. no VRF and they will still be completely separate.
It's really a matter of preference as to whether you do that or use two VRFs.
Like I say you could use just one connection to the ASA but then you would need to leak the default route between your VRFs and traffic for both networks would share the same link.
Would be interested to hear Reza's comments on that but I think it easier to use separate interfaces on the ASA because that means you have acls on the ASA per network ie. not mixed and you do not need to worry about route leaking.
Hi Jon / Stacey,
I agree, since the firewalls have extra available SFP ports, she should use one physical interface per VRF (no need to worry about sub-interfaces). Regarding 2 VRFs or one VRF and the global, I have seen customers using the global for management only and use VRFs for customers traffic, but either design will work fine.
So, VRF is the way to go but I would ask, is the Internet access the only resource these 2 networks are going to be sharing? How about inside resources i.e servers, storage, etc? Do these 2 networks need needs to access each other resources? Do each network have their own public IP segments?
If the answer is that Internet is the only resource to share, than using VRFs the design can be a lot simpler, if not it can get complicated.
Now that I think about it we are also getting a ISE server, it needs to be accessible by both networks, I will assume that changes how easy this will be.
That is exactly the reason I asked about sharing other resources beside Internet in my first post, because when you merge 2 organizations together, there is very good change that they need to start sharing resource. After all, they are both one organization after the merger. Now if you are going to have servers that need to be accessible to both orgs, you may need to put them in a separate subnet and share the subnet using VRF export/import at core.
Thanks for your information, I guess a better understanding of what I am trying to do would help. I will have a leg of the ISE server in both networks, so I will create a separate VRF for the ISE server, I will also create a DHCP server for the "guest" network. Do I really need an internal DNS server? The only item in the "guest" network that needs to be resolved would be the ISE server. All other site, connections are to the internet. There will be no intranet on that side (guest network).
What we are looking for is the ISE to authenticate users with a captive portal page, so they have to register their devices. Once that is done the will have basically full access to the internet (They will travel thru the ASA and SF DC for blocking of content that is offensive or illegal). Other then that they won't be scanned for AV or nothing. So if that side goes down because of a network outbreak it is not huge concern as long as it cannot get to the business network.
I agree with Reza, this complicates it a bit.
The issue with route leaking is that now you need the existing network to know the new subnets ie. have routes so traffic can be sent to the ISE server.
Or you could place the ISE into it's own VRF (which may be what Reza is suggesting) and then share that VRF between the existing network and the new VRF.
I don't think you will be able to use static routes in the VRF and global routing table because usually the next hop has to be beyond the L3 switch ie. not another interface on the same switch or at least it used to be like this, haven't done it in a while.
You really need to work out exactly what services are needed for the new network eg. in addition to ISE what about DHCP, DNS etc.
There may be a better solution depending on just what needs sharing between the networks or if it really is just an ISE server and nothing else it may be better to just have a separate ISE server for them.