Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1130
Views
0
Helpful
4
Replies

Expressway C&E recommended network configuration

JacobMunson
Level 1
Level 1

‎03-08-2016 03:06 PM - edited ‎03-19-2019 10:50 AM

Hello all, 

While reviewing so Expressway docs I started to question the way I have been connecting my C&E servers to a network. All of the documents that I have found reference a configuration with two firewalls. This would obviously be best practice however I am wondering what the recommended configuration would be if only one firewall is available. I prefer to use the dual nic option on the E and with that assumption I figure there are 2 options.

Option 1

Expressway E LAN2 in the DMZ

Expressway E LAN1 on the internal LAN

Expressway C on the internal LAN

Option 2

Expressway E LAN2 on the external internet

Expressway E LAN1 oin the DMZ

Expressway C on the internal LAN

I can see pros and cons to both configurations and would like to here thoughts from the community.

Thank you all 

Labels:
0 Helpful
4 Replies 4

Manish Gogna
Cisco Employee
Cisco Employee

‎03-08-2016 11:04 PM

Hi Jacob,

Please check the following post related to similar query

https://supportforums.cisco.com/discussion/12538411/expressway-e-single-nic-or-dual-nic

Manish

0 Helpful

JacobMunson
Level 1
Level 1
In response to Manish Gogna

‎03-09-2016 08:52 PM

That looks like a good thread however it looks like there solution is to spin up a second DMZ network of the firewall. If a customer simply has a single DMZ network giving them the internet, One DMZ, and there LAN as there networks what would be the recommended configuration?

0 Helpful

devils_advocate
Level 7
Level 7
In response to JacobMunson

‎03-10-2016 01:51 AM

The recommended configuration is two firewalls, where the Exp-E LAN1 interface is also in a DMZ and a firewall exists between this and the LAN1 interface of the Exp-C node. This is recommended as it is more secure, you have a TLS zone between them anyway but not having a FW doing port filtering is more of a risk than having one so it is recommended.

It will work with no FW between Exp-E LAN1 and Exp-C LAN1 but its obviously less secure.

What type of firewall do they have?

Some allow you to create virtual systems within a single physical firewall unit so you can have more than one DMZ and using Vlans, separate the traffic. Palo Alto is a good example of where you can achieve multiple DMZ's within a single firewall, they use the concept of a Vsys (i.e. a virtual firewall).

Thanks

0 Helpful

JacobMunson
Level 1
Level 1
In response to devils_advocate

‎03-10-2016 05:33 AM

I definitely agree that 2 DMZ's is the best practice configuration and also agree that 2 DMZ's can be accomplished with a dingle firewall however as a consultant there are times when I don't have access to a customers network and they are not willing to add an entire network simply for the deployment of expressway. So with this limitation and from what other are saying I am guessing my option 1 configuration would be preferred. 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents