10-26-2010 07:59 PM
Hello everyone who supports or uses this forum section on IronPort web security appliances!
I'm under the impression that this area is poorly addressed, but I still hope to get some help.
I'm researching all possible WSA deployment scenarios and came across two documents from Cisco. One is called "Community College Security Design Considerations"
http://www.cisco.com/en/US/docs/solutions/Enterprise/Education/CCVE/ccve_sba_security_design.pdf
and the other one is called "Cisco SAFE for Medium Enterprise Networks"
For me they have conflicting information related to connecting the WSA to a 3750 switch.
The first one says:
"WSA should connect directly to the Internet perimeter distribution switch using a VLAN that is different than the VLAN from where the client traffic is coming" and recommends that you "Configure the switch interfaces that are facing the downstream web clients, the WSA(s), and the web servers as Layer 3 interfaces (routed ports or switch virtual interfaces [SVIs])."
The second one gives a diagram where all three devices, the ASA, the WSA and the core switch, are located in one VLAN 101 (I believe this is one flat Layer 2 VLAN) and in the same L3 network, 10.125.32.0.
How should I understand this, and what is the correct way?
Thanks,
Eugene
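As an added illustration (not configuration from this thread or from either Cisco guide), the following Catalyst 3750 snippet shows what the first document's recommendation looks like in IOS: the downstream web clients, the WSA pair and the internal web servers each sit behind their own Layer 3 interface (SVI), with a routed port shown as the alternative. VLAN 101 and the 10.125.32.0 network are taken from the thread; every other VLAN number, IP address, interface name, the ASA and WSA addresses, and the WSA proxy listener port are assumptions made for the example. The access list is an added check rather than something the guides spell out: because clients and the WSA are on different L3 interfaces, the switch can ensure that client web traffic reaches the Internet only by way of the proxy.

```cisco
! Added example, not from the thread or the Cisco guides.
! VLAN 101 / 10.125.32.0 come from the thread; everything else is assumed.
ip routing
!
vlan 101
 name ASA-WSA-TRANSIT
vlan 110
 name WEB-CLIENTS
vlan 120
 name WEB-SERVERS
!
! SVI toward the ASA Internet perimeter and the WSA pair (VLAN 101).
! Assumed addresses: ASA inside 10.125.32.1, WSA-1 10.125.32.10, WSA-2 10.125.32.11
interface Vlan101
 description ASA perimeter and WSA pair
 ip address 10.125.32.2 255.255.255.0
!
! SVI for the downstream web clients: a different VLAN and subnet from the WSA.
interface Vlan110
 description Downstream web clients
 ip address 10.125.110.1 255.255.255.0
 ip access-group CLIENTS-IN in
!
! SVI for the internal web servers.
interface Vlan120
 description Internal web servers
 ip address 10.125.120.1 255.255.255.0
!
! Alternative to the SVI: connect a WSA on a routed port instead
! (assumed interface and point-to-point addressing).
interface GigabitEthernet1/0/1
 description WSA-1 P1 on a routed port
 no switchport
 ip address 10.125.33.1 255.255.255.252
!
! Access ports for the client VLAN (assumed interfaces).
interface range GigabitEthernet1/0/10 - 20
 description Web clients
 switchport mode access
 switchport access vlan 110
!
! Added check: clients may talk to the WSA proxy listener (assumed port 3128)
! and to the internal web servers, but not directly to web ports elsewhere,
! so the only path to the Internet for HTTP/HTTPS is through the WSA.
ip access-list extended CLIENTS-IN
 permit tcp 10.125.110.0 0.0.0.255 host 10.125.32.10 eq 3128
 permit tcp 10.125.110.0 0.0.0.255 host 10.125.32.11 eq 3128
 permit tcp 10.125.110.0 0.0.0.255 10.125.120.0 0.0.0.255 eq www
 permit tcp 10.125.110.0 0.0.0.255 10.125.120.0 0.0.0.255 eq 443
 deny   tcp 10.125.110.0 0.0.0.255 any eq www
 deny   tcp 10.125.110.0 0.0.0.255 any eq 443
 permit ip 10.125.110.0 0.0.0.255 any
!
! Default route to the ASA (assumed inside address).
ip route 0.0.0.0 0.0.0.0 10.125.32.1
```

With this layout the second document's flat VLAN 101 is still honoured for the ASA and WSA themselves; what the first document adds is that the clients are not in that VLAN, so the switch, not the clients, decides which hosts can reach the perimeter on web ports. Whether the WSA is deployed in explicit-forward mode (clients configured to use the proxy) or transparently (traffic redirected to it) changes the exact ACL, so the entries above should be adapted to the chosen mode.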
10-27-2010 04:13 PM
Hello,
"I'm researching on WSA all possible deployment scenario".
The two documents you referenced show you two possible scenarios.
Both are correct.
One applies to the Medium Enterprise Design Profile.
The other applies to main campus and one or more remote smaller campuses interconnected over a metro Ethernet or managed WAN service. Each of these campuses may contain one or more buildings of varying sizes.
Having said that, you can always provide feedback to the document authors using the feedback tool at the bottom of the Cisco web document page,
"http://tools.cisco.com/cdc/feedbk/public/FeedbackAction.cdcfdb", and provide the document URL as you have done through this forum, so the authors can be notified of your concern.
I hope this helps you.
Regards,
Eric
10-27-2010 04:21 PM
Great and rather polite reply
Thanks anyway, Eric.
My primary intent was not about finding faults with Cisco guides but rather finding a bulletproof design scenario to deploy a pair of WSAs for the customer. They have 6500 core switches facing an ASA Internet perimeter firewall, and one of the proposed deployment scenarios is indeed to place a 3750 stack in between them. My question now is: should I configure all 3750 interfaces as belonging to the same L2 and L3 VLAN, as described in the second document, i.e. the one for the Medium Enterprise Design?
Eugene
10-27-2010 06:43 PM
Hello Eugene,
That will work.
The best thing to do will be to get in touch with a Cisco IronPort SE, who can look into your network and design requirements and work with you on finding any further bits that may be missed.
If you can provide the serial number of the device and your mail contact, I can forward to you the contacts that may be able to assist further with your design query.
Regards,
Eric
11-06-2010 12:41 AM
Hi Eric,
It has been a very hectic week for me, but I didn't forget to come back to the original question I posted here.
These are the serial numbers of the two WSA appliances purchased recently:
P/N S370-R-NA,
S/N - A4BADB33EFD9-8KQ7HN1
S/N - A4BADB34149F-3KQ7HN1
Eugene
11-08-2010 05:08 PM
Hello,
Please send me a mail, and I will copy the SE person for the account to see if he can assist you.
Thanks,
Eric