FW Implementation - Design

Unanswered Question
Mar 6th, 2008

Hi All,

Please look into the attached diagram. We have some 3640 routers and a 7507 BG router with Public Networks A through I as shown in the diagram.

We are looking to introduce a Cisco ASA 5500 into the network for Public Networks A through E, H and I. Public Networks F and G will not be behind the FW post-implementation.

We are thinking of introducing Cisco 3560G-24 switches to do the job. The implementation will also offload Public Networks F and G from the BG (Border Gateway).

Please give me some inputs on this.



I am a little confused about where to place the FW, because the implementation should be a first step toward a near-future redundant setup in terms of connectivity and HW.

Mohamed Sobair Thu, 03/06/2008 - 07:55


The appropriate setup is to place a firewall behind the GW that connects to the Internet.

Could you clarify why Public Networks F/G are not behind a FW, and what the rest of the public networks represent?



subra4u Thu, 03/06/2008 - 08:06


Thanks for your response.

Public Networks F and G are media (meaning voice).

The other Public Networks are for data. Each Public Network is at least a /24 subnet.

Do we really need two L3 switches to deploy this?

The BG router can only do Fibre Gigabit and not copper.

Thanks in Advance.



Danilo Dy Thu, 03/06/2008 - 08:15


Your planned setup is okay. No, you don't need an L3 switch. Most firewalls nowadays support 802.1Q trunking.

If budget is tight, you can use one L2 switch for the initial setup (use VLANs), that is, if the L2 switch has enough ports to connect the firewall, BG router, and A to I. Otherwise you really need 2 x L2 switches, one that supports SFP for fibre GE and other media, to connect the BG router, firewall, and F & G.
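The single-switch, VLAN-per-network design described above, written out as an added configuration example (not from the original thread or any of its posters). Interface names, VLAN numbers, hostnames and addresses are assumptions; the addresses are RFC 5737 documentation ranges and must be replaced by the real public prefixes. The ASA terminates one 802.1Q subinterface per protected network on its inside trunk, the 3560G-24 is used purely as an L2 switch, and the BG router's fibre link (assumed to land on one of the 3560's SFP ports) carries the ASA outside transit VLAN plus the voice VLANs F and G, which the BG routes directly without passing through the ASA.

```cisco
! ===== Cisco ASA 5500 =====
! Outside: point-to-point transit VLAN toward the BG router
interface GigabitEthernet0/0
 description Outside - transit to BG router (VLAN 10 on the 3560)
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.252
!
! Inside: physical port is only a trunk carrier, no IP or nameif of its own
interface GigabitEthernet0/1
 description Inside 802.1Q trunk to 3560G-24
 no nameif
 no security-level
 no ip address
!
! One subinterface per protected public network (repeat for C, D, E, H, I)
interface GigabitEthernet0/1.110
 description Public Network A
 vlan 110
 nameif net-a
 security-level 50
 ip address 198.51.100.1 255.255.255.0
!
interface GigabitEthernet0/1.120
 description Public Network B
 vlan 120
 nameif net-b
 security-level 50
 ip address 203.0.113.1 255.255.255.0
!
! Subinterfaces share security-level 50; without this line the ASA drops
! traffic between them. Omit it if A..I must be isolated from each other.
same-security-traffic permit inter-interface
!
route outside 0.0.0.0 0.0.0.0 192.0.2.1
!
! Default-deny inbound: only the listed services are reachable from outside.
! 198.51.100.10 is an assumed web host in Public Network A.
access-list OUTSIDE_IN extended permit tcp any host 198.51.100.10 eq 443
access-list OUTSIDE_IN extended permit tcp any host 198.51.100.10 eq 80
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! ===== Cisco 3560G-24 (L2 only) =====
no ip routing
! Tag the native VLAN and park it on an unused VLAN so untagged frames
! cannot hop between the outside transit VLAN and an inside VLAN.
vlan dot1q tag native
vlan 10
 name ASA-OUTSIDE-TRANSIT
vlan 110
 name NET-A
vlan 120
 name NET-B
vlan 160
 name NET-F-VOICE
vlan 170
 name NET-G-VOICE
vlan 999
 name UNUSED-NATIVE
!
! Fibre SFP uplink to the BG router: transit VLAN plus the unfirewalled voice VLANs
interface GigabitEthernet0/25
 description Trunk to BG router (fibre)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,160,170
 switchport mode trunk
 switchport nonegotiate
!
! ASA outside port: access port in the transit VLAN only
interface GigabitEthernet0/1
 description ASA Gi0/0 outside
 switchport mode access
 switchport access vlan 10
!
! ASA inside trunk: carries only the protected networks, never VLAN 10/160/170
interface GigabitEthernet0/2
 description ASA Gi0/1 inside trunk
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 110,120
 switchport mode trunk
 switchport nonegotiate
!
! Example host port in Public Network A
interface GigabitEthernet0/3
 description Host in Public Network A
 switchport mode access
 switchport access vlan 110
 spanning-tree portfast
```

The check worth running after cut-over is `show interfaces trunk` on the 3560: the allowed-VLAN lists on the two trunks must not overlap (VLAN 10, 160 and 170 on the BG side, 110 and upward on the ASA side), because with one physical switch the VLAN pruning is the only thing keeping the outside segment and the firewalled networks apart. On the ASA, `show interface ip brief` should list every subinterface as up before any `access-list` is relaxed.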



subra4u Thu, 03/06/2008 - 08:46

Hi Medan,

Thanks for the quick response.

With the current setup, can we add an additional link from the BG, connect it to another switch, and run HSRP to provide failover?

Thanks & Regards


