Network Design

Answered Question
Jan 8th, 2010

Hi All,


I recently got a challenge to come up with a network design.


From the upstream, each customer will need to be in a VLAN so that the upstream provider can rate limit the customer per VLAN. My network will consist of a DMZ zone (1 firewall and 1 switch) and a Private zone (1 firewall and 1 switch). The DMZ zone will use the IP addresses that the upstream has provided and the Private zone will use internal IP addresses. The servers in the DMZ zone will need to talk to the Private zone servers and vice versa.


Any suggestion on the details of how to proceed with this setup? Below is a simple network diagram of the setup:

Upstream router
        |
        |
        |
DMZ firewall
       |
       |
DMZ switch ---- Customer A (VLAN 1)
       |   ---- Customer B (VLAN 2)
       |
Private firewall
      |
      |
Private switch --- Customer A (VLAN 110)
               --- Customer B (VLAN 120)

rais Fri, 01/08/2010 - 11:12

The only question that comes to mind is why are two firewalls necessary for this setup? Are you limited by the number of interfaces on any firewall?

Thanks.

noobieee7 Fri, 01/08/2010 - 23:36

Hi Rais,

There is a need for two layers of firewall in the environment.

Marwan ALshawi Fri, 01/08/2010 - 15:49

I think there is not enough information.

Anyway, will the connection from the DMZ firewall to the upstream router be over one link or multiple links,

one for each VLAN? If one link, how will the upstream router distinguish between the two VLANs for rate limiting? Is it by source address?

If you have two interfaces between the upstream router and the DMZ firewall,

and also I will assume no communication is required between customer A and B, in this case you may need to consider using your firewalls to run in multiple contexts if they are Cisco firewalls.

good luck

if helpful Rate

noobieee7 Fri, 01/08/2010 - 23:45

Hi Marwanshawi,

The DMZ firewall to the upstream router will be over 1 link, but it will be on a trunk so multiple VLANs will ride on it.

The challenge is that my upstream needs to identify each customer via 1 VLAN so that they are able to rate limit the traffic, and on my end I need to allow each customer with servers in the DMZ zone and Private zone to communicate between each other.

I was thinking of having the DMZ firewall running in transparent mode and allowing the DMZ switch to have a router-on-a-stick configuration with my upstream router. The servers in the DMZ zone will have 2 gateways, one to the upstream router for the default route and one to the SVI of the DMZ switch for it to communicate with the Internal zone. And between the DMZ switch, Internal Firewall and Internal Switch, it will be pure layer 3.

But this design does not look very elegant.

Correct Answer
Marwan ALshawi Sat, 01/09/2010 - 00:46

As I told you, you can configure the firewall in multiple contexts.

I mean the DMZ firewall.

Internally you can have two subinterfaces or two different interfaces, each in a different VLAN.

Externally to the upstream router you will have a trunk link, in other words an interface with two subinterfaces.

With multiple contexts you will have like two virtual firewalls; each VLAN/customer will use a context with a different IP subnet and also different firewall policies.

In this case there will be two inside IP addresses of the DMZ firewall; each one will be the next hop of one customer for the default route.

For communication with the internal network use, as you mentioned, a route pointing to the private firewall.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml

good luck

if helpful Rate
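A sketch of what the multiple-context layout from the answer above looks like in ASA configuration, added here as an illustration and not taken from the thread or from the linked Cisco document. The upstream VLAN tags (101/102), the IP addresses (RFC 5737 documentation ranges), the context names and the private-zone subnet are all assumed; VLAN 1 and VLAN 2 on the DMZ switch side are taken from the diagram in the question.

```cisco
! ---- System execution space of the DMZ ASA ----
mode multiple
! One physical trunk to the upstream router; one tagged subinterface per customer.
! Tags 101/102 are assumed values the upstream would rate-limit on.
interface GigabitEthernet0/0
 description Trunk to upstream router
 no shutdown
interface GigabitEthernet0/0.101
 vlan 101
interface GigabitEthernet0/0.102
 vlan 102
! Trunk to the DMZ switch; VLAN 1 and VLAN 2 are the customer VLANs in the diagram
interface GigabitEthernet0/1
 description Trunk to DMZ switch
 no shutdown
interface GigabitEthernet0/1.1
 vlan 1
interface GigabitEthernet0/1.2
 vlan 2
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
! One virtual firewall per customer: own interfaces, own addressing, own policy
context customerA
 allocate-interface GigabitEthernet0/0.101 outside
 allocate-interface GigabitEthernet0/1.1 inside
 config-url disk0:/customerA.cfg
context customerB
 allocate-interface GigabitEthernet0/0.102 outside
 allocate-interface GigabitEthernet0/1.2 inside
 config-url disk0:/customerB.cfg
!
! ---- Contents of disk0:/customerA.cfg (customerB mirrors it with its own subnet) ----
! Addresses are assumed RFC 5737 examples; 203.0.113.9 becomes customer A's default gateway
interface outside
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
interface inside
 nameif inside
 security-level 100
 ip address 203.0.113.9 255.255.255.248
route outside 0.0.0.0 0.0.0.0 203.0.113.1
! Private zone (assumed 10.10.0.0/16) is reached via the private firewall sitting in VLAN 1
route inside 10.10.0.0 255.255.0.0 203.0.113.14
! Only the published service is reachable from the Internet; everything else stays denied
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-group OUTSIDE_IN in interface outside
```

Because each context carries its own access list, a policy mistake in customer A's context cannot open anything in customer B's, which is the isolation property the per-customer VLAN design is after.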

noobieee7 Sat, 01/09/2010 - 03:16

Hi Marwanshawi,

This is very informative. By chance would you know if it supports an HA setup and how many VLANs I can put on a single trunk interface?

And also, there is another type of Cisco product, the zone-based firewall; are they alike?

Marwan ALshawi Sat, 01/09/2010 - 03:26

HA with multiple contexts is called active/active mode; you can search for it on cisco.com.

Zone-based firewall is a firewall feature that runs on a Cisco IOS router, not on a firewall appliance like the ASA.

It is useful, but if you have ASAs I would recommend you use them, as they are specialized and more reliable in terms of throughput and CPU while you are doing traffic inspection and NATing as well.

ASA active active HA:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml

zone based firewall:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml

good luck

if helpful Rate

noobieee7 Sat, 01/09/2010 - 03:33

Hi Marwanshawi,

I did some reading up and found that the security context is at most 50 for Cisco ASA 5550. This means that at most I can have only 50 customers?

Marwan ALshawi Sat, 01/09/2010 - 03:43

You may consider the Cisco Cat6500 with the FWSM firewall module; it will give you 100 virtual interfaces and 100 contexts per module!!

With the FWSM, VPN is not supported, but you can have a VPN module in the 6500 if required. Also you may have a mix: in the DMZ you use the 6500 with FWSM and in the private zone you use the ASA. I think you need to read about each product and compare the features with your requirements, as long as you know what you need!!

good luck

Mohamed Sobair Sat, 01/09/2010 - 06:25

Hi,

It's one of the appropriate and simplest options to have the firewall operate as transparent and have each customer in the DMZ directly connected to the router as its gateway through the firewall.

Between both ASAs, you can have an IPsec tunnel so the users connected to the 1st firewall have access to the DMZ network on the other side and vice versa.

HTH

Mohamed

Marwan ALshawi Sat, 01/09/2010 - 07:50

when you run the ASA in transparent mode you need to consider the following limitations:

- The ASA can terminate the IPSec tunnels for management purposes only. That means you cannot establish an IPSec tunnel to pass traffic through the Cisco ASA.

- WebVPN and IPSec remote-access VPNs are not supported. You can configure only one site-to-site IPSec tunnel, which needs to be set up in answer mode to respond to a tunnel request

- Because routing protocols are not supported in transparent mode, reverse route injection (RRI) is also not supported

Thank you
