Currently I have a 2 tier firewall setup as below.
FW - FW (PUBLIC)
SW - SW (PUBLIC)
FW - FW (PRIVATE)
SW - SW (PRIVATE)
The public firewalls are on an active-passive setup and are used to control the traffic between the Internet and Public switch.
The private firewalls are on an active-passive setup and are used to control the traffic between the Public and Private switch.
This setup will be used to serve different customers on a shared environment.
My query is that should I create the SVI for different customers on the switches or create sub interfaces on the firewalls for different customers?
If I create the SVI on the Public and Private switches, then I will have to create multiple ACLs, which operationally might not be so feasible to manage.
If I create the sub interfaces on the Public and Private firewalls, then I cannot do rate-limiting as the firewalls currently do not support it.
Does anybody have any suggestions on how to optimise the above setup, or any other best practices?
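One way to keep the per-customer SVI/ACL approach from becoming an operational burden, as an added example that is not part of this thread and not the poster's own configuration: generate the switch-side config for every customer from a single table, and refuse to emit anything if two customers share a VLAN ID or have overlapping subnets (on a shared switch either mistake silently merges two tenants' traffic). The rate limit the firewalls cannot apply is expressed as a policer on the SVI. Customer names, VLANs, prefixes and rates are constructed sample values; the rendered syntax is assumed Cisco IOS-style and would need checking against the actual platform.

```python
import ipaddress

# Constructed sample customer table; names, VLANs, subnets and rates are
# hypothetical and not taken from the post.
CUSTOMERS = [
    {"name": "custA", "vlan": 110, "subnet": "10.10.110.0/24", "rate_mbps": 50},
    {"name": "custB", "vlan": 120, "subnet": "10.10.120.0/24", "rate_mbps": 20},
    {"name": "custC", "vlan": 130, "subnet": "10.10.130.0/24", "rate_mbps": 10},
]


def validate(customers):
    """Fail early on duplicate VLAN IDs or overlapping subnets: on a shared
    switch either one would silently merge two customers' traffic."""
    vlans = set()
    nets = []
    for c in customers:
        if c["vlan"] in vlans:
            raise ValueError(f"duplicate VLAN {c['vlan']}")
        vlans.add(c["vlan"])
        net = ipaddress.ip_network(c["subnet"], strict=True)
        for other in nets:
            if net.overlaps(other):
                raise ValueError(f"{net} overlaps {other}")
        nets.append(net)
    return True


def wild(net):
    """Network/wildcard pair in the form IOS-style ACLs expect."""
    return f"{net.network_address} {net.hostmask}"


def customer_config(c, customers):
    """Render VLAN, ACL, policer and SVI for one customer (assumed IOS-style
    syntax; adjust to the platform in use)."""
    net = ipaddress.ip_network(c["subnet"])
    name = c["name"].upper()
    acl = f"ACL-{name}-IN"
    pmap = f"PM-{name}-IN"
    lines = [f"vlan {c['vlan']}", f" name {c['name']}"]
    # Inbound ACL on the SVI: block east-west traffic to every other
    # customer's prefix, permit only packets sourced from this customer's
    # own prefix (anti-spoofing), drop everything else.
    lines.append(f"ip access-list extended {acl}")
    for other in customers:
        if other is not c:
            onet = ipaddress.ip_network(other["subnet"])
            lines.append(f" deny ip {wild(net)} {wild(onet)}")
    lines.append(f" permit ip {wild(net)} any")
    lines.append(" deny ip any any log")
    # Policer on the SVI: the switch enforces the rate the firewalls cannot.
    lines += [
        f"policy-map {pmap}",
        " class class-default",
        f"  police {c['rate_mbps'] * 1_000_000} conform-action transmit exceed-action drop",
        f"interface Vlan{c['vlan']}",
        f" description {c['name']}",
        f" ip address {net[1]} {net.netmask}",
        f" ip access-group {acl} in",
        f" service-policy input {pmap}",
        " no shutdown",
    ]
    return "\n".join(lines)


def build_config(customers):
    """Validate the whole table, then render every customer's block."""
    validate(customers)
    return "\n!\n".join(customer_config(c, customers) for c in customers)


if __name__ == "__main__":
    print(build_config(CUSTOMERS))
```

Because every ACL is derived from the same table, adding a customer regenerates the inter-tenant deny lines on all existing SVIs as well, which is the part that is easy to forget when the ACLs are hand-maintained; the generated output still has to be diffed against the running config and pushed by whatever change process is in place.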
One final point. The advantage of having 2 NICs per server in the way I was talking about is that traffic does not need to keep bouncing off the inside of the public firewalls, i.e. you have a direct path between the servers and the internal network, via the private firewalls obviously.