I have been tasked with creating a DMZ from scratch. I am a bit of a network newb, so please forgive my ignorance. I am to connect two Cisco 4948E-F switches to two Check Point firewalls. I will be using two 10G uplink ports from each switch to cross-connect to each FW, though they will only run at 1G as the FWs don't have 10G ports. I will create a dot1q trunk for each connection going from the switches to the FWs. I will also create a port-channel between the two switches. 3 VRFs will be created: web, app and db. 3 SVIs will be created for each VRF. My questions are:
1. I planned on creating sub-interfaces for each VRF, but it doesn’t appear that the 4948E-F supports sub-interfaces. How do I direct traffic coming from the FW through the trunk to a particular VRF?
2. How do I get the traffic from one VRF to pass through the FW to travel back down to the other VRFs? I would think the routing would all happen within the switch since all SVIs live on those switches.
These are my initial questions and I’m hoping this starts a thread that I can continue to use and ask questions.
Thanks in advance to all you senior network engineers in helping me keep my job.
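The following is an added illustration, not configuration from the original poster or from Cisco or Check Point documentation. It shows the switch-side VRF-lite pattern that answers both questions on one of the two 4948E-F switches: the VLANs carried on the dot1q trunk are mapped to VRFs by binding each SVI to a VRF (no sub-interfaces needed), and each VRF's only exit is a default route to the firewall's address in that VLAN, so traffic between tiers has to leave the switch, traverse the firewall, and come back in a different VRF. VRF and VLAN names, subnets (10.1.10.0/24 etc.), the firewall addresses (.1 in each VLAN), the switch SVI addresses (.2) and the port numbers are all assumptions.

```ios
! Added example for the question above (not the poster's config).
! Assumptions: VRFs web/app/db on VLANs 10/20/30, firewall at .1 and
! this switch's SVI at .2 in each VLAN, Te1/49-50 cabled to the two
! firewalls, Gi1/1-2 bundled as the link to the second switch.
!
ip vrf web
 description DMZ web tier
ip vrf app
 description DMZ app tier
ip vrf db
 description DMZ db tier
!
vlan 10
 name dmz-web
vlan 20
 name dmz-app
vlan 30
 name dmz-db
!
! Question 1: a frame that arrives on the trunk tagged VLAN 10 is switched
! into VLAN 10 and, if it is addressed to the SVI, routed in VRF web.
! Binding the SVI to the VRF is the switch-side equivalent of a
! sub-interface per VRF.
interface Vlan10
 ip vrf forwarding web
 ip address 10.1.10.2 255.255.255.0
 no shutdown
interface Vlan20
 ip vrf forwarding app
 ip address 10.1.20.2 255.255.255.0
 no shutdown
interface Vlan30
 ip vrf forwarding db
 ip address 10.1.30.2 255.255.255.0
 no shutdown
!
! dot1q trunks to the two firewalls, restricted to the three DMZ VLANs.
! DTP is disabled so nothing on the far side can negotiate the port.
! Some older 4900 images want "switchport trunk encapsulation dot1q"
! before "switchport mode trunk"; add it if the image asks for it.
interface TenGigabitEthernet1/49
 description dot1q trunk to FW-A
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
interface TenGigabitEthernet1/50
 description dot1q trunk to FW-B
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
!
! LACP port-channel to the second 4948E-F, also a trunk for the DMZ VLANs.
interface Port-channel1
 description inter-switch link
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
interface range GigabitEthernet1/1 - 2
 channel-group 1 mode active
!
! Question 2: the three VRFs have separate routing tables and no routes
! are leaked between them, so the switch cannot route web -> app itself.
! Each VRF's default route points at the firewall's address in that VLAN;
! a web host reaching an app host goes SVI (vrf web) -> FW-A/FW-B -> SVI
! (vrf app), and the firewall policy decides whether it is allowed.
ip route vrf web 0.0.0.0 0.0.0.0 10.1.10.1
ip route vrf app 0.0.0.0 0.0.0.0 10.1.20.1
ip route vrf db  0.0.0.0 0.0.0.0 10.1.30.1
!
! Checks after applying:
!   show ip vrf interfaces        - each SVI sits in the intended VRF
!   show interfaces trunk         - only VLANs 10,20,30 on the uplinks
!   show ip route vrf web         - one connected /24 plus the default
!   ping vrf web 10.1.10.1        - reachability to the firewall per VRF
```

On the firewall side the same three VLANs are terminated as VLAN interfaces on the switch-facing port (or bond), one per tier, with the firewall holding the .1 address used in the default routes; with two firewalls that address is whatever the cluster presents as its shared address, which is an assumption here. The second switch mirrors this configuration with its own SVI addresses. Servers in each tier can use either the firewall address or the switch SVI as their default gateway; with the SVI the switch forwards to the firewall anyway, so the firewall still sees every inter-tier flow.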