02-24-2014 03:01 AM - edited 03-11-2019 08:49 PM
Hi,
Need help on the configuration part of the attached FW design, or can anyone suggest what would be the best security design in terms of a DC network?
02-27-2014 06:14 AM
Hi,
You are right.
Can you help me to prepare a sample configuration for this scenario if you have time?
Note: There are two CE RTRs.
02-27-2014 12:16 PM
I am sorry, but I am strapped for time at the moment. I can help you with bits and pieces of the configuration, but providing a full sample will be too time consuming.
If you post your configurations, or have questions about specific portions I can help you out.
--
Please remember to rate and select a correct answer
02-27-2014 10:20 PM
Hi,
I am OK, take your time. In the meantime I will prepare a sample config for your review.
02-27-2014 10:44 PM
02-28-2014 12:16 AM
How many VLANs will you have on the N5K switches? If you have more than 1 VLAN on them you will need to trunk the link to the ASA, meaning you will need subinterfaces on the ASA for the ports that go to the N5K switches.
--
Please remember to rate and select a correct answer
02-28-2014 12:53 AM
Hi,
There are a lot of VLANs on the N5K. I would like to configure a default route to the FW primary address from the N5K instead of VLANs configured on the FW; will it work?
Example: the inside VLAN will be configured between the FW and the N5K, or a port-channel between the FW and the N5K.
Same for outside also. Is it feasible?
02-28-2014 12:59 AM
This will not work. Each VLAN will have its own subnet and therefore will require a default gateway within that subnet or (in certain configurations) require a route to the default gateway IP. In your setup you will need to use sub-interfaces on the ASA; each sub-interface will have an IP within the subnet of a specific VLAN and that IP will be the default gateway for clients on that VLAN.
--
Please remember to rate and select a correct answer
02-28-2014 01:25 AM
Hi,
If I configure all VLAN sub-interfaces on the FW, it would be a huge processing load on the FW; then what is the use of the Nexus (it has high throughput and backplane capacity)?
My points are:
> All VLAN SVIs will be configured on the N5K with HSRP, so all servers will point to the N5K HSRP virtual IP address.
> Internal traffic will be routed within the N5K.
> Only external traffic will go to the FW.
> For the external route I will put a default route on the N5K towards the FW IP address.
02-28-2014 01:28 AM
If you do not require any traffic filtering / security between your LAN subnets then there is no problem doing that.
--
Please remember to rate and select a correct answer
02-28-2014 04:46 AM
Hi,
I do not require filtering within the LAN. To/from external I need the FW.
I think now it's possible. If you have time, please check my interface config, and if possible please update it and let me know.
02-28-2014 07:57 AM
You are missing the redundant links to the N5K and the L2 switches (these would need to be in a portchannel). Also, you would need the following command to allow traffic between the MPLS interface and N5K since they have the same security level:
same-security-traffic permit inter-interface
--
Please remember to rate and select a correct answer
03-03-2014 02:46 AM
Hi,
Can you add the redundant link configuration on the FW to the N5K and the L2 switches?
I am not sure what the exact port configuration would be between the FW and the N5K and between the FW and the L2 switches.
Please add it to my config_notepad.
03-03-2014 03:47 AM
You would need to configure the ASA and the N5K as portchannels.
ASA
! Two physical members bundled with LACP into Port-channel1
interface GigabitEthernet0/1
 no shutdown
 channel-group 1 mode active
interface GigabitEthernet0/2
 no shutdown
 channel-group 1 mode active
! One subinterface per VLAN; the ASA is the default gateway for each VLAN
interface Port-channel1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
interface Port-channel1.20
 vlan 20
 nameif inside2
 security-level 90
 ip address 20.20.20.1 255.255.255.0
--
Please remember to rate and select a correct answer
03-03-2014 05:03 AM
Hi,
This configuration shows the VLANs created on the FW (the client's default gateway is the FW), but I wanted to configure the VLANs on the N5K (the client's default gateway would be the N5K, and the N5K would forward traffic to the FW based on whether inspection is required or not; suppose some VLANs are not required to go via the FW and some are).
Thanks a lot for helping. If you could give the FW to L2 configuration also...
03-03-2014 05:14 AM
Then just remove the subinterfaces.
! Same LACP bundle, but Port-channel1 is now a single routed (untagged) interface
interface GigabitEthernet0/1
 no shutdown
 channel-group 1 mode active
interface GigabitEthernet0/2
 no shutdown
 channel-group 1 mode active
! The N5K, not the ASA, is the VLAN gateway; this is just the transit link
interface Port-channel1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
(The client's default gateway would be the N5K, and the N5K would forward traffic to the FW based on whether inspection is required or not; suppose some VLANs are not required to go via the FW and some are.)
This is why I have suggested using VRFs several times. But this is your choice. I feel VRFs would be easier to use with regards to traffic separation (that is a personal preference.)
--
Please remember to rate and select a correct answer
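Putting the two halves of this thread together, here is the design the original poster described (SVIs with HSRP on the N5K, a default route toward the ASA, only a transit link on the firewall) as an added example; it is not configuration from either participant. VLAN numbers, interface numbers, the 172.16.0.0/16 server range, the 10.10.10.254 HSRP virtual IP and the HSRP priorities are all constructed values. Only one N5K is shown; with a pair of N5Ks the port-channel toward the ASA would need vPC, which is outside this example.

```cisco
! ---- ASA side (added example; interface numbers and addresses are assumed) ----
! Port-channel1 carries one untagged transit subnet. Server VLANs stay on the
! Nexus, so the ASA only sees traffic that leaves or enters the data center.
interface GigabitEthernet0/1
 no shutdown
 channel-group 1 mode active
interface GigabitEthernet0/2
 no shutdown
 channel-group 1 mode active
interface Port-channel1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
! Return traffic for the server VLANs is handed to the N5K HSRP virtual IP on
! the transit subnet (constructed values). Every server subnet that must reach
! the outside needs a route here, or the reply path will be dropped.
route inside 172.16.0.0 255.255.0.0 10.10.10.254
! From the thread: the MPLS and inside interfaces share security level 100,
! so inter-interface traffic must be permitted explicitly.
same-security-traffic permit inter-interface

! ---- N5K side (NX-OS, added example; HSRP active switch shown) ----
feature lacp
feature interface-vlan
feature hsrp
! Transit VLAN toward the ASA (constructed)
vlan 10
  name ASA-TRANSIT
! One server VLAN as an example; its gateway lives on the Nexus, not the ASA
vlan 100
  name SERVERS-A
! Redundant access ports toward the ASA, bundled with LACP
interface Ethernet1/1
  switchport access vlan 10
  channel-group 1 mode active
  no shutdown
interface Ethernet1/2
  switchport access vlan 10
  channel-group 1 mode active
  no shutdown
! Transit SVI: the HSRP virtual IP is the ASA's next hop back into the DC
interface Vlan10
  no shutdown
  ip address 10.10.10.2/24
  hsrp 10
    preempt
    priority 110
    ip 10.10.10.254
! Server SVI: servers use 172.16.100.1 as their default gateway
interface Vlan100
  no shutdown
  ip address 172.16.100.2/24
  hsrp 100
    preempt
    priority 110
    ip 172.16.100.1
! Traffic between server SVIs is routed locally on the N5K; only destinations
! with no more specific route follow the default toward the ASA.
ip route 0.0.0.0/0 10.10.10.1
```

Two points follow from the earlier replies. First, because inter-VLAN traffic never reaches the ASA, the only place to filter between server VLANs is on the Nexus itself (VACLs or RACLs on the SVIs), which is the trade-off accepted when the poster said no filtering is needed within the LAN. Second, for a VLAN that is meant to bypass the firewall entirely, the ASA must still not hold a route for that subnet only if nothing from it ever crosses the firewall; otherwise the forward path and the return path diverge and the ASA drops the asymmetric flow.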