Cisco Support Community
Community Member

LAN design help and question

I have been instructed to put a firewall in front of servers that are connected to a LAN switch. I do not manage this switch; it is managed by another team. All four servers are connected to separate VLANs on the switch at 1 Gig speed. Server A: 10.10.5.x. Server B: 10.10.10.x. Server C: 10.10.15.x. Server D: 10.10.20.x

Has anyone configured this scenario before?

I don't see how I can make this work by putting a firewall in between.

Current design:

ISP router/firewall >>> LAN switch >>> servers. This looks fine to me.

Proposed requirement: a Cisco 5520 firewall will be used.

ISP router/firewall >>> LAN switch >>> firewall >>> switch >>> servers.

How can I make this work? Please, this is not a joke and I need your advice.

I don’t think it is possible.



Community Member

Re: LAN design help and question

Hey Eric, based on your message I am not sure which problem you are trying to solve:

1) Multiple VLANs into one firewall: you can use one interface with 802.1Q trunking on the firewall and the switch to segment out the VLANs. You have 4 x 1 Gb + 1 x 100 Mb on the 5520, so you would probably have to configure at least one trunk on one of the Gb interfaces. You may have a bottleneck issue on the Gb interface, so it is probably best to configure this for the two least used server subnets.

2) Speed limitation: the 5520 has a max firewall throughput of 450 Mbps. So if you are worried about the four 1 Gb servers maxing out the connection, then you have to increase the size of the firewall.

In general, I am wondering myself about item 2 above, in a design which places a firewall at the core of the network. Firewalls just don't seem to be big enough (at a reasonable cost) to do this yet. If anyone has ideas, let me know.
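As an added illustration of item 1 above (this is not configuration from either poster), here is what the 802.1Q trunk looks like on both sides in the proposed topology: campus switch >>> 5520 >>> server switch >>> servers. The ASA's Gi0/0 is the routed outside interface toward the campus switch, Gi0/1 is the trunk toward the server switch, and one subinterface per server VLAN carries the subnet for that server. The interface names, VLAN IDs (5, 10, 15, 20), /24 masks, .1 gateway addresses, security levels and the sample ACL are all assumptions chosen to match the subnets in the question; the switch port and the server-A port number are hypothetical too.

```text
! ---- ASA 5520 (assumed addressing; not from the original thread) ----
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.100.2 255.255.255.0      ! assumed link to campus switch
!
! Physical trunk port: no IP, no nameif; the subinterfaces carry the traffic
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.5
 vlan 5
 nameif server-a
 security-level 50
 ip address 10.10.5.1 255.255.255.0
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif server-b
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1.15
 vlan 15
 nameif server-c
 security-level 50
 ip address 10.10.15.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif server-d
 security-level 50
 ip address 10.10.20.1 255.255.255.0
!
! Servers on different VLANs share security-level 50; without this line the
! ASA drops traffic between equal-security interfaces.
same-security-traffic permit inter-interface
!
! Minimal inbound policy on the outside interface: only HTTPS to server A,
! everything else is dropped and logged (hypothetical policy, adjust per server).
object network server-a-host
 host 10.10.5.10
access-list outside_in extended permit tcp any object server-a-host eq 443
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
!
route outside 0.0.0.0 0.0.0.0 192.168.100.1

! ---- Server-side Catalyst switch, port facing ASA Gi0/1 (assumed port) ----
interface GigabitEthernet1/0/1
 description Trunk to ASA5520 Gi0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 5,10,15,20
 switchport nonegotiate
 spanning-tree portfast trunk
!
! Server A port stays an access port in its own VLAN
interface GigabitEthernet1/0/11
 description Server A
 switchport mode access
 switchport access vlan 5
 spanning-tree portfast
```

Two design consequences follow from this layout. First, the ASA subinterface addresses become the servers' default gateways, so the team that runs the campus switch must repoint routes for 10.10.5.0/24, 10.10.10.0/24, 10.10.15.0/24 and 10.10.20.0/24 at the ASA's outside address (192.168.100.2 here) and stop routing those VLANs on the campus switch itself. Second, all four server subnets now share the single Gi0/1 trunk in addition to the box's 450 Mbps rated throughput, which is the bottleneck the reply above is warning about; pruning the trunk with `switchport trunk allowed vlan` keeps unrelated VLANs off that link but does not change the bandwidth ceiling.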

Community Member

Re: LAN design help and question

Thank you Will, I will test your idea out first. I am also looking into transparent mode configuration. My issue is that these servers belong to three separate VLAN subnets.

Looking to implement: campus switch >>> 5520 firewall >>> another switch >>> servers.

As it stands currently: campus switch >>> servers, each with 1 Gig speed to the switch.


