SVI for Servers & User VLANs

Adnan Fakruddin (Level 1)

Hello,

I'm deploying an ASA as a data center FW with the main goal of ensuring that:

1. All end-user traffic to servers is passed through the FW/IPS.

2. All user-user traffic should pass through FW/IPS (there is also a requirement to block all inter-dept. traffic)

Currently I have a 6500 core where all users (access-layer switches) terminate (collapsed core setup) and all servers terminate at a Nexus 5K which has uplinks to the 6500. As of now I have SVIs for all VLANs on the core.

My question is: with the ASA, would it be better to place all SVIs on the ASA as the default gateway, "or" have something like VRFs to keep the SVIs on the core and have traffic passed to the FW for further processing?

Thanks

Regards

Adnan

2 Replies

> 2. All user-user traffic should pass through FW/IPS (there is also a requirement to block all inter-dept. traffic)

When you say all user to user traffic should pass through the FW, do you also mean users that are located within the same subnet?

Whether to use VRFs or to set the ASA as the default gateway depends on requirements. If some inter-subnet traffic needs to communicate without having to pass through the firewall, then VRF is the way to go. If all traffic, regardless of subnet, should pass through the ASA, then perhaps setting the ASA as the default gateway is what you would like to do.

But then you also need to consider the future. If there is a possibility that you will need to allow inter-subnet or inter-VLAN traffic to communicate directly without going through the firewall, then it might be best to set up the network using VRFs now, while still sending all traffic through the ASA, and in the future edit the routing to allow for traffic leaking between subnets.

--
Please remember to rate and select a correct answer


Thank you Marius.

No, users on same subnet (department) would not have to pass through the FW.

What I'm looking for is that all traffic from any subnet should pass through the FW/IPS before communicating with devices in other subnets (whether it is server-server or user-server).

I have a requirement that users on one subnet should not communicate with users on other subnets at all. No user VLAN should pass traffic to another user VLAN; all user VLANs should only be able to communicate with SERVER VLANs.

One more question I have is whether it would be better to connect the ASA to the L3 core (if I go ahead with VRFs) or to the L2 server aggregation layer (if I go ahead with an L2 FW)?
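The following is an added configuration sketch, not something posted in the thread, showing the VRF-lite arrangement Marius suggests (SVIs stay on the 6500 but are placed in per-zone VRFs whose only exit is a default route toward the ASA) together with the policy Adnan states in his follow-up (user VLANs may reach server VLANs only, never each other). VRF names, VLAN numbers, interface names, addresses and the permitted server port are all assumptions chosen for the example; the IPS module syntax shown is for an AIP-SSM and would be different for a FirePOWER (SFR) module.

```ios
! ===== Catalyst 6500 collapsed core: VRF-lite, one VRF per zone (example) =====
! Because each zone sits in its own VRF, the core holds no route from one
! zone to another; the only way out of a zone is the default route to the ASA.
ip vrf HR
 rd 65000:10
ip vrf FIN
 rd 65000:20
ip vrf SRV
 rd 65000:100
!
! Existing SVIs remain the hosts' default gateway, now inside a VRF.
! ("ip vrf forwarding" must precede "ip address"; IOS clears the address when the VRF is set.)
interface Vlan10
 description HR users (hypothetical VLAN)
 ip vrf forwarding HR
 ip address 10.1.10.1 255.255.255.0
interface Vlan20
 description Finance users (hypothetical VLAN)
 ip vrf forwarding FIN
 ip address 10.1.20.1 255.255.255.0
interface Vlan100
 description Server VLAN, Nexus 5K downstream (hypothetical VLAN)
 ip vrf forwarding SRV
 ip address 10.1.100.1 255.255.255.0
!
! One point-to-point transit VLAN per VRF toward the ASA.
interface Vlan901
 ip vrf forwarding HR
 ip address 10.255.1.2 255.255.255.252
interface Vlan902
 ip vrf forwarding FIN
 ip address 10.255.2.2 255.255.255.252
interface Vlan903
 ip vrf forwarding SRV
 ip address 10.255.3.2 255.255.255.252
!
interface TenGigabitEthernet1/1
 description Trunk to ASA (transit VLANs only)
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 901-903
 switchport mode trunk
!
! Each VRF knows only its connected subnet plus a default toward the ASA.
! Future inter-zone exceptions that must bypass the firewall would be added
! here as leaked routes, without touching the hosts or their gateways.
ip route vrf HR  0.0.0.0 0.0.0.0 10.255.1.1
ip route vrf FIN 0.0.0.0 0.0.0.0 10.255.2.1
ip route vrf SRV 0.0.0.0 0.0.0.0 10.255.3.1

! ===== ASA, routed mode: one subinterface per zone (example) =====
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/1.901
 vlan 901
 nameif hr
 security-level 50
 ip address 10.255.1.1 255.255.255.252
interface GigabitEthernet0/1.902
 vlan 902
 nameif finance
 security-level 50
 ip address 10.255.2.1 255.255.255.252
interface GigabitEthernet0/1.903
 vlan 903
 nameif servers
 security-level 100
 ip address 10.255.3.1 255.255.255.252
!
! Routes back to the subnets hosted on the core's VRFs.
route hr      10.1.10.0  255.255.255.0 10.255.1.2
route finance 10.1.20.0  255.255.255.0 10.255.2.2
route servers 10.1.100.0 255.255.255.0 10.255.3.2
!
! Policy: user zones may reach the server zone only. The two user zones share
! security-level 50 and "same-security-traffic permit inter-interface" is NOT
! enabled, so hr<->finance is dropped even without the explicit deny below.
object-group network USER_NETS
 network-object 10.1.10.0 255.255.255.0
 network-object 10.1.20.0 255.255.255.0
object network SRV_NET
 subnet 10.1.100.0 255.255.255.0
!
access-list HR_IN extended deny ip any object-group USER_NETS log
access-list HR_IN extended permit tcp 10.1.10.0 255.255.255.0 object SRV_NET eq 443
access-list HR_IN extended deny ip any any log
access-group HR_IN in interface hr
! (repeat the same pattern as FINANCE_IN on the finance interface)
!
! Send all traffic through the IPS module inline (AIP-SSM syntax).
class-map IPS_ALL
 match any
policy-map global_policy
 class IPS_ALL
  ips inline fail-close
service-policy global_policy global
```

Two checks worth running after applying something like this: `show ip route vrf HR` on the 6500 should list only the connected 10.1.10.0/24 and the default via 10.255.1.1 (any route to 10.1.20.0/24 or 10.1.100.0/24 appearing there means the zone can bypass the ASA), and `packet-tracer input hr tcp 10.1.10.50 1234 10.1.20.50 80` on the ASA should end in a DROP at the ACL or the same-security check.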
