Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

SVI for Servers & User VLANs

Hello,

I'm deploying a ASA as  DATA CENTER FW with main goal of ensuring that:

1. All end-user traffic to servers is passed through the FW/IPS.

2. All user-user traffic should pass through FW/IPS (there is also a requirement to block all inter-dept. traffic)

Currently I'm setup with a 6500 core where all users (access layer switches) are terminating (collapsed core setup) and all servers terminate at Nexus 5K which has uplinks to 6500. As of now I've SVIs for all VLANs on the core.

My question is with the ASA, would it be better to place all SVIs on the ASA as default gateway "or" have something like VRF to keep SVIs on core and have them passed to FW for further processing?

Thanks

Regards

Adnan

2 REPLIES
VIP Green

SVI for Servers & User VLANs

2. All user-user traffic should pass through FW/IPS (there is also a requirement to block all inter-dept. traffic)

When you say all user to user traffic should pass through the FW, do you also mean users that are located within the same subnet?

Whether to use VRFs or to set the ASA as the default gateway depends on requirements.  If some inter subnet traffic needs to communicate with eachother without having to pass through the firewall then VRF is the way to go.  If all traffic regardless of subnet should pass through the ASA then perhaps setting the ASA to the default gateway is what you would like to do.

But then you need to also consider the future.  Is there a possibility that you will need to allow intersubnet or VLAN traffic to communicate directly with eachother without going through the firewall, then it might be best to setup the network using VRFs now, while still sending all traffic through the ASA and then in the future edit the routing to allow for traffic leaking between subnets.

--
Please remember to rate and select a correct answer

--

Please remember to rate and select a correct answer
New Member

SVI for Servers & User VLANs

Thank you Marius.

No, users on same subnet (department) would not have to pass through the FW.

What I'm looking is all traffic from any subnets should pass through FW/IPS before communicating with devices in other subnets (whether it is server-server or user-server).

I've a requirment that users on one subnet should not communicate with users on other subnets at all. No user VLAN should pass traffic to another user VLAN, all user VLANs should only be able to communicate with SERVER VLANs.

One more questions I've is would it better to connect the ASA to the L3 core (if go ahead with VRFs) or L2 Server Aggregation layer (if I go ahead with a L2 FW)?

91
Views
5
Helpful
2
Replies
CreatePlease login to create content