11-30-2011 01:09 PM - edited 03-11-2019 02:57 PM
Hi there,
I am new to ZFW and I would appreciate any hints for my network design ;-)
I am trying to do the following:
At the moment, I have a router with about 9 VLANs: a workstation VLAN, printer VLAN, notebook VLAN, testlab VLAN, etc.
On each of the VLAN subinterfaces on my router I have my own in-ACL and out-ACL (extended) with reflect and evaluate statements.
In addition, I have two uplink interfaces (for redundancy).
Basically, the VLANs should be separated from each other, but the ACLs also contain single permits for services/ports/protocols from one VLAN into another VLAN.
I think the only way to implement this in ZFW is to design 9 different zones for the VLANs and 1 zone for the "outside" interfaces.
Then I have to create two class-maps and policy-maps for each VLAN, and also two zone-pair statements (in-out and out-in) for each VLAN.
Or is it easier to bundle certain services, create a class-map out of that and apply an ACL containing IP addresses from all VLANs using the same service?
e.g.
class-map type inspect match-all cmap_smtp-allow
 match access-group name smtp_allow
 match protocol smtp
asr_1001#sh access-lists smtp_allow
Extended IP access list smtp_allow
    10 permit tcp any host 74.125.39.16   ! smtp.googlemail.com
Do you have any suggestions about what makes more sense here?
Thanks,
Stefan
11-30-2011 01:26 PM
Hello Stefan,
I do not see why the ZBFW feature cannot be implemented here; in fact, as you know, ZBFW is really flexible, so it will adapt to all your company needs.
Just to let you know, if you create 9 different zones, you will need to create a zone-pair policy for each different VLAN pair that needs to communicate.
Please rate helpful posts.
Regards,
Julio
12-01-2011 09:28 AM
Hello Stefan,
That is correct: if you have 9 different zones, you will need a zone-pair for each VLAN communication between different zones. The configuration will be longer, but ZBFW is going to be more flexible and you will have more granularity with your network environment.
Another thing you can do is to place some of the VLANs in the same zone so they have communication; VLANs in the same zone can communicate with each other by default.
So in this case you will definitely need to think about whether you are looking for something easy to perform or something secure and really flexible.
Hope you have a wonderful day.
Regards,
Julio
12-01-2011 10:18 AM
Hello Stefan,
My pleasure. You will need the zone-pairs 100%; without them you are not going to have communication between those VLANs, that is the whole purpose of ZBFW.
Please rate helpful posts.
Regards,
Julio
11-30-2011 09:59 PM
Thank you for your answer, but that makes it even more complicated...
Let me explain why I am hesitating to do this. For example, I have:
interface Gi1/0.101
 description VLAN 1
 encapsulation dot1Q 101   ! assumed VLAN ID, needed before an IP address can be set on a subinterface
 ip address 1.1.1.1 255.255.255.0
 ip access-group in-vlan1-filter in
 ip access-group out-vlan1-filter out
interface Gi1/0.102
 description VLAN2
 encapsulation dot1Q 102   ! assumed VLAN ID
 ip address 2.2.2.1 255.255.255.0
 ip access-group in-vlan2-filter in
 ip access-group out-vlan2-filter out
interface Gi1/0.103
 description VLAN3
 encapsulation dot1Q 103   ! assumed VLAN ID
 ip address 3.3.3.1 255.255.255.0
 ip access-group in-vlan3-filter in
 ip access-group out-vlan3-filter out
=> Until now, I had the above-named ACLs on each VLAN subinterface, for example:
ip access-list extended out-vlan2-filter
 permit tcp host 1.1.1.5 host 2.2.2.15 eq 22
 permit udp any host 2.2.2.50 eq 4500
 permit tcp host 3.3.3.9 host 2.2.2.22 eq 80
 etc...
=> Which makes 6 different ACLs in the above case. With ZFW, I need a zone-pair "in-out" and "out-in" for each VLAN and two additional zone-pairs for the inter-VLAN communication, which makes, in this case, 6 additional zone-pairs (zone-pair "vlan1-vlan2"/"vlan1-vlan3"/"vlan2-vlan1"/"vlan2-vlan3"/"vlan3-vlan1"/"vlan3-vlan2"). So, if I have 9 different VLANs (if my calculation is right), I have 45 different zone-pairs just for inter-VLAN communication.
I just want to ask if there is an easier way ;-)
12-01-2011 10:02 AM
Hi Julio,
Thanks for your answer; apparently I get it *step by step* ;-)
One last question: what happens if there are only zone-pairs "vlan-in"/"vlan-out" for each VLAN, and the class-maps in there define the matches out of one "global" ACL for this specific VLAN? From the example above:
zone security zone_outside   ! zones have to exist before interfaces can join them
zone security zone_vlan1
zone security zone_vlan2
zone security zone_vlan3
interface Gi0/0
 description UPLINK
 zone-member security zone_outside
interface Vlan1
 ip address 1.1.1.1 255.255.255.0
 zone-member security zone_vlan1
interface Vlan2
 ip address 2.2.2.1 255.255.255.0
 zone-member security zone_vlan2
interface Vlan3
 ip address 3.3.3.1 255.255.255.0
 zone-member security zone_vlan3
class-map type inspect match-any cmap-out_vlan2
 match access-group name out-vlan2-filter
policy-map type inspect pmap-out_vlan2
 class type inspect cmap-out_vlan2
  inspect
zone-pair security zp-out_vlan2 source zone_outside destination zone_vlan2
 service-policy type inspect pmap-out_vlan2   ! without this the policy-map is never applied to the pair
ip access-list extended out-vlan2-filter
 permit tcp host 1.1.1.5 host 2.2.2.15 eq 22    ! comes from zone_vlan1
 permit udp any host 2.2.2.50 eq 4500            ! comes from zone_outside
 permit tcp host 3.3.3.9 host 2.2.2.22 eq 80     ! comes from zone_vlan3
 etc...
=> So for the other VLANs, there are zone-pairs "zp-in_vlan1" etc., which allow them to go outside.
Will these requests, for example from vlan1 towards vlan2, also arrive via the path "zone_vlan1 --> zone_outside --> zone_outside --> zone_vlan2"??
Or do I have to create the necessary "inter-vlan zone-pairs"?
Kind regards,
Stefan
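As an added example (not code from the thread or from Cisco), the Python script below takes the out-vlan2-filter entries and the zone membership from Stefan's configuration and derives the separate directional zone-pairs ZBFW needs for them, which also shows why a single "global" ACL per VLAN cannot be hung off the outside zone-pair: a zone-pair only ever sees traffic entering from its own source zone, so a `permit ... any` entry has to be repeated in every source zone's pair. Host addresses are the thread's; the mapping of addresses to zones by subnet, the treatment of anything outside the VLAN subnets as zone_outside, and the generated ACL/class-map/policy-map/zone-pair names are assumptions of this example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Zone membership by subnet, taken from the interface config in the thread (assumed /24s).
ZONES = {f"zone_vlan{i}": ip_network(f"{i}.{i}.{i}.0/24") for i in (1, 2, 3)}
OUTSIDE = "zone_outside"  # everything not in a VLAN subnet (the uplinks)

# The three ACEs of out-vlan2-filter quoted in the thread: (proto, src, dst, port).
ACES = [("tcp", "1.1.1.5", "2.2.2.15", 22),
        ("udp", "any", "2.2.2.50", 4500),
        ("tcp", "3.3.3.9", "2.2.2.22", 80)]

def zone_of(addr):
    """Return the zone an address belongs to (unknown subnets count as outside)."""
    for name, net in ZONES.items():
        if ip_address(addr) in net:
            return name
    return OUTSIDE

def source_zones(src, dst_zone):
    """'any' must fan out to every other zone: a zone-pair only sees its own source zone."""
    if src != "any":
        return [zone_of(src)]
    return [z for z in [*ZONES, OUTSIDE] if z != dst_zone]

def group_by_zone_pair(aces):
    """Split one per-VLAN ACL into the (source, destination) zone-pairs it needs."""
    pairs = defaultdict(list)
    for proto, src, dst, port in aces:
        dst_zone = zone_of(dst)
        for src_zone in source_zones(src, dst_zone):
            pairs[(src_zone, dst_zone)].append((proto, src, dst, port))
    return dict(pairs)

def render(pairs):
    """Emit ZBFW config: one ACL, class-map, policy-map and zone-pair per pair."""
    out = []
    for (sz, dz), aces in sorted(pairs.items()):
        tag = f"{sz}-to-{dz}"  # hypothetical naming scheme, not the thread's
        out.append(f"ip access-list extended acl-{tag}")
        for proto, src, dst, port in aces:
            src_txt = "any" if src == "any" else f"host {src}"
            out.append(f" permit {proto} {src_txt} host {dst} eq {port}")
        out += [f"class-map type inspect match-all cmap-{tag}",
                f" match access-group name acl-{tag}",
                f"policy-map type inspect pmap-{tag}",
                f" class type inspect cmap-{tag}", "  inspect",
                f"zone-pair security zp-{tag} source {sz} destination {dz}",
                f" service-policy type inspect pmap-{tag}"]
    return "\n".join(out)
```

Running `print(render(group_by_zone_pair(ACES)))` yields three zone-pairs into zone_vlan2 (from zone_vlan1, zone_vlan3 and zone_outside), with the `udp any ... eq 4500` entry repeated in each of them.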