cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1555
Views
0
Helpful
2
Replies

Logically Isolate Networks on the Same Physical Hardware

cbuster35
Level 1
Level 1

I have a question around a configuration that I wanted to throw out there and get some feedback on what I should do to satisfy this requirement.

The requirement is to securely isolate traffic between our traditional office network and our R&D network. These networks share the same physical hardware, and consist of multiple class c networks. An internally facing DMZ will be placed between the Office and R&D network to reach shared network services from both sides. We had a breach, where a user introduced a virus in our R&D network that propagated to our office network.

In this scenario the desired result would allow the R&D network to freely communicate with other R&D networks without going through a firewall, and the same goes for the Office network. However, when a device from the R&D Network tries to go to a network belonging to 10.0.1-49.X it is sent to the DMZ first. The DMZ then determines if it will drop or route the traffic based on rules. The same thing goes for office traffic trying to directly reach R&D.

Office Network (10.0.1-49.X)
10.0.10.0 /24 – Accounting
10.0.11.0 /24 – HR
10.0.12.0 /24 – Purchasing
….
10.0.49.0 /24 - IT

R & D Network (10.0.50-99.X)
10.0.50.0 /24 – R&D Lab
10.0.51.0 /24 – R&D Engineering
10.0.52.0 /24 – R&D QA
….
10.0.99.0 /24 – R&D Widgets

DMZ Network

10.0.100.0 /24 – DMZ IP = 10.0.100.254

Hardware

Cisco 6504 - Campus
3750X-48-TL Access Switches
5520 ASA Firewall

I have been thinking of trying VRFs, but not real familiar with it. Something like: vrf for office network; vrf for R&D, and vrf for DMZ. Could someone please provide some examples or propose a better solution to satisfy this requirement?

Thanks

2 Replies 2

Leo Laohoo
Hall of Fame
Hall of Fame

No expert but this sounds like Policy-Based Routing (PBR).

Joseph W. Doherty
Hall of Fame
Hall of Fame

Disclaimer

The  Author of this posting offers the information contained within this  posting without consideration and with the reader's understanding that  there's no implied or expressed suitability or fitness for any purpose.  Information provided is for informational purposes only and should not  be construed as rendering professional advice of any kind. Usage of this  posting's information is solely at reader's own risk.

Liability Disclaimer

In  no event shall Author be liable for any damages whatsoever (including,  without limitation, damages for loss of use, data or profit) arising out  of the use or inability to use the posting's information even if Author  has been advised of the possibility of such damage.

Posting

VRF can be use to create multiple L3 networks on the same hardware (sort of the L3 version of L2 VLANs).

NB: Actually I had worked at a large enterprise that used VRF for something almost identical, isolation of developer subnets from corporate subnets across a campus (also used VRF for guest Internet too).

We later also found VRF a nice way to merge an acquired company network into our network.  We would run prior company's networks as one VRF and the to-be-migrated-to corporate network as another VRF on same hardware.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco