I have a question regarding the best-practice design for my firewall and routing. I need to create 30 new VLANs that need to be filtered in the firewall, so the traffic should pass through the firewall. These 30 new VLANs will have their own subnets (/24). My question regarding the design: should I create the VLANs on the router or as sub-interfaces on the firewall? If I create the new VLANs as layer 3 on the router, the clients will be "directly connected", and that means the traffic will only go through the router. Can I solve this by adding static IP routes on the router that point to the firewall IP, or will those be overruled by the "directly connected" status?
Looks like you answered your own question... create the subinterfaces on the firewall and they will all be filtered from each other... the pain will be the access-list rules... good luck.
Definitely create subinterfaces on the FW. That should be simple and secure. Try to move as much L3 security as possible to the FW. Let the router just route packets; don't burden the poor thing. Also, you said 30 VLANs; that would be a lot of traffic. Make sure you select the right HW (router, switch, etc.). The FW 5550 is a good one.
Thanks for the reply. So basically you are telling me that this is best practice: create 30 VLANs/subinterfaces spread across two physical interfaces on the ASA with 30 access-groups/lists, create two trunk interfaces on the router (layer 2), and route the specific traffic to the firewall. Do I need to assign IP addresses to the router for the specific subnets?
Trunk is correct, but you will need at least one subnet that is the same on the router and the firewall... this will allow you to route to the other subnets configured on the firewall.
No, just one... the one with the highest security level... then on the router, route the other subinterfaces defined on the firewall to the firewall interface that is connected to the router... I know it sounds confusing...
Thanks for the reply. Can I solve this by creating a /30 subnet for routing between the router and the firewall? But what if I want to use two physical interfaces with 15 VLANs each? Do I need to create two IPs on the router?
Yeah, you can create a /30... on the second one, that is a good question... I haven't tried that before, but I would think you would route to the particular interface that the subinterfaces are on... so yeah, two IPs on the router will have to be configured... this is kind of unique... let me know how it works out...
I think I can solve this by creating two /30 subnets, one for each physical interface.
On the firewall:
Interface 1: subinterfaces/VLANs 1 to 15 (all VLANs have their own /24 subnet), plus VLAN 31 with a /30 subnet and the highest security level. VLAN 31 is created to communicate with VLANs 1 to 15 from the router.
Interface 2: subinterfaces/VLANs 15 to 30 (all VLANs have their own /24 subnet), plus VLAN 32 with a /30 subnet and the highest security level. VLAN 32 is created to communicate with VLANs 15 to 30 from the router.
I hope this will work :-)
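As an added illustration (not configuration posted by anyone in this thread), here is what the design in the last post looks like on the ASA and on the router for physical interface 1 only: VLAN 31 as the /30 transit with the highest security level, one client VLAN subinterface with its own access-group, and the router's static routes pointing at the ASA's /30 address. Interface names, VLAN 2, and the 10.x addresses are assumed; interface 2 with VLAN 32 repeats the same pattern, and the client VLANs are assumed to arrive on the ASA trunk from the switches.

```cisco
! ===== ASA: physical interface 1 carries VLANs 1-15 plus VLAN 31 (router link) =====
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
! VLAN 31: /30 transit to the router, highest security level (assumed addresses)
interface GigabitEthernet0/1.31
 vlan 31
 nameif rtr-link-1
 security-level 100
 ip address 10.255.0.1 255.255.255.252
!
! One client VLAN as an example; repeat for each of VLANs 1-15 with its own /24
! and a security-level lower than the transit so it cannot reach the router side
! without an explicit permit
interface GigabitEthernet0/1.2
 vlan 2
 nameif vlan2
 security-level 50
 ip address 10.1.2.1 255.255.255.0
!
! Per-VLAN filtering: one access-list per subinterface, applied inbound
access-list VLAN2_IN extended permit tcp 10.1.2.0 255.255.255.0 any eq 443
access-list VLAN2_IN extended deny ip any any log
access-group VLAN2_IN in interface vlan2
!
! Everything not local to the ASA goes to the router via the /30
route rtr-link-1 0.0.0.0 0.0.0.0 10.255.0.2 1

! ===== Router (IOS): trunk toward ASA interface 1, L3 only on VLAN 31 =====
interface GigabitEthernet0/0
 no ip address
!
interface GigabitEthernet0/0.31
 encapsulation dot1Q 31
 ip address 10.255.0.2 255.255.255.252
!
! The client /24s are NOT directly connected here, so static routes decide:
! every subnet behind ASA interface 1 is reached via the ASA's /30 address
ip route 10.1.1.0 255.255.255.0 10.255.0.1
ip route 10.1.2.0 255.255.255.0 10.255.0.1
! ... one route per VLAN, or a single summary if the /24s are contiguous:
! ip route 10.1.0.0 255.255.240.0 10.255.0.1
```

With the VLANs existing only as subinterfaces on the ASA, the "directly connected" concern from the first post disappears: the router holds nothing but the /30 and static routes, so all inter-VLAN traffic has to cross the firewall and its access-groups.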