Attached I have a high-level overview Visio of what I'm trying to accomplish. Basically, I need to set up VLANs for both company and public traffic at remote sites separated by PTP T1s. Company VLANs need to access other company VLANs and the Internet, and public VLANs only need to access the Internet out the CheckPoint firewall.
I'm assuming that ACL's would be needed to control what VLANs can see other VLANs, along with a routing protocol like EIGRP...but my main concern is ACL hell because I will be dealing with a lot of remote sites and a lot of company VLAN subnets.
Also, my boss is worried about security with regard to the public network, and he doesn't think that you can easily prevent the public network from accessing all the other company networks while still letting it get to the Internet without extending the VLANs across the T1s and all the way up to the CheckPoint firewall.
Any help and suggestions would be greatly appreciated.
I would suggest taking another look at your subnetting scheme. Instead of using 192.168.x.x for both the public and corporate networks, why not use 192.168.x.x for the public networks and 10.x.x.x or 172.16.x.x for the corporate, or vice versa? It would make the creation and administration of ACLs and access policies a lot simpler.
So essentially I could have one ACL that encompasses the entire public network like 10.0.0.0 0.255.255.255 on each router and do the same for the corporate network to minimize the configurations needed.
If I create ACLs denying anything with a source of the public network and destination of the corporate network, then allow all other traffic it should be sufficient correct? Also, I only need to put these ACLs on the interfaces closest to the source right? Not on every router on the network.
Yes, that is the general idea, and yes, you need to put the ACLs on the interfaces at the source and probably at key points on the network as a safeguard. You may need to consider how DNS and DHCP services will work also, and may want to consider only allowing HTTP traffic on the public segments.
I have to add that your boss's concerns about security are not unfounded. This could work if properly administered; however, it is not an optimum design. A missed ACL would indeed expose the network.
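As an added worked example (not configuration posted by anyone in this thread), here is what the approach above looks like in IOS on one remote-site router and on the hub router at the other end of the T1. It assumes the re-addressing suggested earlier: public VLANs in 192.168.0.0/16 and corporate VLANs in 10.0.0.0/8. The VLAN ID, interface names, the public subnet 192.168.20.0/24, the serial interface and the resolver address 198.51.100.53 are all hypothetical placeholders.

```cisco
! ---- Remote-site router: filter at the source (public VLAN SVI) ----
! Added example; addresses, VLAN IDs and interface names are assumptions.
!
! Keep public DHCP local to the router so no corporate server is exposed.
ip dhcp excluded-address 192.168.20.1
ip dhcp pool PUBLIC-SITE1
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1
 dns-server 198.51.100.53
!
! Order matters: the DHCP permit must precede the deny lines, and every
! other permit is scoped to the public source range, so a host that spoofs
! a 10.x.x.x source falls through to the final deny.
ip access-list extended PUBLIC-IN
 remark DHCP from public hosts to the local relay/server
 permit udp any eq bootpc any eq bootps
 remark Public range may never reach the corporate range (log for detection)
 deny   ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255 log
 remark Public sites do not need to talk to each other either
 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 remark Remaining permits are Internet-only: DNS and web, as the reply suggests
 permit udp 192.168.0.0 0.0.255.255 any eq domain
 permit tcp 192.168.0.0 0.0.255.255 any eq www
 permit tcp 192.168.0.0 0.0.255.255 any eq 443
 deny   ip any any log
!
interface Vlan200
 description Public VLAN (hypothetical ID)
 ip address 192.168.20.1 255.255.255.0
 ip access-group PUBLIC-IN in
!
! Never form EIGRP adjacencies on a public segment.
router eigrp 100
 passive-interface Vlan200
!
! ---- Hub router: safeguard at the choke point (T1 side) ----
! If a remote site is deployed without PUBLIC-IN, this still keeps the
! public range out of the corporate range. Routing-protocol and corporate
! traffic is unaffected because it is not sourced from 192.168.0.0/16.
ip access-list extended T1-IN-GUARD
 deny   ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255 log
 permit ip any any
!
interface Serial0/0/0
 description PTP T1 to remote site (hypothetical)
 ip access-group T1-IN-GUARD in
```

Two points worth checking on a real deployment. First, the hub-side T1-IN-GUARD is repeated on every T1 interface, which is the "key points" safeguard mentioned above; counting hits on its deny line with `show ip access-lists T1-IN-GUARD` is a quick way to discover a remote site whose source ACL was missed. Second, the corporate ACLs that sit on the 10.x VLANs still have to allow corporate-to-corporate and corporate-to-Internet traffic, so nothing in this fragment is applied there; the deny direction is only ever public-to-corporate.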