I have been tasked with creating a DMZ from scratch. I am a bit of a network newb, so please forgive my ignorance. I am to connect two Cisco 4948E-F switches to two CheckPoint firewalls. I will be using two 10G uplink ports from each switch to cross-connect to each FW, though they will only run at 1G as the FWs don't have 10G ports. I will create a dot1q trunk for each connection going from the switches to the FWs. I will also create a port-channel between the two switches. Three VRFs will be created: web, app and db. Three SVIs will be created for each VRF. My questions are:
1. I planned on creating sub-interfaces for each VRF, but it doesn’t appear that the 4948E-F supports sub-interfaces. How do I direct traffic coming from the FW through the trunk to a particular VRF?
2. How do I get the traffic from one VRF to pass through the FW to travel back down to the other VRF’s? I would think the routing would all happen within the switch since all SVI’s live on those switches.
These are my initial questions and I’m hoping this starts a thread that I can continue to use and ask questions.
Thanks in advance to all you senior network engineers in helping me keep my job.
Thank you, Giuseppe! That is excellent information. Your post now brings up additional questions, which is exactly what I was hoping for...
So, I should have mentioned the FWs are in an Active/Active configuration. I think I would want to cross-connect the switches to the FWs for redundancy/high availability. I did plan on creating an EtherChannel between the switches, but this is where my question lies. Since this is my DMZ, wouldn't I need the routed traffic to pass through the FW so I can configure the appropriate access-list rules to prohibit cross-VLAN communication? This is not a very complex network, so there are no routing protocols on the FWs. All routes are static and there are probably fewer than 12 in total.
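Editor's note: the following VRF-lite configuration is an added illustration for the two questions in the opening post (steering trunked VLANs into VRFs without sub-interfaces, and forcing inter-VRF traffic through the firewall). It is not taken from the thread or from any reply in it. The VLAN numbers, the 10.1.x.0/24 addressing, the firewall addresses 10.1.x.1, the RD values and the uplink port numbers are all assumed placeholders, and it assumes the switch image is licensed for VRF-lite.

```ios
! Added example, not from the original thread. VLAN IDs, addresses,
! RDs and port numbers below are illustrative assumptions.
ip routing
!
ip vrf web
 rd 65000:10
ip vrf app
 rd 65000:20
ip vrf db
 rd 65000:30
!
vlan 10
 name DMZ-WEB
vlan 20
 name DMZ-APP
vlan 30
 name DMZ-DB
!
! Sub-interfaces are not needed: the trunk carries tagged VLANs, and each
! VLAN's SVI is bound to a VRF with "ip vrf forwarding". A frame that arrives
! from the FW tagged VLAN 10 is therefore routed in VRF web, and so on.
! "ip vrf forwarding" clears any existing address, so it comes first.
interface Vlan10
 ip vrf forwarding web
 ip address 10.1.10.2 255.255.255.0
 no shutdown
interface Vlan20
 ip vrf forwarding app
 ip address 10.1.20.2 255.255.255.0
 no shutdown
interface Vlan30
 ip vrf forwarding db
 ip address 10.1.30.2 255.255.255.0
 no shutdown
!
! dot1q trunks toward the two firewalls on the 10G uplink ports
! (they will negotiate down to 1G against the FW ports).
interface TenGigabitEthernet1/49
 description Trunk to CheckPoint FW-A
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
interface TenGigabitEthernet1/50
 description Trunk to CheckPoint FW-B
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
!
! EtherChannel between the two switches carrying the same three VLANs.
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
interface range GigabitEthernet1/1 - 2
 channel-group 1 mode active
!
! Each VRF has its own routing table and its own default route pointing at
! the firewall's address inside that VLAN. No static route is configured in
! VRF web for 10.1.20.0/24 or 10.1.30.0/24 (and none in the others), so the
! switch cannot route web -> app directly: the only path is up the trunk to
! the FW, through its rulebase, and back down the trunk into the other VRF.
ip route vrf web 0.0.0.0 0.0.0.0 10.1.10.1
ip route vrf app 0.0.0.0 0.0.0.0 10.1.20.1
ip route vrf db  0.0.0.0 0.0.0.0 10.1.30.1
```

Two checks worth running after applying this: `show ip route vrf web` should list only the connected 10.1.10.0/24 and the default via 10.1.10.1, never an app or db prefix; and `show ip vrf interfaces` should show each SVI under the intended VRF. If the same SVIs are also created on the second switch, give them different addresses (for example 10.1.x.3) in the same VLANs. The next-hop 10.1.x.1 is assumed to be the address the Active/Active CheckPoint pair presents in each VLAN; which address that is depends on the firewall cluster configuration, not on the switch.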