New Member

Design Question

Hello,

I'm not certain if I'm posting this question in the correct forum but I'm sure many of you will have some very valuable input.

I'm designing a network setup and have two options for configuring the outside switches and Cisco ASAs.

Option 1, the outside switch stack has 3 VLANs, one for each remote network connection and an 802.1Q trunked connection to each of the Cisco ASAs. Each remote network connection can only communicate with networks defined on the Cisco ASA access control lists. This design allows future remote network connections to be added by creating a new VLAN defined on the outside switch stack and a new subinterface defined on the Cisco ASAs.

The Cisco ASAs have three subinterfaces, one for each remote connection on the outside switch stack, on the first physical interface, and the remaining four physical interfaces are used for the switching subnet, redundant failover connections and the management interface.

Option 2, the outside switch stack has 4 VLANs, one for each remote network connection and one for the connection to the Cisco ASAs. Each remote network connection can only communicate with networks defined on the switch using the Layer 3 routing features and access control lists. This design allows future remote network connections to be added by creating a new VLAN defined on the outside switch stack.

Cheers,

David.

1 ACCEPTED SOLUTION
Hall of Fame Super Blue

Re: Design Question

David

Thanks for clarifying.

So I'm assuming all the connections present as Ethernet?

If so then I can't see what you gain by having a 4th connection unless you want to manage the ASA remotely and do not want to use the failover internet connection.

Other options -

1) use active/active on your ASA firewalls and run contexts, but as they each need to get to a shared DMZ, which it sounds like they do, then I'm not sure what you gain by this. You would end up with a shared outside interface and a shared DMZ interface so there seems little benefit.

2) route off the switch stack and run vrf-lite which would ensure complete segregation of traffic but again you would still need to define subinterfaces on the outside interface of the ASA so you are really just adding a layer of complexity you don't need.

So I would simply go with the 3 VLAN option, although obviously there is a limit to which this can scale depending on how much bandwidth the incoming lines amount to.

Jon
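To make the recommended 3 VLAN option concrete, here is an added configuration sketch for the outside switch stack and one ASA. It is not from the thread or from Cisco; VLAN numbers, interface names and addresses (RFC 5737 documentation ranges, a 10.10.10.0/24 DMZ and a host 10.10.10.20) are constructed placeholders. It shows the two controls that keep the three remote connections apart: the switch stays Layer 2 for those VLANs (no SVIs), and the ASA subinterfaces all sit at security-level 0 with per-interface ACLs that permit only the DMZ hosts and log everything else.

```cisco
! ---- Outside switch stack (Catalyst IOS), constructed example ----
! One VLAN per remote connection; no "interface vlan" SVIs are created for
! these, so the stack cannot route between them even by accident.
vlan 101
 name CUSTOMER
vlan 102
 name INTERNET-FAILOVER
vlan 103
 name SITE-P2P
!
interface GigabitEthernet1/0/1
 description Customer handoff
 switchport mode access
 switchport access vlan 101
!
! 802.1Q trunk to each ASA, restricted to the three remote VLANs only
interface GigabitEthernet1/0/23
 description Trunk to ASA-1 outside
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 101-103
 switchport nonegotiate
!
! ---- ASA 5520 (pre-8.3 ACL syntax, no network objects), constructed example ----
interface GigabitEthernet0/0
 description Outside trunk to switch stack
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet0/0.101
 vlan 101
 nameif customer
 security-level 0
 ip address 192.0.2.1 255.255.255.252
!
interface GigabitEthernet0/0.102
 vlan 102
 nameif inet-failover
 security-level 0
 ip address 198.51.100.1 255.255.255.252
!
interface GigabitEthernet0/0.103
 vlan 103
 nameif site-p2p
 security-level 0
 ip address 203.0.113.1 255.255.255.252
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
! All three remote subinterfaces share security-level 0. Leave
! "same-security-traffic permit inter-interface" UNCONFIGURED so the ASA
! refuses remote-to-remote forwarding before any ACL is consulted.
!
! Inbound ACLs: each remote connection reaches only the DMZ services it needs.
access-list customer_in extended permit tcp any host 10.10.10.20 eq 443
access-list customer_in extended deny ip any any log
access-group customer_in in interface customer
!
access-list site_p2p_in extended permit ip any 10.10.10.0 255.255.255.0
access-list site_p2p_in extended deny ip any any log
access-group site_p2p_in in interface site-p2p
!
access-list inet_failover_in extended permit tcp any host 10.10.10.20 eq 443
access-list inet_failover_in extended deny ip any any log
access-group inet_failover_in in interface inet-failover
```

Adding a fourth remote connection is then a new VLAN in the trunk's allowed list plus one more subinterface and ACL on the ASA, which is the scaling property the question describes. The explicit `deny ip any any log` at the end of each ACL is what gives you visibility of any remote network probing for the others, and `show conn` filtered on the remote interface names is the quick check that no remote-to-remote connection ever builds.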

4 REPLIES
Hall of Fame Super Blue

Re: Design Question

David

It's not clear exactly what you are trying to do. Generally speaking you only have one VLAN to the outside interface of the ASA and then, if you need to segregate the traffic, you would have separate DMZs for each network. You generally don't have a separate VLAN per network on the outside interface of the ASA.

Perhaps you could provide some more details as to what you are trying to achieve?

Jon

New Member

Re: Design Question

Hi Jon,

Thanks for the reply, sorry for the lack of detail.

Basically, we will have three external connections coming into our network and none of them should be allowed to route to each other, but each of the connections will need to connect to some system on the DMZ network. One connection would be to a customer, one connection would be a failover internet line and the other connection would be a point-to-point connection to our other site.

In terms of equipment we have 4 stackable switches (1 pair for inside switches and 1 pair for outside switches), and 2 ASA 5520s. We will be introducing some Big IP GTM at some point in the future.

We are looking for the best way to set this up and would like advice from knowledgeable people like yourself.

Many thanks,

David.

New Member

Re: Design Question

Thanks for your advice Jon, that has really helped.

David.
