- Jun 28, 2011
- 91
- 0
- 18,630
Goal: Securely connect to internet with complete redundancy
Topology: http://s12.postimg.org/7hex5w89p/nettoplogy.png
Available Hardware: TWO (2) CISCO Catalyst 3650, TWO (2) CISCO ASA 5515-X, TWO (2) Internet Routers (managed by ISP)
Setup (my thought process): Other than the internet networks the core switches will contain four (4) separate VLANs. One for the buffer network between the ASA (inside), one for the ASA (outside), and one for each public internet network.
ASA (inside) - VLAN 253 - Network 10.2.253.0/28
ASA (outside) - VLAN 253 - Network 10.2.253.0/28
Internet 1 - VLAN 111 - Network 1.1.1.1/27
Internet 2 - VLAN 222 - Network 2.2.2.2/27
Inside networks - 10.2.64.0/20
To allow redundant interfaces on each switch I had the idea that I could assign 2 ports to each VLAN with an SVI on each switch of .2 and .3 and HSRP virtual IP of .1
Dilemma: How do I make my traffic flow through the correct stages without the SVIs automatically routing around my firewall or prevent someone from purposefully bypassing my firewall?
Other facts: I have heard two very renown multi-CCIE's who have suggested multiple times that it is very possible to do all of this on the same switch securely even though many "security guys" will say it is unsecure. Perhaps my method is impossible though and I need to use routed ports in combination with VLAN access ports instead of just two ports and an SVI (but this seems like it will eat up a ton of ports, however, if this is the only way then I will do it).
These same two guys are also the ones that suggested there be a buffer network on either side of the ASA. I have yet to find the actual reason, but it has been implied more than several times that you they did not want their ASA's directly in other networks. Some clarification on that would be fantastic!
If I should be posting this question somewhere else: PLEASE LET ME KNOW!
Thanks for any and all help!
Topology: http://s12.postimg.org/7hex5w89p/nettoplogy.png
Available Hardware: TWO (2) CISCO Catalyst 3650, TWO (2) CISCO ASA 5515-X, TWO (2) Internet Routers (managed by ISP)
Setup (my thought process): Other than the internet networks the core switches will contain four (4) separate VLANs. One for the buffer network between the ASA (inside), one for the ASA (outside), and one for each public internet network.
ASA (inside) - VLAN 253 - Network 10.2.253.0/28
ASA (outside) - VLAN 253 - Network 10.2.253.0/28
Internet 1 - VLAN 111 - Network 1.1.1.1/27
Internet 2 - VLAN 222 - Network 2.2.2.2/27
Inside networks - 10.2.64.0/20
To allow redundant interfaces on each switch I had the idea that I could assign 2 ports to each VLAN with an SVI on each switch of .2 and .3 and HSRP virtual IP of .1
Dilemma: How do I make my traffic flow through the correct stages without the SVIs automatically routing around my firewall or prevent someone from purposefully bypassing my firewall?
Other facts: I have heard two very renown multi-CCIE's who have suggested multiple times that it is very possible to do all of this on the same switch securely even though many "security guys" will say it is unsecure. Perhaps my method is impossible though and I need to use routed ports in combination with VLAN access ports instead of just two ports and an SVI (but this seems like it will eat up a ton of ports, however, if this is the only way then I will do it).
These same two guys are also the ones that suggested there be a buffer network on either side of the ASA. I have yet to find the actual reason, but it has been implied more than several times that you they did not want their ASA's directly in other networks. Some clarification on that would be fantastic!
If I should be posting this question somewhere else: PLEASE LET ME KNOW!
Thanks for any and all help!
Facebook
Twitter
Instagram