Saturday, May 19, 2018

Trying to wrap my head around firewall design

The current network I work on is a collapsed core, with L2 spanning the campus. We have TRUST security zone VLANs terminated on the core, and other security zones (WWW, DMZ, DB, etc.) terminated on our edge firewall. We are planning a campus network refresh with the plan of going L3 down to the access layer (https://www.cisco.com/c/dam/en/us/td/i/100001-200000/110001-120000/119001-120000/119801.ps/_jcr_content/renditions/119801.jpg?zoom=2).

The one problem I have is wrapping my head around security zones if the only FW we have is at the internet edge (it is a 40Gb Palo 5250). We will have DMZ servers in the Data Center block. In my mind, creating virtual routers that span the network would be the fix (VR_WWW, VR_DMZ, VR_DB). Then the edge firewall would do the inter-VR routing, and we can place security zone policies there.

Also, in the same breath, I think this is stupid, since let's say you have a WWW server sending traffic from the Data Center block to the firewall on the Internet block, routed from VR_WWW to VR_DB and sent back to the Data Center block. Maybe this is the only solution until budgeting is available for a firewall on the Data Center block.
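As an added illustration (not from the original post), here is what the "one virtual router per security zone, inter-VR routing and policy on the edge firewall" design sketched above looks like in configuration: VRF-lite on a Cisco IOS L3 switch in the Data Center block, with each VRF's only exit being a routed uplink to the matching virtual router and zone on the PAN-OS edge firewall. Every name, VLAN, interface and address below is an assumption for the example; the PAN-OS `set` syntax should be checked against the running PAN-OS version before use.

```text
! --- Data Center block L3 switch (Cisco IOS VRF-lite), assumed config ---
vrf definition WWW
 address-family ipv4
vrf definition DB
 address-family ipv4
!
interface Vlan100
 description WWW servers
 vrf forwarding WWW
 ip address 10.10.100.1 255.255.255.0
!
interface Vlan300
 description DB servers
 vrf forwarding DB
 ip address 10.30.100.1 255.255.255.0
!
! Uplink to the Internet block: one routed subinterface per VRF, so each VRF
! reaches the firewall on its own link, which the firewall maps to its own zone.
interface TenGigabitEthernet1/1/1
 no switchport
 no ip address
interface TenGigabitEthernet1/1/1.100
 encapsulation dot1Q 100
 vrf forwarding WWW
 ip address 10.255.1.2 255.255.255.252
interface TenGigabitEthernet1/1/1.300
 encapsulation dot1Q 300
 vrf forwarding DB
 ip address 10.255.3.2 255.255.255.252
!
! No route leaking on the switch: the only path out of a VRF is the firewall,
! so the zone boundary really is enforced there and not bypassed in the DC block.
ip route vrf WWW 0.0.0.0 0.0.0.0 10.255.1.1
ip route vrf DB  0.0.0.0 0.0.0.0 10.255.3.1

# --- PAN-OS edge firewall (PA-5250), assumed config; verify syntax against your version ---
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.100 tag 100
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.100 ip 10.255.1.1/30
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.300 tag 300
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.300 ip 10.255.3.1/30
set network virtual-router VR_WWW interface ethernet1/1.100
set network virtual-router VR_DB  interface ethernet1/1.300
set zone WWW network layer3 ethernet1/1.100
set zone DB  network layer3 ethernet1/1.300
# Routes back toward the Data Center block inside each virtual router
set network virtual-router VR_WWW routing-table ip static-route to-www destination 10.10.0.0/16 nexthop ip-address 10.255.1.2
set network virtual-router VR_DB  routing-table ip static-route to-db  destination 10.30.0.0/16 nexthop ip-address 10.255.3.2
# Inter-VR routing: VR_WWW reaches DB space via VR_DB and vice versa (next-vr next hop)
set network virtual-router VR_WWW routing-table ip static-route to-db  destination 10.30.0.0/16 nexthop next-vr VR_DB
set network virtual-router VR_DB  routing-table ip static-route to-www destination 10.10.0.0/16 nexthop next-vr VR_WWW
# Zone policy on the hairpin; anything not matched falls to the interzone-default deny
set rulebase security rules www-to-db from WWW to DB source 10.10.100.0/24 destination 10.30.100.0/24 application mysql service application-default action allow
set rulebase security rules www-to-db log-end yes
```

Two things worth checking in a design like this: the switch side must carry no routes between VRFs (no `ip route vrf ... ` pointing into another VRF and no route leaking), otherwise the firewall zone boundary is silently bypassed inside the Data Center block; and, exactly as the post observes, every WWW-to-DB flow now crosses the uplink to the Internet block twice, so that link and the firewall's throughput are sized for east-west traffic, not just internet traffic.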


