Tuesday, February 26, 2019

What do you think of my design?

Scenario: Guest network and production network are currently separate. I would like to converge. Separate firewall, separate core, separate access switches.

My idea is to bring the APs to the production network's access switches, and VLAN them into the production network's core. Basically eliminating the need to refresh the guest network access switches and the core.

I want to keep the guest network firewall. My idea is to make the guest network firewall and the production firewall do the layer 3, and add security policies (they are both Palo Alto Networks firewalls, so the two firewalls would be connected via separate virtual routers).

Does that seem sound? I feel like it's more secure and a better design than trying to create access lists off the production core and connecting the production core to the guest firewall. Or to move all of the policies from the guest firewall into the production firewall (my biggest concern here is capacity, I don't want to make my production firewall handle all of the inspection of the guest network. I have enough throughput on the production firewall to handle the additional bandwidth from the two firewalls doing the layer 3 between the two networks, but not enough threat protection bandwidth on the production firewall to handle the guest traffic).

Any thoughts or suggestions are appreciated.
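Once the guest APs share the production access switches and core, guest isolation rests on two things the post describes: the guest VLAN only appearing on AP ports and the uplink toward the guest firewall, and the switches doing no layer 3 for that VLAN (so the firewall, not a core SVI, is the only router between guest and production). The script below is an added example, not code from the original post; it audits a Cisco IOS-style running-config for exactly those two conditions. The config text, VLAN IDs (100 production, 200 guest), interface names and the allowed-port list are all constructed assumptions for illustration; the post does not name the switch vendor.

```python
"""Audit that a guest VLAN stays inside its intended footprint on a converged switch.

Added example, not from the original post. Assumes a Cisco IOS-style
running-config; VLAN numbers, interface names and the sample config below
are constructed for illustration.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

GUEST_VLAN = 200  # assumed guest VLAN ID
# Ports where the guest VLAN is expected: the AP ports and the uplink toward the core/guest firewall.
ALLOWED_GUEST_PORTS = {"GigabitEthernet1/0/1", "GigabitEthernet1/0/2", "TenGigabitEthernet1/1/1"}

# Constructed sample config containing three deliberate problems:
# an SVI on the guest VLAN, a printer port in the guest VLAN, and an unpruned trunk.
SAMPLE_CONFIG = """\
vlan 100
 name PROD
vlan 200
 name GUEST
!
interface Vlan100
 ip address 10.1.100.1 255.255.255.0
!
interface Vlan200
 ip address 10.1.200.1 255.255.255.0
!
interface GigabitEthernet1/0/1
 description AP-1
 switchport mode trunk
 switchport trunk allowed vlan 100,200
!
interface GigabitEthernet1/0/2
 description AP-2
 switchport mode trunk
 switchport trunk allowed vlan 100,200
!
interface GigabitEthernet1/0/3
 description Printer
 switchport mode access
 switchport access vlan 200
!
interface GigabitEthernet1/0/4
 description Desktop
 switchport mode access
 switchport access vlan 100
!
interface TenGigabitEthernet1/1/1
 description Uplink-to-core
 switchport mode trunk
 switchport trunk allowed vlan 100,200
!
interface TenGigabitEthernet1/1/2
 description Uplink-to-dist
 switchport mode trunk
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS-style config into {interface name: [its indented config lines]}."""
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or any top-level statement ends the block
    return interfaces


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '100,200,300-302' into a set of IDs."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def trunk_allowed_vlans(lines: List[str]) -> Optional[Set[int]]:
    """Return the VLANs a trunk carries, or None meaning 'all' (the IOS default when unpruned)."""
    allowed: Optional[Set[int]] = None
    for line in lines:
        m = re.match(r"switchport trunk allowed vlan (add )?(.+)", line)
        if not m:
            continue
        verb, spec = m.group(1), m.group(2).strip()
        if spec == "all":
            allowed = None
        elif spec == "none":
            allowed = set()
        elif verb == "add ":
            allowed = (allowed or set()) | expand_vlan_list(spec)
        else:
            allowed = expand_vlan_list(spec)
    return allowed


def trunk_carries(lines: List[str], vlan: int) -> bool:
    """True if the trunk carries the VLAN, either explicitly or because nothing is pruned."""
    allowed = trunk_allowed_vlans(lines)
    return allowed is None or vlan in allowed


def audit(config: str, guest_vlan: int = GUEST_VLAN,
          allowed_ports: Set[str] = ALLOWED_GUEST_PORTS) -> List[Tuple[str, str]]:
    """Return (interface, finding) pairs for every place the guest VLAN escapes its footprint."""
    findings: List[Tuple[str, str]] = []
    for name, lines in parse_interfaces(config).items():
        if name.lower() == f"vlan{guest_vlan}":
            # The switch is routing the guest VLAN; layer 3 should live on the guest firewall only.
            findings.append((name, "svi-on-guest-vlan"))
            continue
        is_trunk = "switchport mode trunk" in lines
        access_vlan = next((int(l.split()[-1]) for l in lines
                            if l.startswith("switchport access vlan ")), None)
        if is_trunk and trunk_carries(lines, guest_vlan) and name not in allowed_ports:
            findings.append((name, "guest-on-unexpected-trunk"))
        elif not is_trunk and access_vlan == guest_vlan and name not in allowed_ports:
            findings.append((name, "guest-access-port-unexpected"))
    return findings


if __name__ == "__main__":
    for iface, reason in audit(SAMPLE_CONFIG):
        print(f"{iface}: {reason}")
```

Run against the sample it reports the core SVI on VLAN 200, the printer port sitting in the guest VLAN, and the second uplink that carries every VLAN because it was never pruned. The unpruned trunk is the case most often missed in a convergence like this: an AP trunk or a distribution uplink that was fine when the networks were physically separate silently extends the guest broadcast domain once the VLAN exists on the shared switch.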
