Friday, September 13, 2019

Real World Best Practice/ Design for "Firewall on a stick"

Hello,

Apologies for the weird title. I am wondering if I could pick the collective brains for a hand with a "Firewall on a stick" slightly fictional solution I am trying to come up with.

Essentially, I have 3 VRFs on a core switch, each representing a different "function" of the business. For simplicity, let's say Accounting, Brian's_Department, Craft_Department (VRF A, B, and C respectively). I want to map each of those VRFs to a zone on a Firewall. If traffic from an Accounting Department PC wants to talk to an Accounting Dept Server, that traffic happens within the same VRF. (processing happens on the switch)

If an Accounting PC wants to look at a Craft_Department server, then I want that traffic to go up to the firewall, processed by rules there, then come back down (processed on FW).

I want to do it this way as each department has a desire to implement each of their areas with 100 cameras, which must (of course) record in 4K. I don't want the Firewall to have to process/handle camera traffic from one VLAN to another when it doesn't necessarily have to.

How do I go about interconnecting the Switch to the Firewall? I have heard of using sub-interfaces with a "transit" VLAN for each VRF to the Firewall, where the VLAN has an SVI on both the VRF and the Firewall, which is then placed in a zone on the FW. Much like this: https://packetpushers.net/using-vrfs-to-maintain-security-zones-in-an-layer-3-datacenter-network/

However, I'm worried about this scaling; how would this work if I later wanted to do it as a port channel? Again, how would that work if the core was 2 Nexus switches doing vPC?

Really looking for advice on how this is handled in the real world and what the best way to do this is. If it helps, I'm using a Palo Alto Firewall.

Here's a diagram of what I'm trying to achieve: https://i.imgur.com/mcnOyFN.png Thanks for the read; really appreciate the help.
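As an added illustration (not from the original post), the transit-VLAN design described above for one VRF, carried over a port channel so it already fits the later port-channel question: an NX-OS core side and a PAN-OS firewall side. VRF name VRF_A, VLAN 10, the 10.255.10.0/30 transit, the 10.1.0.0/16 and 10.3.0.0/16 department prefixes, zone names and rule name are all constructed, and the PAN-OS set-command syntax is written from memory for a single-vsys box.

```text
! --- Core switch (NX-OS). VRF_A / VLAN 10 shown; VRF_B and VRF_C repeat the pattern with VLAN 20 / 30 ---
feature interface-vlan
feature lacp
!
vrf context VRF_A
  ip route 0.0.0.0/0 10.255.10.2        ! anything leaving the VRF is forced through the firewall
!
vlan 10
  name TRANSIT_VRF_A
!
interface Vlan10
  vrf member VRF_A
  ip address 10.255.10.1/30             ! switch end of the transit /30 (constructed address)
  no shutdown
!
interface port-channel1                 ! one trunk carries all transit VLANs to the firewall
  switchport mode trunk
  switchport trunk allowed vlan 10,20,30
!
interface Ethernet1/1
  switchport mode trunk
  switchport trunk allowed vlan 10,20,30
  channel-group 1 mode active

# --- Palo Alto (PAN-OS set commands): one tagged sub-interface per transit VLAN, each bound to its own zone ---
set network interface ethernet ethernet1/1 aggregate-group ae1
set network interface aggregate-ethernet ae1 layer3 units ae1.10 tag 10
set network interface aggregate-ethernet ae1 layer3 units ae1.10 ip 10.255.10.2/30
set zone Accounting network layer3 ae1.10
set network virtual-router default interface ae1.10
# the firewall must know which VRF owns each department prefix, otherwise return traffic has no route
set network virtual-router default routing-table ip static-route TO_VRF_A destination 10.1.0.0/16 nexthop ip-address 10.255.10.1
set network virtual-router default routing-table ip static-route TO_VRF_A interface ae1.10
# zone-to-zone policy: only the inter-department flows ever reach this rulebase; intra-VRF camera traffic never leaves the switch
set rulebase security rules ACCT_TO_CRAFT_WEB from Accounting to Craft_Department source any destination 10.3.0.0/16 application ssl service application-default action allow
```

With two Nexus switches in vPC, each switch needs its own SVI address in the transit VLAN plus a shared HSRP VIP, so the transit becomes a /29 and the firewall's static routes point at the VIP rather than a single switch address. The port channel then becomes a vPC member (`vpc 1` under port-channel1 on both switches), with the firewall's ae1 members split across the pair.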


