Tuesday, November 16, 2021

Securing multiple L3 VLANs - EGRESS ACL or INGRESS ACL or both?

I am in the process of configuring a new network as I have 2 new switches that I can configure leaving the existing network as is for now. I am struggling to formulate where to place the necessary ACLs to restrict access based. I have some basic L3 switches, but can apply ingress and egress ACLs to ports and/or VLANs, I assume VLANs is the best choice.

Given the following VLANs:

Management : VLAN 1 - 192.168.1.0/24 (This will likely change to another VLAN, but for the sake of this demo it's VLAN 1)
Production : VLAN 20 - 192.168.20.0/24 (ESXi/DB servers/Windows AD/Puppet/General)
App : VLAN 30 - 192.168.30.0/24 (Web servers)
DMZ : VLAN 40 - 192.168.40.0/24 (HAProxy pair)

VLAN 20 can access everything.
VLAN 30 needs to access specific ports on VLAN 20 (DB, Puppet and proxy to internet).
VLAN 40 needs to access specific ports on VLAN 40 (Puppet) and VLAN 30 (http/https), and needs to expose http/https to the internet via the gateway (192.168.1.254).

I'm guessing it would be best to block EGRESS on VLAN 30 and VLAN 40 and then add specific rules to allow http/https/DB/DNS/Puppet to the other VLANs? What I am struggling with is the rules to allow VLAN 40 http/https direct to the gateway: would that be an INGRESS ACL as well as an EGRESS, or JUST EGRESS?

Also, does the logical separation look acceptable, or could it be improved?

Thanks
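The following is an added worked example, not part of the post and not any vendor's configuration. It models the four VLANs above as SVIs with IOS-style router ACLs (first match wins, implicit deny at the end of an applied ACL, "in" on an SVI means packets arriving from that VLAN's hosts, "out" means packets leaving the switch towards them) and walks each required and each unwanted TCP flow through the switch, including its reply segment, since these ACLs are stateless. The service ports (PostgreSQL 5432, Puppet 8140, proxy 3128, DNS 53), the address 203.0.113.10 standing in for an internet client, and the assumption that off-net traffic reaches the switch through VLAN 1 (where the gateway sits) are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the VLANs in the post. Anything outside these subnets
# is treated as "the internet" and is assumed to enter/leave the switch via
# VLAN 1, where the gateway 192.168.1.254 sits.
VLANS = {
    1: ipaddress.ip_network("192.168.1.0/24"),
    20: ipaddress.ip_network("192.168.20.0/24"),
    30: ipaddress.ip_network("192.168.30.0/24"),
    40: ipaddress.ip_network("192.168.40.0/24"),
}
ANY = ipaddress.ip_network("0.0.0.0/0")
DB, PUPPET, PROXY, DNS = 5432, 8140, 3128, 53   # assumed service ports
WEB = (80, 443)


def vlan_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((vid for vid, net in VLANS.items() if addr in net), 1)


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    dports: tuple = ()               # () = any destination port
    established: bool = False        # match only reply segments (TCP ACK set)

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt["src"]) in self.src
                and ipaddress.ip_address(pkt["dst"]) in self.dst
                and (not self.dports or pkt["dport"] in self.dports)
                and (not self.established or pkt["ack"]))


def acl_permits(rules, pkt):
    """First match wins; an applied ACL ends in implicit deny, no ACL permits all."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action == "permit"
    return not rules


# ACLs keyed by (SVI, direction). "in" on Vlan30 sees packets FROM VLAN 30 hosts,
# so the poster's "block egress from VLAN 30" is the "in" ACL on interface Vlan30.
ACLS = {
    (30, "in"): [
        Rule("permit", established=True),                      # replies to connections opened to VLAN 30
        Rule("permit", VLANS[30], VLANS[20], (DB, PUPPET, PROXY, DNS)),
    ],
    (30, "out"): [
        Rule("permit", VLANS[20], VLANS[30]),                  # production/admin reaches web servers freely
        Rule("permit", VLANS[40], VLANS[30], WEB),             # HAProxy forwards to the web tier
        Rule("permit", established=True),                      # replies to connections VLAN 30 opened
    ],
    (40, "in"): [
        Rule("permit", established=True),                      # replies to internet clients and to VLAN 20
        Rule("permit", VLANS[40], VLANS[20], (PUPPET,)),
        Rule("permit", VLANS[40], VLANS[30], WEB),
    ],
    (40, "out"): [
        Rule("permit", VLANS[20], VLANS[40]),
        Rule("permit", ANY, VLANS[40], WEB),                   # internet (via the gateway) hits the proxy
        Rule("permit", established=True),
    ],
}


def forward(pkt):
    """One packet through the L3 switch: ingress SVI 'in' ACL, then egress SVI 'out' ACL."""
    ingress, egress = vlan_of(pkt["src"]), vlan_of(pkt["dst"])
    if ingress == egress:                 # same VLAN is bridged at L2; router ACLs never see it
        return True
    return (acl_permits(ACLS.get((ingress, "in"), []), pkt)
            and acl_permits(ACLS.get((egress, "out"), []), pkt))


def flow_allowed(src, dst, dport):
    """Stateless ACLs see both halves of a TCP connection: the SYN and the reply."""
    syn = {"src": src, "dst": dst, "dport": dport, "ack": False}
    reply = {"src": dst, "dst": src, "dport": 40000, "ack": True}   # ephemeral client port
    return forward(syn) and forward(reply)


def check_policy():
    """Constructed test flows; 203.0.113.10 stands in for an internet client."""
    return {
        "web->db": flow_allowed("192.168.30.10", "192.168.20.10", DB),
        "web->ssh_prod": flow_allowed("192.168.30.10", "192.168.20.10", 22),
        "dmz->puppet": flow_allowed("192.168.40.10", "192.168.20.10", PUPPET),
        "dmz->db": flow_allowed("192.168.40.10", "192.168.20.10", DB),
        "dmz->web": flow_allowed("192.168.40.10", "192.168.30.10", 443),
        "internet->dmz": flow_allowed("203.0.113.10", "192.168.40.10", 443),
        "internet->web_direct": flow_allowed("203.0.113.10", "192.168.30.10", 443),
        "prod->dmz_ssh": flow_allowed("192.168.20.10", "192.168.40.10", 22),
        "web->dmz_ssh": flow_allowed("192.168.30.10", "192.168.40.10", 22),
    }


if __name__ == "__main__":
    for name, ok in check_policy().items():
        print(f"{name:22} {'permit' if ok else 'deny'}")
```

Two things the walk-through makes visible. First, the HTTP/HTTPS traffic VLAN 40 "exposes" to the internet arrives as SYNs from the gateway side, so the ACL that has to admit it is the one on the path into VLAN 40 (the "out" ACL on Vlan40 here, or an "in" ACL on Vlan1); the "in" ACL on Vlan40 only needs an established permit for the replies. Second, an "in" ACL on Vlan30 and Vlan40 alone restricts what those hosts can start but does nothing to stop the gateway side reaching VLAN 30 directly; dropping the (30, "out") entry from ACLS flips "internet->web_direct" to permit. With genuinely stateless ACLs, the established permits are unavoidable; if the switches support reflexive or object-group ACLs, those replace the blanket ACK-set permits.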


