
VLANs, Layer 3 Switch or Firewall ACLs

14 years 5 months ago #34970 by LanEvoVI
Hi All,

I'm in need of some opinions on where best to implement security for different VLANs. We are moving from a very flat network to a more segmented design. This is what I'm envisioning with my existing equipment:

OPTION 1:
- Access layer containing Cisco 2960G series switches which are configured with the vlans for the workstations.
- The uplink trunks from the 2960Gs will be connected to a Cisco 3560G. The uplink for the 3560G will then be connected to an interface on a Cisco ASA 5520.
- A second interface on the ASA will connect to my servers.
- A third interface on the ASA will connect to the WAN firewall.

ACLs will be implemented on the ASA.

OPTION 2:
- Access layer containing Cisco 2960G series switches which are configured with the vlans for the workstations.
- The uplink trunks from the 2960Gs will be connected to a Cisco 3560G. Uplinks for my servers will also be connected to the 3560G.
- The uplink for the 3560G will connect to the WAN firewall.

ACLs will be implemented on the 3560G.

My goal is to control access to/from VLANs based on src/dst IPs and src/dst ports (layer 4). I know the ASA is capable; would the 3560 be capable through extended ACLs? The reason I'm even considering the ACL on the 3560 is because of performance to the servers from the workstations. Security is a priority, but I'm not sure that 200+ workstations trunking through a single 1 Gbps interface to the ASA will be adequate.

Your thoughts?

Thanks in advance.
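Option 2 as described above, written out as an added example (not configuration from the original poster or from Cisco): a Catalyst 3560G doing inter-VLAN routing with an extended IP ACL applied to the workstation SVI. The VLAN numbers, addresses and server roles are assumed for illustration. The ACL is a router ACL, so it is matched in the switch's TCAM rather than by the CPU, and it filters on exactly the fields the question asks about (source/destination address and TCP/UDP port).

```cisco
! Added example, not from the thread. Assumed addressing:
!   VLAN 10   workstations   10.1.10.0/24   SVI 10.1.10.1
!   VLAN 20   CAD/GIS        10.1.20.0/24   SVI 10.1.20.1
!   VLAN 100  servers        10.1.100.0/24  SVI 10.1.100.1
!   VLAN 254  link to the edge firewall, whose inside address is 10.1.254.1
!   AD/DNS 10.1.100.5, Exchange 10.1.100.10, file server 10.1.100.20, WSUS 10.1.100.30
!
ip routing
!
vlan 10
 name WORKSTATIONS
vlan 20
 name CAD-GIS
vlan 100
 name SERVERS
vlan 254
 name EDGE
!
! Router ACL applied inbound on the workstation SVI: it sees traffic
! leaving the workstation VLAN toward every other VLAN and the edge.
ip access-list extended WS-IN
 remark --- AD/DNS: name resolution, Kerberos, LDAP, SYSVOL
 permit udp 10.1.10.0 0.0.0.255 host 10.1.100.5 eq 53
 permit tcp 10.1.10.0 0.0.0.255 host 10.1.100.5 eq 53
 permit udp 10.1.10.0 0.0.0.255 host 10.1.100.5 eq 88
 permit tcp 10.1.10.0 0.0.0.255 host 10.1.100.5 eq 88
 permit tcp 10.1.10.0 0.0.0.255 host 10.1.100.5 eq 389
 permit tcp 10.1.10.0 0.0.0.255 host 10.1.100.5 eq 445
 permit udp 10.1.10.0 0.0.0.255 host 10.1.100.5 eq 123
 remark --- Exchange: OWA/HTTPS plus MAPI RPC endpoint mapper
 permit tcp 10.1.10.0 0.0.0.255 host 10.1.100.10 eq 443
 permit tcp 10.1.10.0 0.0.0.255 host 10.1.100.10 eq 135
 remark --- MAPI uses dynamic high ports unless pinned on the server;
 remark --- narrow this range once the Exchange ports are fixed
 permit tcp 10.1.10.0 0.0.0.255 host 10.1.100.10 range 1024 65535
 remark --- file server (SMB)
 permit tcp 10.1.10.0 0.0.0.255 host 10.1.100.20 eq 445
 remark --- WSUS
 permit tcp 10.1.10.0 0.0.0.255 host 10.1.100.30 eq 8530
 remark --- nothing else to servers or to the CAD VLAN; internet is allowed
 deny   ip 10.1.10.0 0.0.0.255 10.1.100.0 0.0.0.255
 deny   ip 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255
 permit ip 10.1.10.0 0.0.0.255 any
!
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip access-group WS-IN in
!
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
!
interface Vlan100
 ip address 10.1.100.1 255.255.255.0
!
interface Vlan254
 ip address 10.1.254.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.1.254.1
```

Two things to check before relying on this instead of the ASA. First, the switch ACL is stateless: the example only filters in the workstation-to-server direction and leaves the reply path (inbound on Vlan100) open, which is what makes it simple; if you also want to filter traffic the servers initiate toward workstations, a second ACL on Vlan100 would need `permit tcp ... established` entries for the replies, and whether that keyword is matched in hardware on this platform should be confirmed in the 3560 configuration guide for your IOS release. Second, router ACLs only stay fast while they fit in TCAM; after applying them, run `show platform tcam utilization` and `show ip access-lists` to confirm the entries are programmed and hit counters move, because an ACL that overflows the TCAM pushes forwarding to the CPU and gives you the performance problem you were trying to avoid. Finally, the ASA in option 1 is stateful and inspects connections; the 3560 only matches headers, so it will not give you connection tracking or protocol inspection, only address/port filtering.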
14 years 5 months ago #34972 by JamieP
A couple of questions:
Are the 200 workstations just office machines?
Are they currently up and running? Maybe you could get some traffic statistics for your current config?
What size VLANs do you want?
Where will most of your traffic go? Inter-VLAN? Internet?
Do you have to consider WAN/VLAN access?
Is this including your internet edge, or is that up and running and you're happy with it?

If you provide a kit list of what you have available, I will knock up a diagram of what I would do.

Jamie Parks
Network Engineer, UK
14 years 5 months ago #34982 by S0lo
The ASA 5520 has a maximum throughput of 450 Mbps if you use the AIP SSM-40 (there are also lower rates with the SSM-10 and SSM-20).

So assuming the extreme worst case where the 200 PCs are downloading/uploading simultaneously, 450 Mbps / 200 = 2.25 Mbps = 288 KBps.

288 KBps doesn't sound that bad considering the worst case. I think adding the ASA (option 1) won't be bad.

However, I'm not sure of the exact ACL capabilities of the 3560G. It might be sufficient for your requirements, so I recommend checking that first. If it is, then surely using only the 3560G should release the network from the ASA's latency.

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
14 years 5 months ago #34985 by LanEvoVI
Hi JamieP and S0lo,

Thank you for your replies.

JamieP:
Yes they are all office machines. They will mostly be for email (exchange), file server access, updates/patch management and web surfing. About 30 of them will also be doing heavy CAD/GIS.

The machines will very seldom communicate directly with each other; most communication will be with our servers and the web.

This setup is for internal only; the uplink for the 3560G and/or ASA will be connected to our edge firewall. The edge has been working pretty well for us so far.

I'll try to correlate more stats and gauge where we stand.

S0lo:
In an extreme case, that doesn't look too bad. I'm hoping it won't become the norm. Haha.

I do like the idea of managing the ACLs from the ASA as I have more experience with it. I haven't tapped into the ACLs for the 3560G before but will do more investigation in this regard.

I know that the ASA is pretty powerful on the reporting side, can the same be said for the 3560G?

Thanks
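On the reporting question above, the practical difference is in what each box logs, not in whether it can log. As an added example (not from the thread or from Cisco documentation), here is the same deny rule with logging on both platforms, sending to an assumed syslog collector at 10.1.100.50; the workstation subnet, server subnet and the ASA interface name `inside` are also assumptions.

```cisco
! Added example, not from the thread. Assumed: workstations 10.1.10.0/24,
! servers 10.1.100.0/24, file server 10.1.100.20, syslog collector 10.1.100.50.
!
! --- Catalyst 3560G (IOS): router ACL on the workstation SVI ---
! Only ACEs carrying "log" produce syslog; packets matching a logged ACE are
! punted to the CPU, so log the denies (rare) and never the busy permits.
ip access-list extended WS-IN
 permit tcp 10.1.10.0 0.0.0.255 host 10.1.100.20 eq 445
 deny   ip 10.1.10.0 0.0.0.255 10.1.100.0 0.0.0.255 log
 permit ip 10.1.10.0 0.0.0.255 any
!
interface Vlan10
 ip access-group WS-IN in
!
logging host 10.1.100.50
logging trap informational
!
! Hit counters per ACE, with no syslog at all, are always available:
!   show ip access-lists WS-IN
!
! --- ASA 5520: interface ACL on the workstation-facing interface ---
! "log" on an ACE emits %ASA-6-106100 with a hit count per interval, and the
! ASA also emits %ASA-6-302013/302014 connection build/teardown records for
! every TCP session regardless of ACE logging, which is what makes its
! reporting richer than ACE counters on the switch.
access-list INSIDE-IN extended permit tcp 10.1.10.0 255.255.255.0 host 10.1.100.20 eq 445
access-list INSIDE-IN extended deny ip 10.1.10.0 255.255.255.0 10.1.100.0 255.255.255.0 log informational interval 300
access-list INSIDE-IN extended permit ip 10.1.10.0 255.255.255.0 any
access-group INSIDE-IN in interface inside
!
logging enable
logging trap informational
logging host inside 10.1.100.50
```

Note the difference in mask notation: IOS extended ACLs use wildcard masks (`0.0.0.255`), the ASA uses subnet masks (`255.255.255.0`); copying an ACE between the two without converting the mask is a common way to end up with a rule that matches nothing or everything. If the switch is chosen, point the switch's syslog at the same collector the ASA would have used and review the denied-ACE messages there; the per-connection records the ASA would have produced do not exist on the 3560.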