Example 1:
Router running VRF-aware Zone-Based Firewall

Network Setup

When The Network Design Fits

Scenario 1
There are multiple tenants in the same building that share the same switch, the same router, and the same Internet line. From each tenant's perspective there is a dedicated Internet connection and a dedicated network for them alone: a tenant cannot see any other tenant's network, even though all tenants share the same equipment and the same Internet line.

Scenario 2
There is a single tenant in the building. The tenant has multiple networks: Public, Private, DMZ, and Lab. Security policy requires total separation between these networks. From each network's perspective there is a dedicated Internet connection and a dedicated network for it alone: no network can see or talk to the others, even though all networks share the same equipment and the same Internet line.

Other scenarios may fit this design as well; the two above are sufficient for illustration.

Objectives
* Multiple networks on all equipment (in this case, the switch and the router)
* No network can see any other network
* All networks share the same Internet line
* A proper firewall on the router, so that separation is enforced and not just assumed from the routing design

Solution
Deploy VRF-aware CBAC or a VRF-aware Zone-Based Firewall on the router. The VRFs give each network its own routing table; the firewall controls what each network may reach across the shared Internet line.

Implementation
* Trunk the router to the switch
* Create one VLAN per network on the switch
* Create one 802.1Q sub-interface per VLAN on the router
* Assign an IP address to each sub-interface; that address is the default gateway of the corresponding VLAN
* Place each sub-interface in its own VRF so that each network has a separate routing table
* Give each VRF a default route toward the shared Internet interface, with VRF-aware NAT/PAT, so that all networks can use the one Internet line without a route into each other's VRF
* Implement the VRF-aware CBAC or Zone-Based Firewall: one security zone per VRF, a zone-pair from each zone to the Internet zone only, and no zone-pair between tenant zones
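A worked configuration for Scenario 1 with two tenants, added here as an example; it is not taken from the original page or from Cisco's documentation. It assumes a router whose FastEthernet0/0 is trunked to the switch and whose FastEthernet0/1 is the shared Internet uplink (203.0.113.2/30, ISP next hop 203.0.113.1), tenant VLANs 10 and 20 with 192.168.10.0/24 and 192.168.20.0/24, and a Catalyst switch with GigabitEthernet0/1 as the trunk. All VRF names, zone names, addresses and port ranges are assumptions.

```cisco
! ===== Router (Cisco IOS): one VRF per tenant, shared uplink in the global table =====
ip vrf TENANT_A
 rd 65000:10
ip vrf TENANT_B
 rd 65000:20
!
! Security zones: one per tenant VRF plus one for the shared uplink
zone security TENANT_A
zone security TENANT_B
zone security INTERNET
!
interface FastEthernet0/0
 description 802.1Q trunk to switch
 no ip address
interface FastEthernet0/0.10
 description Tenant A LAN (VLAN 10)
 encapsulation dot1Q 10
 ip vrf forwarding TENANT_A
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 zone-member security TENANT_A
interface FastEthernet0/0.20
 description Tenant B LAN (VLAN 20)
 encapsulation dot1Q 20
 ip vrf forwarding TENANT_B
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 zone-member security TENANT_B
!
interface FastEthernet0/1
 description Shared Internet uplink (global routing table)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 zone-member security INTERNET
!
! Each VRF gets a default route that exits via the global table. Neither VRF
! has a route to the other's subnet, so tenants cannot reach each other.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route vrf TENANT_A 0.0.0.0 0.0.0.0 FastEthernet0/1 203.0.113.1 global
ip route vrf TENANT_B 0.0.0.0 0.0.0.0 FastEthernet0/1 203.0.113.1 global
!
! VRF-aware PAT: both tenants hide behind the uplink address, so the ISP needs
! no return routes and the NAT table carries the VRF for reply traffic
ip access-list standard NAT_TENANT_A
 permit 192.168.10.0 0.0.0.255
ip access-list standard NAT_TENANT_B
 permit 192.168.20.0 0.0.0.255
ip nat inside source list NAT_TENANT_A interface FastEthernet0/1 vrf TENANT_A overload
ip nat inside source list NAT_TENANT_B interface FastEthernet0/1 vrf TENANT_B overload
!
! Zone-Based Firewall: inspect tenant-initiated TCP/UDP/ICMP toward the Internet
! and drop everything else. There is deliberately NO zone-pair between TENANT_A
! and TENANT_B and no INTERNET->tenant pair, so only replies to inspected
! sessions are allowed back in.
class-map type inspect match-any CM_TO_INTERNET
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect PM_TO_INTERNET
 class type inspect CM_TO_INTERNET
  inspect
 class class-default
  drop log
zone-pair security TENANT_A_TO_INTERNET source TENANT_A destination INTERNET
 service-policy type inspect PM_TO_INTERNET
zone-pair security TENANT_B_TO_INTERNET source TENANT_B destination INTERNET
 service-policy type inspect PM_TO_INTERNET
!
! ===== Switch (Catalyst IOS): one VLAN per tenant, trunk to the router =====
vlan 10
 name TENANT_A
vlan 20
 name TENANT_B
!
interface GigabitEthernet0/1
 description Trunk to router Fa0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
interface range GigabitEthernet0/2 - 12
 description Tenant A access ports
 switchport mode access
 switchport access vlan 10
!
interface range GigabitEthernet0/13 - 24
 description Tenant B access ports
 switchport mode access
 switchport access vlan 20
```

To verify the separation, check `show ip route vrf TENANT_A` (it should contain only the tenant's own subnet and the default route), `show ip nat translations vrf TENANT_A` while a host browses, and `show policy-map type inspect zone-pair` for session counts. A ping from a Tenant A host to 192.168.20.1 should fail with no route in the VRF; restricting the trunk with `switchport trunk allowed vlan` keeps a mis-patched access port from carrying the other tenant's VLAN.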

Sample Configuration

Cisco IOS VRF-aware Zone-Based Firewall



Switch



Discussions and More Sample Configurations

Cisco IOS Firewall Classic and Zone-Based Virtual Firewall Application Configuration Example

Example 2:
Router, ASA, and Switch with VRF, Multiple Context, and Trunking

Let's say there is a T1/E1 circuit that must be dedicated to the Production network, and a separate DSL/Cable/Wireless connection used only for Internet access. Typically the T1/E1 circuit is used only for server connectivity and internal usage, and the DSL/Cable/Wireless link is for vendors or business partners that need Internet access only, with no access to the Production network. The network design follows.

Objectives
* Multiple networks on all equipment (in this case the switch, the ASA, and the router)
* Three networks: Production, Internet-Only, and Admin
* The Production network is for server connectivity and internal usage
* The Internet-Only network is for vendors or business partners that need Internet access only, with no access to the Production network
* The Admin network is for general network administration
* No network (Production, Internet-Only, or Admin) can see any other network
* All networks share the same equipment
* The Production network uses only the T1/E1 and can never use the DSL/Cable/Wireless link
* The Internet-Only network uses only the DSL/Cable/Wireless link and can never use the T1/E1
* The Admin network does not need Internet access; it is only for general network administration
* A dedicated firewall for each network as a security measure

Solution
Deploy VRF on the router, Multiple Context mode on the ASA, and 802.1Q trunking between the router, the ASA, and the switch

Implementation
* Trunk the router FastEthernet0/0 port to the ASA Outside port
* Create three VLANs on that trunk as the Outside networks: the first for Production, the second for Internet-Only, and the third for Admin
* Connect the T1/E1 to the router Serial0/0 port and the DSL/Cable/Wireless link to the router FastEthernet0/1 port
* Put each router interface and sub-interface in its VRF (Serial0/0 and the Production VLAN in the Production VRF, FastEthernet0/1 and the Internet-Only VLAN in the Internet-Only VRF, the Admin VLAN in the Admin VRF), so that each VRF carries only its own uplink and default route
* Trunk the ASA Inside port to the switch
* Create three VLANs on that trunk as the Inside networks: the first for Production, the second for Internet-Only, and the third for Admin
* Assign switch ports to the Production, Internet-Only, and Admin networks as needed
* Set up Multiple Context mode on the ASA with a Production context, an InternetOnly context, and an admin context
* Each context is the dedicated (virtual) firewall for its network; e.g. the Production context is the dedicated firewall for the Production network
* Allocate the Outside and Inside VLAN sub-interfaces of each network to its context
* The ASA Production context does NAT/PAT, whereas the router does NAT/PAT for the InternetOnly context
* No NAT/PAT is necessary for the admin context
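The router and the ASA side of this design, added here as an example; it is not the original page's sample configuration. Assumptions: router FastEthernet0/0 trunks to the ASA Outside port with VLANs 10/20/30 for Production/Internet-Only/Admin (transit subnets 10.10.0.0/24, 10.20.0.0/24, 10.30.0.0/24); the T1/E1 on Serial0/0 is a private circuit (172.16.0.0/30, far end 172.16.0.1) whose far side has a route back to 10.10.0.0/24; the DSL/Cable/Wireless modem on FastEthernet0/1 is 198.51.100.1 on 198.51.100.0/24; the ASA uses GigabitEthernet0/0 as the Outside trunk and GigabitEthernet0/1 as the Inside trunk with ASA 8.3+ syntax; the InternetOnly context's inside subnet 192.168.20.0/24 is routed unchanged to the router, which PATs it. Only the system context and the Production context are shown; the InternetOnly context is the same minus the NAT object, and the admin context has interfaces but no default route.

```cisco
! ===== Router (Cisco IOS): one VRF per network, each with its own uplink =====
ip vrf Production
 rd 65000:10
ip vrf InternetOnly
 rd 65000:20
ip vrf Admin
 rd 65000:30
!
interface Serial0/0
 description T1/E1 - Production only
 ip vrf forwarding Production
 ip address 172.16.0.2 255.255.255.252
interface FastEthernet0/1
 description DSL/Cable/Wireless - Internet-Only only
 ip vrf forwarding InternetOnly
 ip address 198.51.100.2 255.255.255.0
 ip nat outside
!
interface FastEthernet0/0
 description 802.1Q trunk to ASA Outside
 no ip address
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip vrf forwarding Production
 ip address 10.10.0.1 255.255.255.0
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip vrf forwarding InternetOnly
 ip address 10.20.0.1 255.255.255.0
 ip nat inside
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip vrf forwarding Admin
 ip address 10.30.0.1 255.255.255.0
!
! Default routes exist only inside their own VRF: Production can never be
! forwarded out Fa0/1, Internet-Only can never use Serial0/0, Admin has none.
ip route vrf Production 0.0.0.0 0.0.0.0 172.16.0.1
ip route vrf InternetOnly 0.0.0.0 0.0.0.0 198.51.100.1
! The InternetOnly ASA context does not NAT: route its inside subnet back to
! the context's outside address and PAT it here
ip route vrf InternetOnly 192.168.20.0 255.255.255.0 10.20.0.2
ip access-list standard NAT_INTERNETONLY
 permit 192.168.20.0 0.0.0.255
ip nat inside source list NAT_INTERNETONLY interface FastEthernet0/1 vrf InternetOnly overload
!
! ===== ASA system context: split both trunks into VLAN subinterfaces and
! hand each network's pair of subinterfaces to its own context =====
mode multiple
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/0.10
 vlan 10
interface GigabitEthernet0/0.20
 vlan 20
interface GigabitEthernet0/0.30
 vlan 30
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/1.10
 vlan 10
interface GigabitEthernet0/1.20
 vlan 20
interface GigabitEthernet0/1.30
 vlan 30
!
admin-context admin
context admin
 allocate-interface GigabitEthernet0/0.30
 allocate-interface GigabitEthernet0/1.30
 config-url disk0:/admin.cfg
context Production
 allocate-interface GigabitEthernet0/0.10
 allocate-interface GigabitEthernet0/1.10
 config-url disk0:/Production.cfg
context InternetOnly
 allocate-interface GigabitEthernet0/0.20
 allocate-interface GigabitEthernet0/1.20
 config-url disk0:/InternetOnly.cfg
!
! ===== ASA Production context: its own firewall, PAT toward the T1/E1 side =====
interface GigabitEthernet0/0.10
 nameif outside
 security-level 0
 ip address 10.10.0.2 255.255.255.0
interface GigabitEthernet0/1.10
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
object network PRODUCTION_LAN
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 10.10.0.1
```

Because each context only ever sees the two subinterfaces allocated to it, and each router VRF only ever sees its own uplink, a misconfigured ACL in one context cannot leak a network onto the wrong circuit: even if the InternetOnly context permitted traffic to 192.168.10.0/24, the InternetOnly VRF has no route to it. Verify with `show context` and `changeto context Production` followed by `show route` on the ASA, and `show ip route vrf Production` on the router, which should list only 10.10.0.0/24, the serial link, and the default via 172.16.0.1.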

Sample Configuration

Router



System Context



Admin Context



Production Context



InternetOnly Context



Switch




by aryoba See Profile
last modified: 2015-08-18 09:50:31