In need of some pre-sales design help for internal network

Started by Dieselboy, February 02, 2021, 03:22:58 AM


Dieselboy

Thanks @Otanx, I have this concern also. With an HA pair there's no issue deploying a P1 firewall patch during business hours (except in my case, ASA HA is not working at the moment, so sessions are being dropped 😅).

I took a look at the reddit link, thanks Wintermute. Sent you a PM. Please could you link me with Fortinet sales?

Dieselboy

Quote from: wintermute000 on February 03, 2021, 03:52:36 AM
final tip, use VRFs to separate DMZ servers and internal servers to different FW zones


Hi,
I can't picture this in my head.

How I have used VRFs in the past is like this example: (VRF-Lite)

[VRF1]
192.168.1.0/24
192.168.2.0/24
0.0.0.0/0 -> 192.168.2.254

[VRF2]
192.168.3.0/24
192.168.4.0/24
0.0.0.0/0 -> 192.168.4.254

The .254 IPs are just interfaces on the firewall. So it means I need a layer 3 interface (or sub-interfaces) on the firewall. In turn, that needs a sub-interface for each VRF with the VLANs trunked.

Is there a better way to do this? Can I use one layer 3 interface on the firewall and route it to the network? (i.e. a routed port, not a trunk port).

wintermute000

What you're describing is standard.

I mean, technically the firewall is not VRF-aware, so you could stick both VRFs onto the same FW segment (i.e. .1 = VRF1, .2 = VRF2, .3 = FW); however, then there exists the possibility of going between the VRFs without being forced through the FW. So everybody just terminates on the FW.

Dieselboy

Thanks. So, just trunk the VLANs to the firewall as normal, then? Each VLAN is a subnet within a VRF. I was trying to think if there was a better way :)

wintermute000

Nah, the VRF routes to the firewall via a single transit /30. The point is to keep inter-VLAN traffic off the firewall and stay on cheap switching.
Now, if each VLAN terminates its default GW on the firewall, that's valid too, but then you don't need layer 3 on the switch at all. Just depends on what you're trying to achieve.

Dieselboy

Am I correct - you would need a /30 per VRF?

I would prefer layer 3 to the firewall, yes :)

wintermute000

If you keep the SVIs on the switch then yes, just run a routed /30 up to the FW. The firewall can then inspect everything in / out; however, it wouldn't be in-line for traffic between VLANs in that VRF. BTW I would always use a /29, not a /30, because it's much easier to do stuff later (insert other tools inline, double up on something, etc.)

If you don't use SVIs but instead use the FW as your default gateway, then you won't need VRFs at all; in fact the switch is just L2. However, then you'll need to spec your FW and write rules for everything, as anything outside of its own VLAN would need to traverse the FW.
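Example added here, not from the thread: a small Python model of the per-VRF routed-transit design wintermute000 describes (SVIs on the switch, one routed transit subnet per VRF up to the firewall), showing which flows stay on the switch and which resolve to the firewall. The 192.168.x.0/24 subnets are the ones from Dieselboy's post; the 10.0.0.0/29 and 10.0.0.8/29 transit links and their addresses are assumed values.

```python
"""Route-lookup model of the VRF-lite design: each VRF keeps its VLAN SVIs on
the switch and has one routed /29 transit to the firewall. Inter-VLAN traffic
inside a VRF is switched locally; anything else (including the other VRF)
only matches the default route and so is forced through the firewall."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]  # (prefix, next-hop label)

# Constructed transit links: switch side .2 / .10, firewall side .1 / .9.
VRFS: Dict[str, List[Route]] = {
    "VRF1": [
        (ipaddress.ip_network("192.168.1.0/24"), "connected VLAN"),
        (ipaddress.ip_network("192.168.2.0/24"), "connected VLAN"),
        (ipaddress.ip_network("10.0.0.0/29"), "connected transit"),
        (ipaddress.ip_network("0.0.0.0/0"), "firewall via 10.0.0.1"),
    ],
    "VRF2": [
        (ipaddress.ip_network("192.168.3.0/24"), "connected VLAN"),
        (ipaddress.ip_network("192.168.4.0/24"), "connected VLAN"),
        (ipaddress.ip_network("10.0.0.8/29"), "connected transit"),
        (ipaddress.ip_network("0.0.0.0/0"), "firewall via 10.0.0.9"),
    ],
}

def lookup(vrf: str, dst: str) -> str:
    """Longest-prefix match inside one VRF's table; returns the next-hop label."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in VRFS[vrf] if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]

def source_vrf(src: str) -> Optional[str]:
    """Identify the VRF whose connected subnets contain the source host."""
    addr = ipaddress.ip_address(src)
    for name, table in VRFS.items():
        if any(addr in net and label.startswith("connected") for net, label in table):
            return name
    return None

def path(src: str, dst: str) -> str:
    """'switched' if the switch forwards locally, 'firewall' if the flow hits the FW."""
    vrf = source_vrf(src)
    if vrf is None:
        raise ValueError(f"{src} is not in any VRF")
    return "switched" if lookup(vrf, dst).startswith("connected") else "firewall"

if __name__ == "__main__":
    for s, d in [("192.168.1.10", "192.168.2.20"), ("192.168.1.10", "192.168.3.30"),
                 ("192.168.1.10", "203.0.113.5")]:
        print(f"{s} -> {d}: {path(s, d)}")
```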

Dieselboy