client and server network segmentation

SOLVED
hmc250000
Getting noticed

What would be the best way to segment clients from servers across several departments (LAN and WAN) globally? What Meraki hardware would be recommended? I would assume traditional firewalls are too slow?

Can Cisco ISE be used along with Meraki switches? Not sure if Cisco ISE can really help with segmenting a LAN/WAN.

1 ACCEPTED SOLUTION
PhilipDAth
Kind of a big deal

This depends a bit on the size (that means budget) of your company.

The most basic concept is to have two VLANs at each site. One for servers and one for workstations.

You start by putting all the switch ports into the workstation VLAN, and then as you plug in a server, you move that switch port to the server VLAN. This "concept" is what the vast majority of companies use. This doesn't require you to have any network engineers on staff and can be managed by a local IT team.

You can step it up using things like 802.1x with RADIUS (such as Cisco ISE) and authenticate devices as they plug in and automatically move them to the correct VLAN. A small percentage of companies do this. By this stage, your company probably has IT team members with strong networking skills but maybe not big enough to employ dedicated network engineers yet.

You can step it right up and use a switch that supports SGT with Cisco ISE. This allows Cisco ISE to say precisely what the user can access. It costs a lot. Used by only a very, very small percentage of companies. At this scale, the company is likely to have an internal team of network engineers.

What kind of kit to consider? It depends on the bandwidth required between the users and servers.

For example, an MX250 security appliance can route around 4Gb/s. If that is enough, then you could use an MX250 with more basic layer 2 switches.

https://meraki.cisco.com/product-collateral/mx-sizing-guide/?file

Otherwise, you are going to need to look at layer 3 switches. This will depend a lot on your site, but you might look at MS250s and above for the core switches (I also personally like the MS350-24X and MS425-16s) and maybe MS225 switches stacked together for your access switches (this depends hugely on the number of users at each site).

https://meraki.cisco.com/product/switches/stackable-access-switches/ms250-48/

https://meraki.cisco.com/product-collateral/ms350-series-datasheet/?file

https://meraki.cisco.com/product/switches/aggregation-switches/ms425-16/

https://meraki.cisco.com/product/switches/stackable-access-switches/ms225-48/

You will want to get a Cisco partner engaged in helping with proper equipment selection and network design.
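The 802.1x step in the answer above ("authenticate devices as they plug in and automatically move them to the correct VLAN") works by the RADIUS server returning VLAN attributes in its Access-Accept, which the switch then applies to the port. The Python below is an added example, not code from this thread or from Cisco/Meraki: it encodes and parses the RFC 3580 Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes (only the attribute list, not a full RADIUS packet with header and Message-Authenticator) and applies an assumed device-to-VLAN policy in which an unknown or unauthenticated device lands in a quarantine VLAN, never the server VLAN. VLAN numbers, device names and groups are constructed for the example.

```python
"""Constructed model of 802.1X/RADIUS dynamic VLAN assignment.

The switch asks a RADIUS server (e.g. Cisco ISE) whether a device may join;
the Access-Accept carries RFC 3580 tunnel attributes that tell the switch which
VLAN to place the port in. The VLAN plan, the identity store and the policy are
assumptions for illustration, not a real deployment.
"""
import struct

# RFC 2868 attribute numbers
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
# RFC 3580 values used for VLAN assignment
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# Assumed VLAN plan for one site (constructed, not from the thread).
VLAN_WORKSTATION = 10
VLAN_SERVER = 20
VLAN_QUARANTINE = 999   # failed or unknown devices land here, not on the server VLAN

# Assumed identity store: device identity -> group. A real RADIUS server would
# derive the group from certificates, directory membership or device profiling.
DEVICE_GROUPS = {
    "ws-alice.corp.example": "workstation",
    "srv-db01.corp.example": "server",
}
GROUP_TO_VLAN = {"workstation": VLAN_WORKSTATION, "server": VLAN_SERVER}


def choose_vlan(identity, authenticated):
    """Policy decision: which VLAN a port gets after the 802.1X exchange."""
    if not authenticated:
        return VLAN_QUARANTINE
    group = DEVICE_GROUPS.get(identity)
    return GROUP_TO_VLAN.get(group, VLAN_QUARANTINE)


def _tagged_int(attr_type, value, tag=0):
    # Type, Length (always 6), Tag, 3-byte big-endian value
    return struct.pack(">BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def _tagged_string(attr_type, value, tag=0):
    data = value.encode("ascii")
    return struct.pack(">BBB", attr_type, 3 + len(data), tag) + data


def vlan_attributes(vlan_id):
    """Encode the three RFC 3580 attributes an Access-Accept carries for a VLAN."""
    return (_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
            + _tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id)))


def parse_attributes(blob):
    """Walk a RADIUS attribute list (Type, Length, Value) into {type: value bytes}."""
    attrs = {}
    i = 0
    while i < len(blob):
        a_type, a_len = blob[i], blob[i + 1]
        if a_len < 2 or i + a_len > len(blob):
            raise ValueError("malformed attribute")
        attrs[a_type] = blob[i + 2:i + a_len]
        i += a_len
    return attrs


def switch_apply(blob):
    """Modelled switch behaviour: return the VLAN to apply, or None to keep the
    port's statically configured VLAN."""
    attrs = parse_attributes(blob)
    try:
        ttype = int.from_bytes(attrs[TUNNEL_TYPE][1:], "big")
        medium = int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE][1:], "big")
        raw_group = attrs[TUNNEL_PRIVATE_GROUP_ID]
    except KeyError:
        return None
    if ttype != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE_802:
        return None
    # A leading byte <= 0x1F is a tag; anything larger is the first character
    # of the group id itself (RFC 2868 tag rules).
    group = raw_group[1:] if raw_group[0] <= 0x1F else raw_group
    return int(group.decode("ascii"))


def onboard(identity, authenticated):
    """End to end: policy -> Access-Accept attributes -> VLAN the switch applies."""
    return switch_apply(vlan_attributes(choose_vlan(identity, authenticated)))


if __name__ == "__main__":
    for ident, ok in [("srv-db01.corp.example", True),
                      ("ws-alice.corp.example", True),
                      ("rogue-laptop", True),
                      ("srv-db01.corp.example", False)]:
        print(ident, ok, "->", onboard(ident, ok))
```

The parsing side shows why the static VLAN on an 802.1x-enabled port matters: an Access-Accept that carries no usable VLAN attributes leaves the port on whatever VLAN was configured statically, so that static VLAN should be the workstation (or quarantine) VLAN, not the server VLAN, which lines up with the "start with every port in the workstation VLAN" approach described above.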

4 REPLIES
KarstenI
Kind of a big deal

ISE will help ensure that each user/device gets the right classification for the segmentation.

The needed device depends on the security you want to have:

  1. For basic L3 control, an L3 switch could do the job.
  2. For advanced L3/L4 control I would go for a firewall like the ASA running on a Firepower platform.
  3. For L7 control we need an NGFW/IPS. For some implementations I place the routing on the MX with the Advanced Security license, but only when most of the traffic is going to the cloud anyway.
  4. If there is a very high amount of local user/server traffic I typically use FTD on a Firepower platform, as the throughput per $ is better compared to the Meraki MX (even with HA). And there are better ways to integrate it.
BlakeRichardson
Kind of a big deal

We use traditional firewalls for our L3 ACL. We did plan to use a Meraki switch but the limitation on the number of rules wouldn't have worked for us. We run very restrictive and granular access (which is a good thing) but it means a lot of rules. At that time (I don't know if it's changed) Meraki didn't support using port ranges.
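KarstenI's "basic L3 control" on an L3 switch and BlakeRichardson's point about rule counts and port ranges both come down to how a stateless inter-VLAN ACL is evaluated. The Python below is an added example, not a configuration from this thread or from any Meraki or Cisco product: a first-match ACL with an implicit deny between an assumed workstation subnet and server subnet, plus a helper that shows how many single-port rules a platform without port-range support would need to express the same policy. Subnets, hosts, services and the rule set are constructed for the example.

```python
"""Constructed model of a stateless L3/L4 ACL between a workstation VLAN and a
server VLAN, evaluated first-match with an implicit deny at the end.
Subnets, services and rules are assumptions for illustration only.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: tuple          # inclusive (low, high) destination port range, or None for any

    def matches(self, proto, src_ip, dst_ip, dport):
        if self.proto != "any" and self.proto != proto:
            return False
        if src_ip not in self.src or dst_ip not in self.dst:
            return False
        if self.dports is not None and not (self.dports[0] <= dport <= self.dports[1]):
            return False
        return True


def net(cidr):
    return ipaddress.ip_network(cidr)


# Assumed addressing: one /16 per role at a site, database servers in their own /24.
WORKSTATIONS = net("10.10.0.0/16")
SERVERS = net("10.20.0.0/16")
DB_SERVERS = net("10.20.5.0/24")

# Assumed policy. Order matters in a first-match ACL: the specific deny for the
# database subnet must precede the broad allow for HTTPS to the server VLAN.
RULES = [
    Rule("deny", "any", WORKSTATIONS, DB_SERVERS, None),
    Rule("allow", "tcp", WORKSTATIONS, SERVERS, (443, 443)),
    # a single application host that needs a wide dynamic port range
    Rule("allow", "tcp", WORKSTATIONS, net("10.20.1.10/32"), (50000, 51000)),
]


def evaluate(rules, proto, src_ip, dst_ip, dport):
    """First matching rule wins; no match means the implicit deny."""
    src_ip = ipaddress.ip_address(src_ip)
    dst_ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.matches(proto, src_ip, dst_ip, dport):
            return rule.action
    return "deny"


def expand_ranges(rules):
    """Rewrite every multi-port range as one single-port rule per port, which is
    what a platform without port-range support would need to hold."""
    out = []
    for rule in rules:
        if rule.dports is None or rule.dports[0] == rule.dports[1]:
            out.append(rule)
        else:
            lo, hi = rule.dports
            out.extend(Rule(rule.action, rule.proto, rule.src, rule.dst, (p, p))
                       for p in range(lo, hi + 1))
    return out


if __name__ == "__main__":
    flows = [("tcp", "10.10.3.4", "10.20.1.10", 443),
             ("tcp", "10.10.3.4", "10.20.5.7", 443),
             ("tcp", "10.10.3.4", "10.20.1.10", 50500),
             ("tcp", "10.20.1.10", "10.10.3.4", 443)]
    for flow in flows:
        print(flow, "->", evaluate(RULES, *flow))
    print("rules with ranges:", len(RULES), "expanded:", len(expand_ranges(RULES)))
```

Two things the model makes visible: the rule count jumps from 3 to 1003 as soon as one port range has to be written out per port, which is the problem described in the post above, and the ACL is stateless, so it says nothing about return traffic; a stateful firewall tracks that for you, while a switch ACL needs explicit handling of the reverse direction.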

 

 

When will these Adaptive Policy & SGT features be available on Meraki MX appliances? Better yet, is there a Cisco or Meraki Adaptive Policy & SGT aware application that can be run on virtual machines?
