Hi All
Just a question and a bit of a dilemma..
Planning on separating SSIDs with VLAN tags on Meraki switches and APs:
Corp VLAN
Server VLAN
BYOD VLAN
Guest VLAN
Corp and server need to communicate with each other
90% of the traffic is cloud based, 10% goes to some local servers
BYOD and guest need to be separated
Option 1
Place all VLANs on the upstream firewalls; create interfaces, FW rules etc.
Option 2
Place the Corp and Server VLANs on the core switches with SVIs and a transit VLAN to the FW for internet traffic
Place the Guest and BYOD VLANs on the upstream firewall
Option 3
Place all VLANs on the core switch and do a transit /30 VLAN to the FW for internet traffic
Firewalls are a fully featured NGFW
I would like to use some of the features like the DNS server with filtering, AV scanning of traffic etc.
Hope this makes sense, just wanted to see what you guys thought or if there are other options.
Thanks
Hi,
In my opinion Option 3 is the best 😄
I would not use Option 3. Separating the traffic with switch ACLs could be a pain. And switch ACLs are not stateful, which means you have to control both directions, from the client and from the server.
I typically use Option 2. All VLANs that need complete communication are on the L3 switch, all VLANs that need a strict separation are on the firewall. But with this you have the overhead of managing some VLANs on the switch and some VLANs on the firewall.
In your environment I would probably use Option 1. With 90% cloud traffic the firewall throughput is likely high enough to handle the corp-to-server traffic, and you have full control and only one place to configure the rules.
Well, in Option 3 you can have all SVIs on the core switch and at the same time control all traffic on the firewall. In my opinion, firewalls don't have to route internal VLANs when we are talking about design.
If the SVI is on the Switch, then the Firewall doesn't have any control over the inter-VLAN traffic. And at least the Guest traffic has to be separated from the rest of the network.
Yes, but you can set the firewall as the gateway for the guest VLANs; there are many possibilities. You can use VRFs on the core switch, for example. 🙂
That is basically Option 2. And sadly, Meraki Switches do not have VRFs.
Yes, but he didn't say the switch model, just that he needs to isolate inter-VLAN communication. I know that Meraki switches do not have VRFs.
But to decide what the best scenario is, we need to know the topology, don't you think?
The switch core in that case.😅
I'm with @KarstenI and would go with Option 1. Keep the L3 interfaces on your firewall unless your network is going to expand and you introduce more VLANs and L3 interfaces and require inter-VLAN routing.
Hi all, thanks for all the replies and interesting thoughts/comments.
For some extra info (didn't have time to draw it out, but the topology is basically):
MR56 access points >>> 6 x stacked MS225 >> (2 x 10G aggregate) >> stacked MS425-16 (core switch) >> (2 x 10G aggregate) >> Fortigate F series FW >>> Internet
I have always gone with Option 1 where there are no internal services, and I am thinking Option 1/2 for this one. However, this one is the biggest site.
All devices will hang off the MS225's
There will be internal video/audio streaming; the rest of the traffic is cloud apps.
Once decided, the VLANs won't increase, so max < 8 VLANs.
My ideal would be to keep the corporate and servers/video internal and everything else on the firewall.
It's just whether I want to have the extra overhead in admin for Option 2.
Think I might have answered my own question...
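For reference, here is what the firewall side of Option 2 looks like on the Fortigate in the topology above: Corp and Server SVIs on the MS425 stack, a /30 transit VLAN to the FW, and Guest/BYOD gateways on the FW itself. This is an added example, not configuration from any poster in this thread; the VLAN IDs (10/20/30/40/999), subnets, port names (port2 towards the MS425 stack, wan1 towards the internet) and profile names are all assumptions. The Meraki side (the MS425 L3 interfaces, its transit SVI 10.255.255.2/30 and a default route to 10.255.255.1) is done in the Dashboard and is not shown.

```fortios
# Added example for Option 2; assumed VLAN IDs, subnets and port names.
# Corp (VLAN 10, 10.10.0.0/24) and Server (VLAN 20, 10.20.0.0/24) are routed
# on the MS425 stack and reach this FortiGate only via transit VLAN 999.
# Guest (VLAN 30) and BYOD (VLAN 40) are bridged by the switches and have
# their default gateway here, so every packet they send is policy-checked.

config system interface
    edit "transit"
        set vdom "root"
        set ip 10.255.255.1 255.255.255.252   # MS425 side is 10.255.255.2
        set allowaccess ping
        set interface "port2"
        set vlanid 999
        set role lan
    next
    edit "guest"
        set vdom "root"
        set ip 10.30.0.1 255.255.255.0
        set allowaccess ping
        set interface "port2"
        set vlanid 30
        set role lan
    next
    edit "byod"
        set vdom "root"
        set ip 10.40.0.1 255.255.255.0
        set allowaccess ping
        set interface "port2"
        set vlanid 40
        set role lan
    next
end

# Return routes: without these the FortiGate has no path back to the Corp and
# Server subnets behind the switch and drops the reply traffic.
config router static
    edit 10
        set dst 10.10.0.0 255.255.255.0
        set gateway 10.255.255.2
        set device "transit"
    next
    edit 20
        set dst 10.20.0.0 255.255.255.0
        set gateway 10.255.255.2
        set device "transit"
    next
end

config firewall address
    edit "corp-net"
        set subnet 10.10.0.0 255.255.255.0
    next
    edit "server-net"
        set subnet 10.20.0.0 255.255.255.0
    next
end

# Corp<->Server traffic never reaches the FortiGate in this design (the MS425
# routes it), so the policies only cover internet-bound flows. The explicit
# deny in policy 3 is not needed for enforcement (implicit deny already
# applies) but gives a logged event whenever a guest/BYOD client probes the
# internal ranges.
config firewall policy
    edit 1
        set name "corp-server-to-internet"
        set srcintf "transit"
        set dstintf "wan1"
        set srcaddr "corp-net" "server-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set dnsfilter-profile "default"
        set logtraffic all
        set nat enable
    next
    edit 2
        set name "guest-byod-to-internet"
        set srcintf "guest" "byod"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set dnsfilter-profile "default"
        set logtraffic all
        set nat enable
    next
    edit 3
        set name "guest-byod-to-internal-deny"
        set srcintf "guest" "byod"
        set dstintf "transit"
        set srcaddr "all"
        set dstaddr "corp-net" "server-net"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Two things worth checking once it is in place: from a Guest client, confirm that a connection to a Corp address shows up as a hit on policy 3 in the traffic log rather than silently timing out, and from a Corp client confirm that the path to the internet crosses the transit VLAN (the session should appear on policy 1 with the UTM profiles attached), while a Corp-to-Server session produces no FortiGate log at all because it stayed on the switch. Multi-interface policies (two values in `srcintf`) are assumed to be supported on the FortiOS version in use; if not, split policies 2 and 3 per interface.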