Transit Vlan to FW question

Speedbird1
Getting noticed

Transit Vlan to FW question

Hi All 

 

Just a question and bit of a dilemma ..

 

Planning on separating SSID's with VLAN tags on Meraki switches and AP's 

 

Corp vlan 

Server Vlan

BYOD vlan

Guest Vlan 

 

Corp and server need to communicate with each other 

90% traffic is cloud based 10% to some local servers

 

BYOD and guest need to be separated

 

Option1 

Place all vlan's on upstream firewalls, Create interfaces, fw rules etc 

 

Option 2 

Place Corp and server vlan's on Core switches with SVI's and transit vlan to FW for internet traffic

Place Guest and BYOD vlan's on upstream firewall

 

Option 3 

Place all vlan's on core switch and do a transit /30 Vlan to FW for internet traffic

 

Firewalls are a fully featured NGFW 

I would like to use some of the features like dns server with filtering, AV scanning of traffic etc.

 

Hope this makes sense, just wanted too see what you guys thought or if there are other options.

 

Thanks  

 

 

 

 

 

 

 

10 Replies 10
alemabrahao
Kind of a big deal
Kind of a big deal

Hi, 

 

In my opinion Option 3 is the best 😄

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
KarstenI
Kind of a big deal
Kind of a big deal

I would not use Option 3. Separating the traffic with Switch ACLs could be a pain. And Switch ACLs are not stateful which means you have to control both directions from client and from server.

 

I typically use Option 2. All VLANs that need complete communication are on the L3 switch, all VLANs that need a strict separation are on the Firewall. But with this you have the overhead to manage some VLANs on the switch and some VLANs on the Firewall.

 

In your environment I would probably use option 1. With 90% cloud traffic the firewall-throughput is likely high enough to handle the corp to server traffic and you have full control and only one place to configure the rules.

Well, In option 3 you can have all SVIs on switch core and at de same time control all traffic on Firewall. In my opinion, firewalls don't have to route internal VLANs when we are talking about design.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

If the SVI is on the Switch, then the Firewall doesn't have any control over the inter-VLAN traffic. And at least the Guest traffic has to be separated from the rest of the network.

Yes, but you can set the firewall as a gateway for guest VLANs, there are many possibilities. You can use VRFs on switch core for example. 🙂

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

That is basically Option 2. And sadly, Meraki Switches do not have VRFs.

Yes, but he didn't say the switch model, just he needs to isolate inter-Vlan communication. I know that Meraki Switches do not have VRFs.
But to diced what is the best scenario, we need to know the topology, don't you think?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

The switch core in that case.😅

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
DarrenOC
Kind of a big deal
Kind of a big deal

I'm with @KarstenI and would go with Option 1.  Keep the L3 interfaces on your firewall unless your network is going to expand and you introduce more Vlans and L3 interfaces and require inter vlan routing.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
Speedbird1
Getting noticed

Hi All thanks for all the replies and interesting thoughts/comments

 

For some extra info (didnt have time to draw it out but topology is bascially)

 

MR56 Access points >>> 6 X Stacked MS225  >>(2 x10g aggregate) >> Stacked MS425-16 (core switch) >> (2 x 10g Aggregate) >> Fortigate F series FW >>> Internet

 

 

I have always gone with option 1 where there are no internal services, and i am thinking option1/2 for this one. however this one is the biggest site.

 

All devices will hang off the MS225's  

There will be internal video/audio streaming the rest of the traffic is cloud apps.

 

Once decided the Vlans wont increase so max < 8 Vlans

 

My ideal would be to keep the corporate and servers/video internal and everything else on the firewall. 

Its just whether i want to have the extra overhead in  admin for option 2.

 

Think i might have answered my own question ...

 

 

 

Get notified when there are additional replies to this discussion.