Network Design Question

<<<External Firewall/Router>>>{Switch}[ "Core" Firewall]{Switch}<<<Internal Firewall>>>

In a typical DMZ design where there are (at least) 3 firewalls (external, core, internal) when traffic hits the "DMZ" ports of the external firewall (and has to travel to internal resources) is it typical to vlan tag the traffic at the enternal firewall and then pass that traffic (in the same vlan) all the way to the internal resources or is it likely that the traffic will be tagged twice (once at the external firewall and then again once it is passed to the internal firewall?

Note, this will be a vDMZ and the internal firewall will do ROAS for the internal traffic (LAN) and the internal dmz traffic (on different interfaces).

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

shednik

I'm not sure I totally understand what you're asking but I'll try anyway

Each time a packet hits a trunk link it will need to be tagged, it will have it's tag stripped off when it hits an access port or when it hits the next firewall. It will be re-tagged when it hits a trunk link again and the cycle would continue.

Not sure if that's what you are looking for or not.

joe

Bl8ckr0uter

Not quite joe but thanks for the reply. Let me put it this way. For the purposes of simplification lets say we have this.

<<<External Firewall/Router>>>[ "Core" Firewall]<<<Internal Firewall>>>

This is not my configuration but this is what I am thinking.

Lets name our routers: Ted (external)
Ted has 3 ports, inside, outside and a dmz port. Lets say all of our regular internet traffic flows from inside to outside and anything to or from our internet facing boxes goes to or comes from the dmz port. Ted has 3 vlans: 10 for inside, 20 for outside, and 30 for DMZ.

This would be all external addresses.

Our core firewall name is named Sally.
Sally has 6 ports. She has the same vlan assignments as Ted but in addition she also has her own vlan assignment for an additional DMZ vlan. She has this because she wants to keep the from in DMZ web servers and the backend servers split (as well as a few other reasons which I won't go into). So on Sally she has vlan assignments: 10 for inside (which actually goes to the LAN), 20 for outside (which is mostly use bad machines that are only allowed to get to the internet and cannot get on any lan resource), 30 for the "outside" dmz and 40 for the "inside" dmz servers (not accessable from the outside world directly).

All ip address would be external minus the "inside" dmz server port, which would be the default gateway for the network.

Our internal firewall is named Billie.
Billie provides routing servers for all internal devices on all resources. Billie has a dedicated vlan port for the "outside" and "inside" dmzs and does ROAS for all other ports. It also has a trunk port to the core firewall so it can get to the outside. The vlan configuration would be the same as the core server. It would server as the default gateway for all vlans minus the inside dmz server and outside dmz server.

Basically this is literally what I was thinking but I think I would be over complicating things. What I wanted to do was give as much seperation as possible but I could probably do the same thing with just a bunch of ACLS and such. I only had one hour of sleep last night lol

shednik

So I started to draw this out and when I got to the internal firewall it stopped making any sense to me unless you are naming vlans the same thing. I would post a drawing because the way you explained it ended up confusing me more then anything.

Bl8ckr0uter

shednik wrote: »

So I started to draw this out and when I got to the internal firewall it stopped making any sense to me unless you are naming vlans the same thing. I would post a drawing because the way you explained it ended up confusing me more then anything.

I will put it up in when I get a chance but if you got to the internal firewall then you got past the real confusing part IMO

Like basically think there is a "web server" (external dmz) and then a "web services" (internal dmz). Those two boxes need to be isolated and only very little traffic needs to go between the two of them. The external dmz security would be pretty soft as far as traffic coming in and coming out (from the internet) but the traffic going to the internal devices would be very specific and controlled. It would be very locked down since the internal dmz would also have to access some resources on the lan.

(Internet)

DMZ - External
Webserver

DMZ - Internal
Webservices

LAN
Backend Databases

So nothing from the external dmz should ever touch the lan (and likewise nothing from the lan should touch the external dmz server). I guess you could say they are just VLANS but I use the term DMZ because the internal servers will also be very isolated from the lan (and only allowed to touch a few boxes).