Cisco Hierarchical Design

m3zilla

I'm starting to get into the architectural side of things, and have been spending some time on the Cisco Design Zone, reading their guides. For the most part, everything makes sense, but I can't help but ask "Where are the firewalls?"

I've read through several guides, and it has your standard access/distribution/core layer interconnecting to your data center block, internet block, etc....but there's no firewall in sight! Where do you guys have your firewalls deployed?

sratakhin

Between the Internet and distribution layer.

m3zilla

How big is your network? Is that your only firewall? We probably have 5 pairs of external facing firewalls, and 15-20 pairs of internal firewalls, separating the various environments.

SteveO86

Once you get closer you'll see the firewall more.

Check out some CCDP material. It's got Firewalls/IDS/IPS in the e-commerce layer, also in the aggregation layer of the datacenter, internet layer and so forth. The design zone should also have a section dedicated to security.

networker050184

m3zilla wrote: »

How big is your network? Is that your only firewall? We probably have 5 pairs of external facing firewalls, and 15-20 pairs of internal firewalls, separating the various environments.

Oh god I absolutely HATE working on these types of networks.

Roguetadhg

15-20 pairs of internal firewalls w/ 5 pairs of external-faring firewalls? Sweet Baby Santos!

Any possible way to get a sanitized diagram of the network?

m3zilla

I'll get something drawn up when I have some time, but we essentially have a pair of firewalls for each environment (QA, Performance Testing, Client Testing, etc) and firewalls for each Business Unit.

SteveO86

I am looking into a design like that for our Dev environments but I am leaning toward a ASA Cluster with security contexts just so I don't have to deal with a dozen pair of ASAs. (that and cost)