Aruba & ProVision-based

vlan for firewall

Brad_199
Frequent Advisor

vlan for firewall

Is it good, or even common, practice to put the port connecting a core switch and firewall in a separate VLAN from all others?
paulgear
Esteemed Contributor

Re: vlan for firewall

All that depends on your environment and how your firewall & switches are configured.  If you haven't configured ACLs in your core switch, then putting your firewall in a separate VLAN will accomplish nothing.


This is really a question about network topology design, and for that you should consult someone experienced in network design, and have your requirements/concerns ready as an input to the design process; a security risk assessment would be an important part of this process as well.

Regards,
Paul
Brad_199
Frequent Advisor

Re: vlan for firewall

For what reason would it make a difference if there were ACLs on the core switch?
paulgear
Esteemed Contributor

Re: vlan for firewall

Hi Brad,

Let me try to ask a few more questions to explain it: what would you achieve by putting your firewall in a separate VLAN?  Protecting your firewall from your PCs?  Protecting your PCs/servers from a potentially compromised firewall?  Improved performance?  In all of these scenarios, if your switch just routes packets directly between your PCs/servers and your firewall, it adds nothing to your solution.

To back up a bit and answer your original question: yes, it's common practice to put your Internet connection in a separate VLAN, if you've got an internal firewall (or switch ACL) that is routing between your internal network and your external connection.  If not, it doesn't seem to me that it adds much value.


I hope that makes sense.

Regards,
Paul
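Paul's point that a separate VLAN only does something when the core switch enforces a policy between VLANs, as an added example that is not from any poster in this thread, written in ProVision-style switch syntax. The VLAN IDs, addresses, port numbers and the ACL name are assumed; the first block is the "separate broadcast domain only" case, the second adds the routed ACL that makes the separation matter.

```text
; Assumed topology: servers in VLAN 10, clients in VLAN 20,
; firewall LAN interface alone in VLAN 99 (switch 10.0.99.2, firewall 10.0.99.1).
; Weak: the switch routes freely between all three VLANs, so the firewall VLAN
; is just another broadcast domain and clients reach servers and the firewall
; directly without any policy being applied.
vlan 10
   name "Servers"
   untagged 1-12
   ip address 10.0.10.1 255.255.255.0
   exit
vlan 20
   name "Clients"
   untagged 13-24
   ip address 10.0.20.1 255.255.255.0
   exit
vlan 99
   name "FW-Transit"
   untagged 48                          ; port to the firewall LAN interface
   ip address 10.0.99.2 255.255.255.0
   exit
ip routing
ip route 0.0.0.0 0.0.0.0 10.0.99.1     ; Internet-bound traffic goes to the firewall

; Corrected: same VLANs, plus a routed ACL applied inbound on the client VLAN.
; Transit traffic still forwards via 10.0.99.1, but clients can no longer talk
; to the firewall's own interface, and only named services on the server VLAN
; are reachable from clients; everything else between the VLANs is dropped.
ip access-list extended "CLIENTS-IN"
   10 deny   ip  10.0.20.0 0.0.0.255 host 10.0.99.1 log        ; protect the firewall itself
   20 permit udp 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255 eq 53 ; DNS on servers (assumed)
   30 permit tcp 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255 eq 443 ; HTTPS on servers (assumed)
   40 deny   ip  10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255 log   ; no other client->server
   50 permit ip  any any                                       ; Internet-bound traffic
   exit
vlan 20
   ip access-group "CLIENTS-IN" in
   exit
```

The `log` keyword on the deny entries gives the switch's event log a record of blocked inter-VLAN attempts, which is the visibility the plain VLAN split does not provide.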
Brad_199
Frequent Advisor

Re: vlan for firewall

My corporation has the firewall LAN interface on the same VLAN as the servers. I was thinking that perhaps putting the firewall into a different VLAN would segment the networks and create separate broadcast domains, perhaps improving performance as you mentioned.

That is the reasoning behind my post. I'm not sure if that design (if it happens to be incorrect, of course) changes your suggestions and comments above?
paulgear
Esteemed Contributor

Re: vlan for firewall

Adding a different VLAN will indeed put the firewall in a different broadcast domain. Whether this will make any difference in performance depends on whether you're experiencing any ARP-related performance issues.

Regards,
Paul
Brad_199
Frequent Advisor

Re: vlan for firewall

I appreciate your posts paulgear.

This may be difficult for you to answer without knowing my corporation's network, but does it sound correct to put the firewall into the same VLAN as the servers?

I may be repeating myself, so I guess I'm just wondering what other people would do in this situation?

Would people only put the firewall into a different VLAN if there were an internal router etc., as you mentioned earlier?
paulgear
Esteemed Contributor

Re: vlan for firewall

When it comes to network design, there aren't a lot of wrong answers.  Putting the servers & firewall in the same VLAN might be fine, or it might be a bad idea - it depends on a lot of other factors.


If you want to see what other people have done, Google for some network diagrams; there are whole sites dedicated to it.

Regards,
Paul