

Firewalls, IDP, VLANs and VPN! Oh My!

network layout


#1 c.grz



  • Joined: 22-September 04
  • Location: Chicago, Illinois
  • OS: Windows 8.1U1 Professional
  • Phone: Nokia Lumia 925

Posted 12 April 2013 - 16:30

I've been tasked with cleaning up the network layout and I've been at this for way too long.

I'm trying to simplify the network as much as possible so the day I'm gone the next guy isn't spending three months trying to figure out the mess the previous guy made like I've been doing!

We have three networks that, due to PCI, need to be separated via a firewall.

We'll call those three networks Office, Production and DMZ.

Office has the bulk of the devices (two 4506s trunked to each other using three port-channels).

Production has all the devices with sensitive data.

DMZ has our internet facing devices.

I've configured the IDP to be transparent; each network passes through it.

The VPN device hangs off to the side bypassing the IDP.

And the web filter also hangs off to the side, just filtering web traffic via proxy settings in the browser.

We've also got a direct circuit to our sister company, which was initially set up as a VLAN on one of the switches and which I've moved to the firewall.

I'm looking for some critiques, opinions or recommendations.

Attached Images

  • NETWORK_2.jpg

#2 sc302


Neowinian Senior

  • Tech Issues Solved: 57
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 12 April 2013 - 16:43

In my office, we have done similar.

We have a production network that is VLAN'd out and has routing disabled so it cannot communicate with any of the other VLANs. No VLANs can communicate with it either; DHCP is handled by a local server or the switch itself.

We have an office network for office computers; they have access to the network.

We have a DMZ for internet-facing servers.

If we need something off the production network or on the production network, it must come via USB stick. We have very sensitive data that cannot be intermingled with office data.
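As an added illustration of the isolation sc302 describes (an example configuration written for this page, not posted by either participant and not the configuration of their networks), here is one way to express it on a Catalyst-style Layer 3 switch such as the 4506s c.grz mentions. The VLAN numbers, VLAN names and the 10.1.x.0/24 subnets are assumed for the example; the production VLAN keeps an SVI only so the switch itself can serve DHCP, and inbound ACLs ensure no routed path exists between production and the other VLANs.

```cisco
! Example configuration (assumed VLAN IDs, names and subnets).
vlan 10
 name OFFICE
vlan 20
 name PRODUCTION
vlan 30
 name DMZ
!
! Production: the SVI exists only so the switch can hand out DHCP leases.
! The inbound ACL permits DHCP requests to the switch and nothing else,
! so no production host can be routed to another VLAN through this switch.
ip access-list extended PROD-IN
 permit udp any eq bootpc any eq bootps
 deny   ip any any log
!
interface Vlan20
 description Production (isolated, assumed subnet 10.1.20.0/24)
 ip address 10.1.20.1 255.255.255.0
 ip access-group PROD-IN in
!
ip dhcp excluded-address 10.1.20.1 10.1.20.20
ip dhcp pool PRODUCTION
 network 10.1.20.0 255.255.255.0
 default-router 10.1.20.1
!
! Office and DMZ: routed normally, but nothing may be sent toward the
! production subnet. Logging the denies gives a detection signal for
! anything that tries.
ip access-list extended NO-PROD
 deny   ip any 10.1.20.0 0.0.0.255 log
 permit ip any any
!
interface Vlan10
 description Office users (assumed subnet 10.1.10.0/24)
 ip address 10.1.10.1 255.255.255.0
 ip access-group NO-PROD in
!
interface Vlan30
 description Internet-facing servers (assumed subnet 10.1.30.0/24)
 ip address 10.1.30.1 255.255.255.0
 ip access-group NO-PROD in
```

Two caveats worth keeping in mind with this pattern: SVI ACLs only see traffic that the switch routes, so hosts inside VLAN 20 still reach each other at Layer 2, and the ACLs on the switch complement rather than replace the firewall c.grz places between the three zones for PCI; the `log` keyword on the deny entries is what turns an attempted crossing into something the IDP or a syslog collector can alert on.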