c.grz Posted April 12, 2013

I've been tasked with cleaning up the network layout and I've been at this for way too long. I'm trying to simplify the network as much as possible so the day I'm gone the next guy isn't spending three months trying to figure out the mess the previous guy made, like I've been doing!

We have three networks that, due to PCI, need to be separated via a firewall. We'll call those three networks Office, Production and DMZ. Office has the bulk of the devices (two 4506s trunked to each other using 3 port-channels). Production has all the devices with sensitive data. DMZ has our internet-facing devices.

I've configured the IDP to be transparent; each network passes through it. The VPN device hangs off to the side, bypassing the IDP. The web filter also hangs off to the side, just filtering web traffic via proxy settings in the browser. We've also got a direct circuit to our sister company, which was initially set up as a VLAN on one of the switches and which I've moved to the firewall.

I'm looking for some critiques, opinions or recommendations.
sc302 (Veteran) Posted April 12, 2013

In my office, we have done similar. We have a production network that is VLAN'd out and has the routes disabled so it cannot communicate with any of the other VLANs. No VLANs can communicate with it either; DHCP is handled by a local server or the switch itself. We have an office network for office computers; they have access to the network. We have a DMZ for internet-facing servers. If we need something off the production network or on the production network, it must come via USB stick. We have very sensitive data that cannot be intermingled with office data.
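Both posts describe the same control: a firewall (or VLAN routing) that keeps the sensitive Production zone unreachable from Office and DMZ, with a few side paths (VPN, sister-company circuit) that do not pass through the IDP. The script below is an added example, not configuration from either poster's network. It models that layout as a zone policy and checks the two things a PCI reviewer asks about first: which zone pairs can talk, and which permitted paths the IDP never sees. The subnets, zone names and rules are constructed assumptions standing in for the real address plan.

```python
"""Zone-segmentation check for a three-zone (Office / Production / DMZ) layout.

Constructed example: the address plan and rules are assumptions modelled on the
thread's description, not either poster's real configuration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Assumed address plan (constructed for this example).
ZONES = {
    "Office": ip_network("10.10.0.0/16"),
    "Production": ip_network("10.20.0.0/16"),   # PCI-scoped, sensitive data
    "DMZ": ip_network("10.30.0.0/24"),          # internet-facing servers
    "VPN": ip_network("10.40.0.0/24"),          # remote-access pool, hangs off the side
    "Sister": ip_network("172.16.0.0/16"),      # direct circuit to the sister company
    "Internet": ip_network("0.0.0.0/0"),        # catch-all, matched only as a last resort
}


@dataclass(frozen=True)
class Rule:
    src: str                  # zone name or "any"
    dst: str                  # zone name or "any"
    dport: Optional[int]      # None matches every destination port
    action: str               # "permit" or "deny"
    inspected: bool = True    # False when the path bypasses the transparent IDP


# Firewall policy: first match wins, implicit deny for anything unmatched.
POLICY: List[Rule] = [
    Rule("Production", "any", None, "deny"),        # Production initiates nothing
    Rule("Office", "Production", None, "deny"),     # nothing from Office into Production
    Rule("DMZ", "Production", None, "deny"),        # nothing from DMZ into Production
    Rule("Office", "DMZ", 443, "permit"),
    Rule("Office", "Internet", 443, "permit"),
    Rule("Office", "Sister", 445, "permit"),
    Rule("VPN", "Office", 3389, "permit", inspected=False),  # VPN device bypasses the IDP
]


def zone_of(addr: str) -> str:
    """Longest-prefix match, so 0.0.0.0/0 only claims what no other zone does."""
    ip = ip_address(addr)
    name, _net = max(
        ((n, net) for n, net in ZONES.items() if ip in net),
        key=lambda kv: kv[1].prefixlen,
    )
    return name


def _matches(pattern: str, zone: str) -> bool:
    return pattern == "any" or pattern == zone


def evaluate(src: str, dst: str, dport: int) -> Optional[Rule]:
    """Return the first rule matching the flow, or None for the implicit deny."""
    s, d = zone_of(src), zone_of(dst)
    for rule in POLICY:
        if _matches(rule.src, s) and _matches(rule.dst, d) and rule.dport in (None, dport):
            return rule
    return None


def is_allowed(src: str, dst: str, dport: int) -> bool:
    rule = evaluate(src, dst, dport)
    return rule is not None and rule.action == "permit"


def audit(policy: List[Rule]) -> List[str]:
    """Flag permits that touch Production, are overly broad, or skip the IDP."""
    findings = []
    for r in policy:
        if r.action != "permit":
            continue
        port = "any" if r.dport is None else str(r.dport)
        path = f"{r.src} -> {r.dst}:{port}"
        if "Production" in (r.src, r.dst):
            findings.append(f"{path} touches the Production zone")
        if "any" in (r.src, r.dst):
            findings.append(f"{path} is overly broad")
        if not r.inspected:
            findings.append(f"{path} bypasses the IDP")
    return findings


if __name__ == "__main__":
    # Constructed sample flows: Office -> Production must fail, Office -> DMZ may pass.
    print("Office -> Production:443 allowed?", is_allowed("10.10.1.5", "10.20.1.5", 443))
    print("Office -> DMZ:443 allowed?", is_allowed("10.10.1.5", "10.30.0.10", 443))
    for finding in audit(POLICY):
        print("finding:", finding)
```

The audit deliberately reports the VPN path: the thread's layout has the VPN device beside the IDP rather than behind it, so remote-access sessions into Office are the one permitted flow the IDP cannot see. Keeping the zone map and the policy in a file like this, and re-running the checks after every firewall change, is a cheap way to hand the next person a layout they can verify rather than reverse-engineer.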