0

I'm kind of new to networking. Suppose that all my VLANs have access to the web server and authoritative DNS server but only VLAN 40 has access to the Internet while VLANs 10, 20 and 30 do not have access to the outside Internet. Will this be a good network topology considering redundancy and load balancing (HSRP between the two routers, etc)? Should the DNS server be placed in the internal zone instead of the DMZ zone? Should I place my FW2 elsewhere to protect against internal attack or will this suffice?

Both firewalls are Cisco Firepower 1010. Proposed Network Topology

I came up with another one that may make more sense Second network topology

Improve this question
2
  • 1
    Maybe I’m missing something but what is the use of FW2? If everything is behind FW1 already, what is it’s primary use? Commented Oct 30, 2024 at 8:39
  • 1
    Those diagrams are different topologies. Commented Oct 30, 2024 at 8:54

2 Answers 2

Reset to default
1

Top diagram:

  • FW1 is single point of failure for DMZ, ISP/WAN
  • FW2 doesn't do anything apparently
  • DSW1 is SPoF for S1, S2, S3
  • DSW2 is SPoF for S4
  • S5 is SPof for DMZ

You should have two handover/interconnect ports in those places.

Should I place my FW2 elsewhere to protect against internal attack or will this suffice?

Internal traffic seems to use R1/R2, so any filtering/protection would need to take place there.

Bottom diagram:

  • FW1 is SPoF for ISP/WAN
  • FW2 is SPoF for DMZ
  • R1 is SPoF for ISP/WAN
Improve this answer
1

Both of your diagrams have some good aspects:

  1. Top diagram doesn't let outside [Internet] traffic touch inside network. That's good security.

  2. Bottom diagram shows leaf switches have redundancy to distro/spine.

Regards.

Improve this answer