PIX and VLANs Revisited

I'm sorry to ask this question again but I need to clarify.

I have the task of specing a Firewall that will perform Inter-VLAN routing. Our customer has a core switch that will only do Layer 2. It will however perform VLAN tagging, and you can create a 802.1q trunk. I need to separate the network into 3 VLANs. I have phoned Watchguard UK up and have found out that the Watchguard cannot do Inter-VLAN routing. My question is can the PIX do Inter-VLAN routing?

If so, I'd plan to spec a PIX with 5 gigabit physical interfaces (1 outside to the router, and 3, 1 for each of the VLANs, with some expandability); each interface would be assigned its own VLAN ID and would trunk to the switch. Each VLAN would be a separate individual logical network - would this work OK? I assume access-groups would be required to allow traffic from one VLAN to another? Is this correct/OK?

Cheers for any help in advance!

Ryan

-- ryanfinnerty

Yes, all the 5xx series models except the 501 and 510 will do Inter-VLAN firewalling.

If so then you probably do not really want a PIX.

The top end PIX, the 535 model, is spec'd as supporting up to 9 gigabit interfaces, but if you look further you will find that it is handled as four PCI/66 (64 bit) slots and five PCI/33 (32 bit) slots. You will not be able to actually get gigabit on a PCI 32@33 slot, even if you have no bus contention. Considering the age of the design of the 535, one should probably not expect more than about 300 megabits/s for a PCI/33 slot [circa 2003 rates.] I see that the internal design of the 535 must have been updated, as the original spec had only 1 PCI/66 (64 bit) + 2 PCI/33 (32 bit), but the cleartext throughput limit has remained the same (1.7 gigabits/s), so I doubt there has been a complete internal revamp. And one must ask how many distinct PCI busses are involved, not just how many slots are involved, since bus contention could be a major problem.

The FWSM blade for the 6500/7200 is rated as noticeably faster (about 5 gigabits/s if I recall properly), but it is also about $US40,000 for the blade alone without even the 6500 to go with it.

The new Cisco ASA 5500 series tops out at 650 megabits/s throughput, so unless for you "gigabit" is just short for "more than 100 megabits/s" then the ASA 5500 wouldn't be suitable.

Yes for traffic going to a "higher security level".

I deduce that this is not a Very High Security situation: if it were then a) there would already be a firewall in place; and b) you wouldn't be allowing the 3 VLANs onto the same switch, just in case someone figured out how to VLAN-hop.

That being the case, and lacking hard performance requirements, it would appear to make more sense to just use -two- gigabit interfaces, one to outside and the other one an 802.1Q trunk between the PIX and the switch. The PIX can firewall between multiple 802.1Q VLANs on the -same- physical interface. Depending on your real performance requirements, this might drop you down as far as a PIX 515E; we have 2 gigabit interfaces on our PIX 525 (but we aren't even close to pushing the throughput limits on it.)

If you were going to use distinct physical interfaces, you wouldn't need your firewall to handle 802.1Q at all: just make port 1 on the switch an untagged member of the first VLAN, port 2 an untagged member of the second VLAN, port 3 an untagged member of the third VLAN; then your firewall just runs normally as if the VLANs weren't present, sending the output packets to the appropriate firewall interface for transmission to the switch, which will add on the appropriate new 802.1Q tag associated with the ingress port, and off you go.

-- Walter Roberson
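A worked configuration for the two-interface layout suggested above (one interface to outside, one 802.1Q trunk carrying all three VLANs), added here as an illustration and not taken from any of the original posts. It is written in PIX 7.x / ASA syntax; the interface names, VLAN IDs, security levels, addresses and access-list contents are assumptions chosen for the example.

```ios
! PIX 7.x / ASA syntax (added example, not from the original thread).
! Physical trunk port towards the switch: it carries tagged frames only, so it
! gets no name, no security level and no address of its own.
interface GigabitEthernet1
 no nameif
 no security-level
 no ip address
 no shutdown
!
! One subinterface per 802.1Q VLAN. Each one is a full firewall interface in its
! own right; the "vlan" line is the tag the PIX expects and emits on the trunk.
! VLAN IDs, names, levels and addresses below are assumed.
interface GigabitEthernet1.10
 vlan 10
 nameif servers
 security-level 60
 ip address 10.10.0.1 255.255.255.0
!
interface GigabitEthernet1.20
 vlan 20
 nameif users
 security-level 40
 ip address 10.20.0.1 255.255.255.0
!
interface GigabitEthernet1.30
 vlan 30
 nameif guests
 security-level 10
 ip address 10.30.0.1 255.255.255.0
!
! Default rule: traffic may flow from a higher security level to a lower one,
! but anything headed to a higher level is dropped until an access-list lets it
! through. users (40) reaching servers (60) therefore needs an access-group.
! Note that once an ACL is bound to an interface it replaces the implicit
! higher-to-lower permit, so the outbound "permit ip ... any" must be explicit.
access-list users_in extended permit tcp 10.20.0.0 255.255.255.0 10.10.0.0 255.255.255.0 eq 443
access-list users_in extended permit udp 10.20.0.0 255.255.255.0 host 10.10.0.53 eq 53
access-list users_in extended deny ip any 10.10.0.0 255.255.255.0
access-list users_in extended permit ip 10.20.0.0 255.255.255.0 any
access-group users_in in interface users
!
! guests (10) get no path into either internal VLAN, only out towards outside.
access-list guests_in extended deny ip any 10.10.0.0 255.255.255.0
access-list guests_in extended deny ip any 10.20.0.0 255.255.255.0
access-list guests_in extended permit ip 10.30.0.0 255.255.255.0 any
access-group guests_in in interface guests
```

The switch port facing GigabitEthernet1 has to be an 802.1Q trunk allowing VLANs 10, 20 and 30; that part lives in the switch configuration, not on the PIX. Because the three subinterfaces have distinct security levels, no `same-security-traffic permit inter-interface` statement is needed. The older PIX 6.3 software expresses the same design with `interface ... vlanN logical` and `nameif` lines rather than the subinterface form shown here.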

The Fortigate 3600 would probably work for you, unless you plan to actually saturate your network with 5 Gigabits of data. It's a 4Gbps firewall but it has 5 Gig interfaces. So unless all 5 interfaces were firing at full speed you should be ok. And I think that the price, in this space, will surprise you by how reasonable it is.

You should talk to a good reseller or contact Fortinet directly with the exact details of your implementation but I don't think that inter-VLAN routing is a problem. The VLANs are assigned to different networks and then policies and the routing table control the traffic between them, just like any other traffic going through the box.

-Russ.

-- Somebody.

Guys - thanks for all your help on this. Well, in my research I found that the Watchguard Firewalls don't support VLANs at all - just FYI. What I think I'm going to do is install a 3750 L3 Switch - apparently you can apply VACLs with it - which was news to me, seeing as I thought only switches above the 6000 series support VACLs. This will be interesting as I've never configured VACLs on IOS based switches before and can only find CatOS config examples on the net.

Cheers,

Ryan

-- ryanfinnerty

The 3750 is a nice device for what it can do, but it is limited in its firewalling capacities.

If you look at the Feature Navigator, you will see that the 3550/3750 are not listed as supporting VACL -- because it does not support the "VACL" feature as described in the linked documentation [link not preserved].
The 3550/3750 supports extended IP ACLs applied to VLANs, and supports route-map, and it supports MAC level ACLs applied in -some- contexts, and it supports port maps that restrict which ports can talk directly to which other ports -- but it does not support creating a "vlan access-map", which is similar to a route-map but can "match" "address" against IP, IPX, or MAC ACLs all in the same map. [I'd have to double-check that the 3550 supports all of these features; it cannot do quite everything that the 3750 can do.]

The 3550/3750 does not support reflexive ACLs, and does not support ip inspection, and does not support any kind of stateful traffic control.

The 3550/3750 only supports static access controls. That is good enough for some kinds of security, but it is not a firewall.

If you need routing between VLANs plus static controls, then any of Cisco's routers from about the 1700 series upwards can do that, and with the Firewall Feature Set or Advanced Security they could do meaningful firewalling as well.

Unfortunately, to get 5 x gigabit interfaces you would, as best I recall at the moment, need to go for at least a 4500 "switch" (which is really a router when you put in any of the Supervisors available for it.) {Just maybe you'd be able to get 5 x gig in a 4000 "switch"... but not with anything approaching gigabit throughput.} If I recall correctly, the 4000/4500 does not support firewall features, which would drive you into the 5000 series... but those are end of sale, so the choice would be the 6500/7200 or perhaps some newer product that hasn't come to my attention yet. The ASA5500 series does firewalling and can have 4 gigabit interfaces, but the max throughput on the ASA5500 is 650 Mbps.

-- Walter Roberson
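To make the "static access controls, not a firewall" point concrete, here is the same three-VLAN split as it would look on a Catalyst 3750 with routed ACLs on the VLAN interfaces. This is an added example, not configuration from the original posts; VLAN IDs, addresses and the ACL contents are assumptions. The interesting part is the reply direction: with no connection table, return traffic has to be opened by hand.

```ios
! Catalyst 3750 IOS syntax (added example, not from the original thread).
! Routing must be enabled before SVIs forward between VLANs.
ip routing
!
vlan 10
 name servers
vlan 20
 name users
!
! One switched virtual interface per VLAN; the ACL is applied inbound on each.
interface Vlan10
 ip address 10.10.0.1 255.255.255.0
 ip access-group SERVERS_IN in
!
interface Vlan20
 ip address 10.20.0.1 255.255.255.0
 ip access-group USERS_IN in
!
! Users may open HTTPS to the server VLAN and nothing else towards it.
ip access-list extended USERS_IN
 permit tcp 10.20.0.0 0.0.0.255 10.10.0.0 0.0.0.255 eq 443
 deny   ip  10.20.0.0 0.0.0.255 10.10.0.0 0.0.0.255
 permit ip  any any
!
! The reply path. A stateful firewall would derive this from the forward
! connection; the 3750 has no state, so it is written out. "established"
! only checks that ACK or RST is set in the TCP header: it does not know
! whether a matching SYN ever left the users VLAN, and it has no UDP form.
! A host in the server VLAN can therefore reach any users-side port by
! sending segments with ACK set, which is exactly the gap a firewall closes.
ip access-list extended SERVERS_IN
 permit tcp 10.10.0.0 0.0.0.255 eq 443 10.20.0.0 0.0.0.255 established
 deny   ip  10.10.0.0 0.0.0.255 10.20.0.0 0.0.0.255
 permit ip  any any
```

Compare this with a security-level based box, where the server-to-user reply line does not exist at all: the device permits it because it saw the user's outbound connection, and drops a bare ACK segment that has no matching connection.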

Addendum:

The current PIX 535 has this arrangement:

Bus 0: 66 MHz/64 bits, slot 0, slot 1
Bus 1: 66 MHz/64 bits, slot 2, slot 3
Bus 2: 33 MHz/32 bits, slot 4, slot 5, slot 6, slot 7, slot 8

This would lead to major throughput degradation if you had more than one busy gigabit card in Bus 2.

-- Walter Roberson

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.