01-28-2013 03:18 PM
Security dictates I have an L2 network that is electrically separate from my production network, i.e. a separate set of switches with no connection to production and is used for management of infrastructure devices only. I now am setting up a second data center in another city. I'm fortunate in that my remote data center has been physically located in my local data center and my network stack is complete and tested. Unfortunately, I've existed with this configuration and my management network is all one big happy L2 network. My L2 network is called nmnet (network management network) and contains devices staying locally and devices moving to the remote data center. My problem is twofold:
I have equal firewalls at both sites. I have a firewall in front of my data center, an internal dmz firewall and an external dmz firewall. I call these DC, DMZI and DMZO respectively. Traffic flows "south to north" from my DC to DMZI to DMZO firewalls locally and "north to south" from my DMZO to DMZI to DC firewalls remotely - and vice versa.
Can I create a set of vwires through my firewalls to my DMZO firewalls and use an IPSec tunnel between my two site DMZO firewalls? Here's my scenario:
DC firewalls:
• ethernet1/2=nmnet-vwire, zone=z.nmnet, physical connection=nmnet L2 network
• ethernet1/3=nmnet-vwire, zone=z.nmnet, physical connection=ethernet1/2 of dmzi firewall
DMZI firewalls:
• ethernet1/2=nmnet-vwire, zone=z.nmnet, physical connection=ethernet1/3 of dc firewall
• ethernet1/3=nmnet-vwire, zone=z.nmnet, physical connection=ethernet1/2 of dmzo firewall
DMZO firewalls:
• ethernet1/2=nmnet-vwire, zone=z.nmnet, physical connection=ethernet1/3 of dmzi firewall
• ethernet1/3=nmnet-vwire, zone=z.nmnet, physical connection=ethernet1/2 of dmzo firewall
• create tunnel.9 assigned to z.nmnet, stpe address 192.168.186.1, mkt address 192.168.196.1
• create ipsec tunnel with ike gateway interface ethernet1/13 and tunnel interface tunnel.9
I know it's long, but hopefully somebody will brave through it with an answer.
Thanks,
Bart
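Before committing a vwire chain like the one above, it is worth sanity-checking the plan itself. The script below is an added example (not the poster's configuration or any Palo Alto Networks tool): it transcribes the interface plan from the post into a small table and checks two things a reviewer would look for, that every firewall-to-firewall cable is listed from both ends, and that no zone mixes interface types (it assumes, as PAN-OS enforces, that a zone has exactly one type, so a Layer 3 tunnel interface cannot share a zone with virtual-wire interfaces). The "switch" and "-" peer values are labels constructed for this example.

```python
from collections import defaultdict

# Constructed from the interface plan in the post (one line per interface:
# firewall, interface, interface type, zone, what the port is cabled to).
# "switch" = the nmnet L2 fabric, "-" = no cable (tunnel interface).
PLAN = """\
dc   ethernet1/2 virtual-wire z.nmnet switch
dc   ethernet1/3 virtual-wire z.nmnet dmzi:ethernet1/2
dmzi ethernet1/2 virtual-wire z.nmnet dc:ethernet1/3
dmzi ethernet1/3 virtual-wire z.nmnet dmzo:ethernet1/2
dmzo ethernet1/2 virtual-wire z.nmnet dmzi:ethernet1/3
dmzo ethernet1/3 virtual-wire z.nmnet dmzo:ethernet1/2
dmzo tunnel.9    layer3       z.nmnet -
"""


def parse_plan(text):
    """Return {(firewall, interface): {"type", "zone", "peer"}}."""
    ports = {}
    for line in text.strip().splitlines():
        fw, iface, itype, zone, peer = line.split()
        ports[(fw, iface)] = {"type": itype, "zone": zone, "peer": peer}
    return ports


def check_cabling(ports):
    """Every firewall-to-firewall cable must be listed from both ends."""
    problems = []
    for (fw, iface), p in ports.items():
        if ":" not in p["peer"]:
            continue  # switch fabric or no cable: nothing to reciprocate
        pfw, piface = p["peer"].split(":", 1)
        if pfw == fw:
            problems.append(f"{fw} {iface} is cabled to its own {piface}")
        elif ports.get((pfw, piface), {}).get("peer") != f"{fw}:{iface}":
            problems.append(f"{fw} {iface} -> {pfw} {piface} is not reciprocated")
    return problems


def check_zone_types(ports):
    """A PAN-OS zone has one type (assumption); flag zones mixing types."""
    types = defaultdict(set)
    for (fw, iface), p in ports.items():
        types[(fw, p["zone"])].add(p["type"])
    return [f"{fw} zone {zone} mixes {sorted(t)}"
            for (fw, zone), t in types.items() if len(t) > 1]


if __name__ == "__main__":
    ports = parse_plan(PLAN)
    for problem in check_cabling(ports) + check_zone_types(ports):
        print("PROBLEM:", problem)
```

Run against the plan as posted, it reports the DMZO ethernet1/3 entry that points back at the same firewall and the z.nmnet zone on DMZO that would hold both vwire and tunnel interfaces.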