Network Segmentation

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Network Segmentation

L1 Bithead

Hi,

 

I'm working to redifine the global architecture. Currently, we have a cluster of 2 Watchguard but we will migrate to Palo Alto (PA-850). Currently, all vlan are configured on Watchguard but I'm not sure that is the best approach. On my LAB, based on GNS3 emulator, I configured a Palo Alto connected to our core switch (Cisco C3850-12s). At short time, the PA-850 will have only 1Gb interface (no 10gb). On my lab, I simulate this network segmentation :

 

- Eth1/1 (Untrust zone) to connect our Internet access

- Eth1/3 (Trust zone) for all vlan configured on core switches (user vlan, toip vlan, printers vlan, visioconferencing vlan...)

- Eth1/4 with several subinterfaces :

        1/4.2 : Network for network admin interfaces (Net_Admin zone)

         1/4.10 : Network for DSI server including SI application (Confluence, Jira,..) and IT infrastructure such as AD, SCCM, antivirus console,.. (DSI_Infra zone)

         1/4.20 : Network used to connected for DSI admin users laptop's (Dsi_Users zone )

         1/4.32 : Network for Wifi Guest (Guest zone)

         1/4.60 : Network for projects/dev servers without security constraint (Mutproj zone)

          1/4.96, 1/4.97,... : Network used for project with security aspects (Secure zone)

 

I need to work on the best segmentation for our network where standard user have no full access on all servers or zone but easly to administrate. What is your opinion about this segmentation ? And regarding performance, is there a risk of issue because lot of trafic will pass through PA-850 (users in trust zone to servers in DSI_Server zone, server in mutproj to dsi_server zone to communicate with AD, sccm..) ? At short time, I'm not able to use 10gb interface so I plan to create an aggregate of Eth1/4 and Eth1/5 to improve bandwidth and performance (I can't emulate it on my lab based on gns3)

 

What is your opinion ? And if you have a better approach, don't hesitate to share it..

 

BR



Please note you are posting a public message where community members and experts can provide assistance. Sharing private information such as serial numbers or company information is not recommended.
0 REPLIES 0
  • 1538 Views
  • 0 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!