01-13-2024 03:13 PM
Hi there,
Your management interface would typically be connected via an edge (access) port on your switch. Assuming your switch is Layer 3 capable, then you would assign an SVI to this management VLAN. I will assume one of your VLANs must be an 'inside/trust' type. So on your switch you would configure another SVI; this would allow traffic in the trusted zone to be routed towards your management interface.
The other VLANs, let's guess, are something like DMZ and wireless. Both of these will be switched on your switch but not routed. The firewall will be configured with routed sub-interfaces; this way the firewall will be the gateway for those subnets and will be able to control all inter-VLAN flows.
I would not worry about additional Virtual Routers at this early stage.
Your security zones will probably have a 1:1 mapping to your VLANs: inside, DMZ, wifi and WAN. The security policy which you define will secure inter-zone flows, i.e. traffic moving from one VLAN (zone) to another. Let's say, for example, wifi can initiate communication with WAN and DMZ but not trust. DMZ can only initiate communication with WAN, but all the other zones can talk to it, etc.
Regarding NAT, I would imagine you would only need to configure translation on your WAN interface with source NAT for all outbound flows. You would also configure static NAT for selected ports towards your DMZ hosts.
Hope that helps.
cheers,
Seb.
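The zone design sketched in the reply above, modelled as an added example (not code from the post or from any vendor): VLANs map 1:1 to zones, a first-match rule table expresses which zone may initiate sessions to which, and anything unmatched between zones is denied. The VLAN ids and the DMZ port set are assumptions for illustration.

```python
"""Model of the inter-zone policy described in the reply (constructed example)."""

# Assumed VLAN ids; the WAN is a routed firewall interface, not a VLAN, so it has no entry.
VLAN_TO_ZONE = {10: "inside", 20: "dmz", 30: "wifi"}

# Rules from the reply, evaluated top-down on session initiation only; a stateful
# firewall allows the return traffic of a permitted session, so no reverse rules exist.
# (src_zone, dst_zone, allowed_dst_ports or None for any, action)
RULES = [
    ("wifi", "wan", None, "allow"),         # wifi can initiate to WAN
    ("wifi", "dmz", None, "allow"),         # wifi can initiate to DMZ
    ("dmz", "wan", None, "allow"),          # DMZ can initiate only to WAN
    ("inside", "wan", None, "allow"),       # outbound, source-NATed on the WAN interface
    ("inside", "dmz", None, "allow"),       # inside can talk to DMZ
    ("wan", "dmz", {80, 443}, "allow"),     # static NAT for selected DMZ ports (assumed set)
]


def zone_for_vlan(vlan_id: int) -> str:
    """Return the zone a VLAN belongs to (1:1 mapping, as the reply suggests)."""
    return VLAN_TO_ZONE[vlan_id]


def evaluate(src_zone: str, dst_zone: str, dst_port: int) -> str:
    """First-match lookup: intrazone traffic is allowed, unmatched interzone traffic denied."""
    if src_zone == dst_zone:
        return "allow"
    for src, dst, ports, action in RULES:
        if src == src_zone and dst == dst_zone and (ports is None or dst_port in ports):
            return action
    return "deny"  # implicit interzone deny


def initiators_to(dst_zone: str, dst_port: int) -> set:
    """Which zones may open a session to dst_zone on dst_port; useful for reviewing the policy."""
    zones = set(VLAN_TO_ZONE.values()) | {"wan"}
    return {z for z in zones if z != dst_zone and evaluate(z, dst_zone, dst_port) == "allow"}


if __name__ == "__main__":
    for src, dst, port in [("wifi", "inside", 22), ("dmz", "inside", 22), ("wan", "dmz", 443)]:
        print(f"{src:>6} -> {dst:<6} port {port}: {evaluate(src, dst, port)}")
    print("can reach DMZ on 443:", sorted(initiators_to("dmz", 443)))
```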