Designing for larger networks
How to approach the design of a network with a firewall and a large L3 switch?
If all inter-VLAN traffic is handled on the core switch, then you'd have a "routing" network between the core and the firewall.
But this would result in all traffic originating from the same zone. So you'd create VLAN sub-interfaces in the routing network, and policy routes on the L3 switch, so that each client network would be routed to the Sonicwall on its own routing VLAN and therefore originate from its own zone.
Can anyone point out any flaws with the above?
The purpose of having individual zones is mainly administrative convenience. Otherwise you would have one source zone with potentially hundreds of rules!
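The design sketched above, written out as an added example that is not from the original post or from SonicWall: a Cisco IOS-style core switch configuration with two client VLANs, two per-zone routing VLANs towards the firewall, and the policy routes that steer each client VLAN onto its own routing VLAN. The VLAN numbers, addresses, interface name and the Cisco syntax are all assumptions, and 10.0.0.0/8 stands in for the whole internal address space.

```cisco
! Client VLANs: inter-VLAN routing stays on the core switch
interface Vlan10
 description Clients-A (assumed 10.10.0.0/16)
 ip address 10.10.0.1 255.255.0.0
 ip policy route-map PBR-VLAN10
!
interface Vlan20
 description Clients-B (assumed 10.20.0.0/16)
 ip address 10.20.0.1 255.255.0.0
 ip policy route-map PBR-VLAN20
!
! One "routing" VLAN (/30) per client zone towards the firewall
interface Vlan110
 description Transit to firewall sub-interface for zone Clients-A
 ip address 10.255.10.1 255.255.255.252
!
interface Vlan120
 description Transit to firewall sub-interface for zone Clients-B
 ip address 10.255.20.1 255.255.255.252
!
! Trunk carrying only the routing VLANs to the firewall port
interface GigabitEthernet1/0/48
 description Uplink to firewall X1 (VLAN sub-interfaces on the firewall)
 switchport mode trunk
 switchport trunk allowed vlan 110,120
!
! Deny internal destinations first so inter-VLAN traffic keeps using the
! normal routing table; only traffic leaving the site is policy-routed.
ip access-list extended PBR-SRC-VLAN10
 deny   ip 10.10.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 permit ip 10.10.0.0 0.0.255.255 any
!
ip access-list extended PBR-SRC-VLAN20
 deny   ip 10.20.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 permit ip 10.20.0.0 0.0.255.255 any
!
! Each client VLAN is steered to the firewall address on its own routing VLAN
route-map PBR-VLAN10 permit 10
 match ip address PBR-SRC-VLAN10
 set ip next-hop 10.255.10.2
!
route-map PBR-VLAN20 permit 10
 match ip address PBR-SRC-VLAN20
 set ip next-hop 10.255.20.2
!
! Fallback for traffic from VLANs without a policy (lands in one default zone)
ip route 0.0.0.0 0.0.0.0 10.255.10.2
```

On the firewall, each routing VLAN becomes a VLAN sub-interface of X1 assigned to its own zone, and a static route for each client subnet must point back at the matching core SVI (10.10.0.0/16 via 10.255.10.1, 10.20.0.0/16 via 10.255.20.1) so that return traffic enters the same zone it left from. As a later reply in the thread notes, check whether the switch platform performs policy routing in hardware before relying on this.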
Answers
The doc is now quite old, but I assume that the idea of the firewall sandwich still applies to the higher-end models.
https://software.sonicwall.com/Firmware/Documentation/232-003182-00_RevA_SonicOS_6.2.5.1_ReleaseNotes.pdf
At one of my clients we are using inter-VLAN routing and ACLs for inter-VLAN traffic on the stacked L3 switches, and for internet access we are using a 0.0.0.0/0 route to the firewall / firewall security rules.
This topology has some disadvantages and advantages.
Disadvantages: you cannot IPS/GAV/SPYWARE/CATP scan or block inter-VLAN traffic via the firewall.
You cannot assign user-based rules or manage traffic.
Advantages: inter-VLAN traffic will be high performance.
If you have stacked / HSRP/VRRP switches, you will have a lower cost of ownership.
Any firewall-based interruptions won't affect internal LAN traffic.
I think the clarification the question needs is "how large a network?"
Is there a requirement to implement security services within the core for traffic, or would this be used to protect specific services within the network that are not externally exposed?
The customer would like to protect inter-VLAN traffic but he understands that this massively increases the capacity requirements of the firewall platform and the budget for this would probably never be approved. I am only consulting on the edge firewall, the switching is handled by someone else. No doubt, C***o will chip in and say that they can provide some kind of DPI module for the switching, at great expense :)
The customer doesn't really want to use their firewall as internal L3 because of things like roaming profiles.
Even simply enabling policy routing on their existing L3 switching causes all packets to be punted to the routing engine card [or something like that, this is not my speciality], which is then pretty quickly overwhelmed.
Why is this? AFAIK the SSO functionality is based on the L3 source address, not L2, right? I.e., the firewall asks the SSO Agent "who is logged on to IP address 192.168.1.1?" when 192.168.1.1 makes an outbound connection; there is no conversation/knowledge about the L2 address, so the firewall having an interface in the L2 network should not be a requirement.