This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Neville_Kuo
Advisor
‎2018-10-08 07:16 AM

架構問題討論

假設有一光電客戶架構如下:

好啦我知道我手繪很醜,重點:

1.此需求是因為台積電先前產線電腦中毒事件而生,所以希望杜絕縱向橫向感染擴散

2.整個FAB機房都不能上網,FAB PC超過200台,都在同一個vlan,但它們其實不用互通

3.圖上的FAB switch彼此串接,紅字A和S是Spanning tree的兩條路,平常只有A有通

4.所有的FAB Switch都是Cisco 2960

5.所有FAB機台的OS包含了Windows, WinCE, Linux,所以SBA佈署不可行

當然可以規劃每台FAB PC前面都放一台SMB跑L2 mode來解,想問問各位有沒有其它更好的解法,請記住是連東西向都要隔絕,有沒有可能用一台Firewall完成?

8 Replies
Neville_Kuo
Advisor
‎2018-10-08 07:19 AM

當然我心中有自己的答案

Danny_Yang
Ambassador
Ambassador
‎2018-10-10 08:18 AM

擺一顆較大的Firewall切VS如何?

0 Kudos
Neville_Kuo
Advisor
‎2018-10-10 06:58 PM

謝謝回應。

先不論不能上網更新的問題,我比較好奇超過250台電腦要怎麼接到vsys去? 只要中間有過switch橫向防護就會失敗喔。

0 Kudos
Benis_Lin
Explorer
‎2018-10-11 08:57 PM

2960就用private vlan隔離比較快. 

Neville_Kuo
Advisor
‎2018-10-11 10:52 PM

老師說出我心中的答案,pvlan不用錢,南北向用一台中型的Check Point搞定。

RickLin
Advisor
‎2018-10-19 07:58 AM

Neville 是要考老師嗎?不太明白為什麼你知道答案要問這個問題

這好像是我南部客戶的問題...給你們幾位大師傷腦筋添麻煩了....

Neville_Kuo
Advisor
‎2018-10-19 08:06 AM

我什麼咖還考老師咧,只是覺得你們這個客戶的問題值得討論,看看大家有什麼好方法。

RickLin
Advisor
‎2018-10-19 08:36 AM

有勞操心了,改天某幾個專案忙差不多的時候,再Join你們的行列.

Upcoming Events

    CheckMates Events