
Topology

This document provides an overview of the standard 3-layer enterprise network topology and examines how traffic flows in environments with and without Gatekeeper deployment.

The topology consists of three hierarchical layers:

  • Access Layer: Where end devices connect (L2 or L3 switches)
  • Distribution Layer: Aggregation and routing between access switches (L3 switches)
  • Core Layer: High-speed backbone connecting to routers and external networks

3 layer enterprise network topology without Gatekeepers deployed

Enterprise Network

Legend:

  • <Ephemeral> - Ephemeral Port (dynamically assigned port number)
  • L2 AS - Layer 2 Access Switch
  • L3 AS - Layer 3 Access Switch
  • L3 DS - Layer 3 Distribution Switch
  • Core - Core Layer Router
  • GK LAN - Gatekeeper LAN Interface
  • GK WAN - Gatekeeper WAN Interface

For the devices connected to L2 access switch

East-West Traffic (Intra-VLAN Communication): When devices in the same VLAN need to communicate.

172.16.10.10/24:<Ephemeral> → L2 AS → 172.16.10.20/24:8443
East-West Traffic (Intra-VLAN Communication) Forward Traffic

172.16.10.20/24:8443 → L2 AS → 172.16.10.10/24:<Ephemeral>
East-West Traffic (Intra-VLAN Communication) Reverse Traffic

East-West Traffic (Inter-VLAN Communication): When devices in different VLANs need to communicate.

172.16.10.10/24:<Ephemeral> → L2 AS → 172.16.10.1 (L3 DS) 172.16.20.1 → L2 AS → 172.16.20.10/24:8443
East-West Traffic (Inter-VLAN Communication) Forward Traffic

172.16.20.10/24:8443 → L2 AS → 172.16.20.1 (L3 DS) 172.16.10.1 → L2 AS → 172.16.10.10/24:<Ephemeral>
East-West Traffic (Inter-VLAN Communication) Reverse Traffic

North-South Traffic (External Communication): When a device needs to communicate with an external network.

172.16.10.10/24:<Ephemeral> → L2 AS → 172.16.10.1 (L3 DS) → Core → 8.8.8.8:53
North-South Traffic (External Communication) Forward Traffic

8.8.8.8:53 → Core → L3 DS → L2 AS → 172.16.10.10/24:<Ephemeral>
North-South Traffic (External Communication) Reverse Traffic

For the devices connected to L3 access switch

East-West Traffic (Intra-VLAN Communication): When devices in the same VLAN need to communicate.

172.16.40.10/24:<Ephemeral> → L3 AS → 172.16.40.20/24:8443
East-West Traffic (Intra-VLAN Communication) Forward Traffic

172.16.40.20/24:8443 → L3 AS → 172.16.40.10/24:<Ephemeral>
East-West Traffic (Intra-VLAN Communication) Reverse Traffic

East-West Traffic (Inter-VLAN Communication): When devices in different VLANs need to communicate.

172.16.40.10/24:<Ephemeral> → (172.16.40.1) L3 AS (172.16.50.1) → 172.16.50.10/24:8443
East-West Traffic (Inter-VLAN Communication) Forward Traffic

172.16.50.10/24:8443 → (172.16.50.1) L3 AS (172.16.40.1) → 172.16.40.10/24:<Ephemeral>
East-West Traffic (Inter-VLAN Communication) Reverse Traffic

North-South Traffic (External Communication): When a device needs to communicate with an external network.

172.16.40.10/24:<Ephemeral> → L3 AS → 172.16.40.1 (L3 DS) → Core → 8.8.8.8:53
North-South Traffic (External Communication) Forward Traffic

8.8.8.8:53 → Core → L3 DS → L3 AS → 172.16.40.10/24:<Ephemeral>
North-South Traffic (External Communication) Reverse Traffic

3 layer enterprise network topology with Gatekeepers deployed

When a policy is applied to any of the devices, firewall rules are automatically pushed to the Gatekeeper(s), which act as the enforcement point.

Gatekeeper Deployed in Enterprise Network

Two deployment modes are supported:

  1. Symmetric Mode
  2. Asymmetric Mode

Symmetric Mode

In this mode, the SVIs of the VLANs that are to be managed by the Gatekeeper are shut down on the L3 distribution switch (the switch connected to the Gatekeeper) and are configured on the Gatekeepers instead, so the Gatekeepers become the gateway for the devices. In addition, a static route is configured on the L3 distribution switch or L3 access switch so that traffic destined to devices in any of these VLANs is routed through the Gatekeeper's WAN interface.

For the devices connected to L2 access switch

East-West Traffic (Intra-VLAN Communication): When devices in the same VLAN need to communicate.

172.16.10.10/32:<Ephemeral> → L2 AS → L3 DS → (172.16.10.1) GK LAN → L3 DS → L2 AS → 172.16.10.20/32:8443
East-West Traffic (Intra-VLAN Communication) Forward Traffic

172.16.10.20/32:8443 → L2 AS → L3 DS → (172.16.10.1) GK LAN → L3 DS → L2 AS → 172.16.10.10/32:<Ephemeral>
East-West Traffic (Intra-VLAN Communication) Reverse Traffic

East-West Traffic (Inter-VLAN Communication): When devices in different VLANs need to communicate.

172.16.10.10/32:<Ephemeral> → L2 AS → L3 DS → (172.16.10.1) GK LAN (172.16.20.1) → L3 DS → L2 AS → 172.16.20.10/32:8443
East-West Traffic (Inter-VLAN Communication) Forward Traffic

172.16.20.10/32:8443 → L2 AS → L3 DS → (172.16.20.1) GK LAN (172.16.10.1) → L3 DS → L2 AS → 172.16.10.10/32:<Ephemeral>
East-West Traffic (Inter-VLAN Communication) Reverse Traffic

North-South Traffic (External Communication): When a device needs to communicate with an external network.

172.16.10.10/32:<Ephemeral> → L2 AS → L3 DS → (172.16.10.1) GK LAN → GK WAN → L3 DS → Core → 8.8.8.8:53
North-South Traffic (External Communication) Forward Traffic

8.8.8.8:53 → Core → L3 DS → GK WAN → GK LAN → L3 DS → L2 AS → 172.16.10.10/32:<Ephemeral>
North-South Traffic (External Communication) Reverse Traffic

For the devices connected to L3 access switch

East-West Traffic (Intra-VLAN Communication): When devices in the same VLAN need to communicate.

172.16.40.10/24:<Ephemeral> → L3 AS → 172.16.50.10/24:8443
East-West Traffic (Intra-VLAN Communication) Forward Traffic

172.16.50.10/24:8443 → L3 AS → 172.16.40.10/24:<Ephemeral>
East-West Traffic (Intra-VLAN Communication) Reverse Traffic

East-West Traffic (Intra-VLAN Communication) with /32 subnet mask: When devices in the same VLAN need to communicate, with both of them configured with a /32 subnet mask.

172.16.40.10/32:<Ephemeral> → L3 AS → (172.16.40.1) GK LAN → L3 AS → 172.16.40.20/32:8443
East-West Traffic (Intra-VLAN Communication) with /32 subnet mask Forward Traffic

172.16.40.20/32:8443 → L3 AS → (172.16.40.1) GK LAN → L3 AS → 172.16.40.10/32:<Ephemeral>
East-West Traffic (Intra-VLAN Communication) with /32 subnet mask Reverse Traffic

East-West Traffic (Inter-VLAN Communication): When devices in different VLANs need to communicate.

172.16.40.10/24:<Ephemeral> → L3 AS → (172.16.40.1) GK LAN (172.16.50.1) → L3 AS → 172.16.50.10/24:8443
East-West Traffic (Inter-VLAN Communication) Forward Traffic

172.16.50.10/24:8443 → L3 AS → (172.16.50.1) GK LAN (172.16.40.1) → L3 AS → 172.16.40.10/24:<Ephemeral>
East-West Traffic (Inter-VLAN Communication) Reverse Traffic

North-South Traffic (External Communication): When a device needs to communicate with an external network.

172.16.40.10/24:<Ephemeral> → L3 AS → (172.16.40.1) GK LAN → GK WAN → L3 AS → L3 DS → Core → 8.8.8.8:53
North-South Traffic (External Communication) Forward Traffic

8.8.8.8:53 → Core → L3 DS → L3 AS → GK WAN → GK LAN → L3 AS → 172.16.40.10/24:<Ephemeral>
North-South Traffic (External Communication) Reverse Traffic

Asymmetric Mode

In this mode, the SVIs remain configured on the L3 distribution switch, and the Gatekeeper's network interface is assigned one IP from the subnet of each respective VLAN. These IPs are configured as the gateway IP of the devices in the respective VLANs. Unlike symmetric mode, no static route is defined.

For the devices connected to L2 access switch

Consider that the IPs assigned to the Gatekeeper's LAN interface are 172.16.10.2 and 172.16.20.2 for VLAN 100 and VLAN 200 respectively.

East-West Traffic (Intra-VLAN Communication): When devices in the same VLAN need to communicate.

172.16.10.10/32:<Ephemeral> → L2 AS → L3 DS → (172.16.10.2) GK LAN → L3 DS → L2 AS → 172.16.10.20/32:8443
East-West Traffic (Intra-VLAN Communication) Forward Traffic

172.16.10.20/32:8443 → L2 AS → L3 DS → (172.16.10.2) GK LAN → L3 DS → L2 AS → 172.16.10.10/32:<Ephemeral>
East-West Traffic (Intra-VLAN Communication) Reverse Traffic

East-West Traffic (Inter-VLAN Communication): When devices in different VLANs need to communicate.

172.16.10.10/32:<Ephemeral> → L2 AS → L3 DS → (172.16.10.2) GK LAN (172.16.20.2) → L3 DS → L2 AS → 172.16.20.10/32:8443
East-West Traffic (Inter-VLAN Communication) Forward Traffic

172.16.20.10/32:8443 → L2 AS → L3 DS → (172.16.20.2) GK LAN (172.16.10.2) → L3 DS → L2 AS → 172.16.10.10/32:<Ephemeral>
East-West Traffic (Inter-VLAN Communication) Reverse Traffic

North-South Traffic (External Communication): When a device needs to communicate with an external network.

172.16.10.10/32:<Ephemeral> → L2 AS → L3 DS → (172.16.10.2) GK LAN → GK WAN → L3 DS → Core → 8.8.8.8:53
North-South Traffic (External Communication) Forward Traffic

8.8.8.8:53 → Core → L3 DS → L2 AS → 172.16.10.10/32:<Ephemeral>
North-South Traffic (External Communication) Reverse Traffic

For the devices connected to L3 access switch

Consider that the IPs assigned to the Gatekeeper's LAN interface are 172.16.40.2 and 172.16.50.2 for VLAN 400 and VLAN 500 respectively.

East-West Traffic (Intra-VLAN Communication): When devices in the same VLAN need to communicate.

172.16.40.10/24:<Ephemeral> → L3 AS → 172.16.40.20/24:8443
East-West Traffic (Intra-VLAN Communication) Forward Traffic

172.16.40.20/24:8443 → L3 AS → 172.16.40.10/24:<Ephemeral>
East-West Traffic (Intra-VLAN Communication) Reverse Traffic

East-West Traffic (Intra-VLAN Communication) with /32 subnet mask: When devices in the same VLAN need to communicate, with both of them configured with a /32 subnet mask.

172.16.40.10/32:<Ephemeral> → L3 AS → (172.16.40.2) GK LAN → L3 AS → 172.16.40.20/32:8443
East-West Traffic (Intra-VLAN Communication) with /32 subnet mask Forward Traffic

172.16.40.20/32:8443 → L3 AS → (172.16.40.2) GK LAN → L3 AS → 172.16.40.10/32:<Ephemeral>
East-West Traffic (Intra-VLAN Communication) with /32 subnet mask Reverse Traffic

East-West Traffic (Inter-VLAN Communication): When devices in different VLANs need to communicate.

172.16.40.10/24:<Ephemeral> → L3 AS → (172.16.40.2) GK LAN (172.16.50.2) → L3 AS → 172.16.50.10/24:8443
East-West Traffic (Inter-VLAN Communication) Forward Traffic

172.16.50.10/24:8443 → L3 AS → (172.16.50.2) GK LAN (172.16.40.2) → L3 AS → 172.16.40.10/24:<Ephemeral>
East-West Traffic (Inter-VLAN Communication) Reverse Traffic

North-South Traffic (External Communication): When a device needs to communicate with an external network.

172.16.40.10/24:<Ephemeral> → L3 AS → (172.16.40.2) GK LAN → GK WAN → L3 AS → L3 DS → Core → 8.8.8.8:53
North-South Traffic (External Communication) Forward Traffic

8.8.8.8:53 → Core → L3 DS → L3 AS → 172.16.40.10/24:<Ephemeral>
North-South Traffic (External Communication) Reverse Traffic

Note: If one device is configured with a /32 subnet mask and the other with a /24 subnet mask, then even though the Gatekeeper is configured in symmetric mode, the traffic flow is asymmetric, as shown below.
Consider that device 172.16.10.10/32 wants to talk to 172.16.10.20/24.

172.16.10.10/32:<Ephemeral> → L2 AS → L3 DS → (172.16.10.1) GK LAN → L3 DS → L2 AS → 172.16.10.20/24:8443
Symmetric Mode As Asymmetric Mode Forward Traffic

172.16.10.20/24:8443 → L2 AS → 172.16.10.10/32:<Ephemeral>
Symmetric Mode As Asymmetric Mode Reverse Traffic
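The following is an added example, not part of this document or the Gatekeeper product, that models the host-side routing decision behind the /32 versus /24 intra-VLAN flows above and the mixed-mask note: a /32 mask leaves nothing on-link, so every packet is handed to the gateway (the Gatekeeper LAN IP), while a /24 mask lets same-subnet traffic cross the access switch directly and bypass the Gatekeeper. The host names, the collapsed switch hops and the helper names are constructed for illustration; the addresses follow the page's VLAN 100 and VLAN 200 examples.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str      # constructed label, e.g. "A"
    addr: str      # address with the mask configured on the host, e.g. "172.16.10.10/32"
    gateway: str   # default gateway the host points at (the Gatekeeper LAN IP)


def next_hop(src: Host, dst: str) -> str:
    """Return "direct" if dst is on-link for src's configured mask, else src's gateway.

    With a /32 mask no other address is on-link, so even a neighbour in the same VLAN
    is reached via the gateway; with a /24 mask same-subnet traffic is sent straight
    through the access switch and never reaches the Gatekeeper.
    """
    iface = ipaddress.ip_interface(src.addr)
    return "direct" if ipaddress.ip_address(dst) in iface.network else src.gateway


def path(src: Host, dst: Host, access: str = "L2 AS") -> list[str]:
    """Hop list in the page's notation; the L3 DS hops are collapsed into the access switch."""
    hop = next_hop(src, dst.addr.split("/")[0])
    if hop == "direct":
        return [src.name, access, dst.name]
    return [src.name, access, f"({hop}) GK LAN", access, dst.name]


def enforced_both_ways(a: Host, b: Host) -> bool:
    """True only if the Gatekeeper sits on both the forward and the reverse path."""
    return all(any("GK LAN" in h for h in p) for p in (path(a, b), path(b, a)))


# Constructed hosts: VLAN 100 gateway 172.16.10.1, VLAN 200 gateway 172.16.20.1.
A = Host("A", "172.16.10.10/32", "172.16.10.1")
B = Host("B", "172.16.10.20/32", "172.16.10.1")   # /32 peer in the same VLAN
C = Host("C", "172.16.10.20/24", "172.16.10.1")   # /24 peer in the same VLAN (mixed-mask note)
D = Host("D", "172.16.20.10/32", "172.16.20.1")   # host in VLAN 200

if __name__ == "__main__":
    for x, y in ((A, B), (A, C), (A, D)):
        print(f"{x.name}->{y.name}: {' → '.join(path(x, y))}")
        print(f"{y.name}->{x.name}: {' → '.join(path(y, x))}")
        print("  enforced both ways:", enforced_both_ways(x, y))
```

Running it shows A and B (both /32) enforced in both directions, while the A to C pair reproduces the note: forward via the Gatekeeper, reverse directly through the L2 access switch.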