I am currently implementing a new network with different segments. The separation of those segments is achieved using VLANs. To enable some segments to communicate with each other and to be reached from the internet, a firewall is planned.

I am currently thinking about two different designs, one with a single firewall handling all traffic and one with a separated exchange VLAN and a firewall for each segment.

The single firewall architecture would be implemented as a VM with network interfaces in all segments.

For the separated exchange network, each firewall VM would get two network interfaces, one in its segment and one in the exchange network.

I am currently leaning towards the single firewall, since it seems to be easier to manage. An advantage of the exchange net would be that a mistake in a single firewall should not propagate further than the exchange network. Do you have any suggestions on this topic?

Thanks and kind regards

  • Hello, welcome to the community. Are you asking for software? If so, it's off-topic here apparently... – Sir Muffington Apr 18 '22 at 20:30
  • Hey, the question was more about the two different architectures and less about how to implement them. But even with this, it might be off topic here – valkyrie Apr 22 '22 at 11:18

0 Answers