
Expressway-C and E Lan1 interface subnet


We have one Expressway setup in the UK region with Exp-C LAN 1 and Exp-E LAN 1 in the same subnet. Is this a security flaw, and can it lead to something slipping through the cracks?

In the Expressway configuration design guide, it shows the deployment like this: LAN 1 of Exp-C and Exp-E are in different subnets and there is a firewall between them. In my setup we have LAN 1 of both Exp-C and Exp-E in the same subnet.



Nithin Eluvathingal
VIP Mentor

It's not mandatory that you see the same setup described in the document at every customer site. Some customers may have only a perimeter firewall. Some may have a firewall between the DMZ and the local LAN.

I have a client who has no firewall in between the E and C, same as your setup, with both the E internal NIC and C in the same subnet, and a client whose E and C are in different subnets and use a firewall in between. All these sites are working fine without any security issues.

If your Expressway configuration is not good, an outside person can make toll fraud calls. We do hardening by a combination of search rules and CPL.

Go through the Cisco Live documents to learn more about how to make Expressway secure.




What exactly does the highlighted line below imply? How can Exp-E validate and forward the traffic between the isolated subnets? If I am correct, it is implying the traffic to Exp-C.



You can have a single-NIC or a dual-NIC setup. It's about when to use the dual-NIC configuration.

Go through the Cisco Live document below. It's an old one; you can search for the latest version.




Thanks, but my question isn't about single-NIC and dual-NIC setups.
It was more about isolating Exp-C and Exp-E as per the Cisco guide; I just wanted to make sure we have no crack open.

As mentioned, I have sites running both scenarios. How secure your Expressway deployment is, is based on how you configure it.



If you can put a firewall in between the DMZ and LAN, go for the design mentioned in the document, because it's the recommended design. If you have no option to keep a firewall in between, go with the same design you have.

Make sure you have tight search rules and CPL.



