09-20-2020 10:44 PM
Hi all
I found a very strange setup at one of our partners in the network and am wondering what this community thinks about it, specifically about the security of having Internet and private networks on the same link. Here are the details:
- There is an edge router which has three subinterfaces on the inside (customer LAN) interface, realized with different VLAN tags: One for Inside, one for Internet and one for voice.
- At the WAN side of this edge router, there is only one physical interface with a transport subnet IP address assigned.
- Even if the three networks on the inside are tagged with different VLANs, on the outside all three networks are on the same link.
- The routing of the three networks goes via the same routing path. They also share the same default route, which then points to a redundant firewall pair, which is the edge of this "cloud" to the Internet.
I never saw a design like this. In my understanding, at least the different networks (private, Internet, voice) should be tagged with different VLANs on the transport network. Even better would be to have different VRFs within the cloud which separate the three networks into individual entities. With this setup, we have unfiltered Internet access directly on the same physical link as the private network. The only "filter" in between is that it belongs to another subnet and is therefore not routed directly, but from a security point of view it is more than a strange setup.
Did I describe the scenario well enough? If not, let me know; I can create a drawing to make it clearer.
Does this make sense to you guys? I am open to discussion.
Thank you
Markus
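To make the two designs in the post concrete, here is an added Cisco IOS sketch (not from the thread, the partner or any real configuration; interface names, VLAN IDs, RDs and addresses are all assumed) of the edge router as described, followed by the VRF-lite variant the post proposes, where each network also gets its own tagged subinterface and routing table on the transport side:

```cisco
! AS DESCRIBED (assumed names/addresses): tagged subinterfaces inside,
! one untagged WAN subnet, everything in the global table, one default route.
interface GigabitEthernet0/0.10
 description Inside
 encapsulation dot1Q 10
 ip address 10.10.0.1 255.255.255.0
interface GigabitEthernet0/0.20
 description Internet
 encapsulation dot1Q 20
 ip address 10.20.0.1 255.255.255.0
interface GigabitEthernet0/0.30
 description Voice
 encapsulation dot1Q 30
 ip address 10.30.0.1 255.255.255.0
interface GigabitEthernet0/1
 description WAN transport shared by all three networks
 ip address 192.0.2.2 255.255.255.252
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
! PROPOSED: VRF-lite. Each network gets its own routing table, its own
! tagged subinterface on the transport side and its own default route, so
! the Internet segment has no route at all into Inside or Voice.
! "ip vrf forwarding" must come before "ip address" (it clears the address).
ip vrf INSIDE
 rd 65000:10
ip vrf INTERNET
 rd 65000:20
ip vrf VOICE
 rd 65000:30
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip vrf forwarding INSIDE
 ip address 10.10.0.1 255.255.255.0
interface GigabitEthernet0/1.110
 encapsulation dot1Q 110
 ip vrf forwarding INSIDE
 ip address 192.0.2.2 255.255.255.252
ip route vrf INSIDE 0.0.0.0 0.0.0.0 192.0.2.1
! (repeat the LAN subinterface, the transport subinterface and the default
!  route for INTERNET on VLANs 20/120 and for VOICE on VLANs 30/130)
! Check that the global table no longer carries any customer prefix:
! show ip route             (expect: no 10.x.0.0/24 entries)
! show ip route vrf INSIDE  (expect: 10.10.0.0/24 connected, default via 192.0.2.1)
```

The separation only holds end to end if the provider carries the three tags (or VRFs) across its cloud to the firewall; with a single untagged transport, the edge router's separation ends at its WAN port.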
09-21-2020 02:35 AM - edited 09-21-2020 02:35 AM
Sometimes, due to resource constraints, people go that route.
It's router-on-a-stick with different VLAN tagging; with a FW it is ok. Again, I am thinking of your description with visualization.
As you mentioned, they also route traffic to the FW inside and outside; that means they segment the traffic, I guess.
I guess this might have been done some time back and is working, so they carry on with that setup, since we do not see any issue.
When the refresh takes place, we make changes and recommend the best practice that is trending now.
To make it clearer, if you can draw a diagram, it can give us a clearer picture than words.
09-21-2020 03:07 AM
Hi Balaji
Thank you for your reply. I attached a PDF of the situation here. There you can see we have 3 VLANs within the main site, but then the rest of the provider network is just one network without any VLANs or VRFs. Traffic is just routed through the network to their central firewall, but there is no inspection or firewalling anywhere.
Let me know if there are any more questions.
Thank you
Markus