I found a very strange setup at one of our partners in the network and am wondering what this community thinks about it, specifically about the security of having Internet and private networks on the same link. Here are the details:
- There is an edge router which has three subinterfaces on the inside (customer LAN) interface, realized with different VLAN tags: one for Inside, one for Internet and one for voice.
- On the WAN side of this edge router, there is only one physical interface with a transport subnet IP address assigned.
- Even though the three networks on the inside are tagged with different VLANs, on the outside all three networks are on the same link.
- The routing of the three networks goes via the same routing path. They also share the same default route, which points to a redundant firewall pair that is the edge of this "cloud" to the Internet.
I have never seen a design like this. In my understanding, at least the different networks (private, Internet, voice) should be tagged with different VLANs on the transport network. Even better would be to have different VRFs within the cloud which separate the three networks into individual entities. With this setup, we have unfiltered Internet access directly on the same physical link as the private network. The only "filter" in between is that it belongs to another subnet and is therefore not routed directly, but from a security point of view this is a more than strange setup.
Did I describe the scenario well enough? If not, let me know; I can create a drawing to make it clearer.
Does this make sense to you guys? I am open for discussion.
Thank you for your reply. I attached a PDF of the situation. There you can see we have 3 VLANs within the main site, but the rest of the provider network is just one network without any VLANs or VRFs. Traffic is just routed through the network to their central firewall, but there is no inspection or firewalling anywhere.
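As an added illustration of the separation discussed in the thread (this is example configuration, not the partner's actual config), the shared WAN setup beside a VRF-lite variant in Cisco IOS/IOS-XE syntax. VLAN IDs, the 10.x.0.0/24 LAN prefixes, the 192.0.2.0/30 transport subnets and the firewall next hops are placeholders.

```cisco
! Before (as in the thread): one untagged WAN interface, one global default route for all three networks
interface GigabitEthernet0/1
 ip address 192.0.2.2 255.255.255.252
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
! After: VRF-lite, each network tagged and routed on its own across the transport link
vrf definition INSIDE
 address-family ipv4
vrf definition INTERNET
 address-family ipv4
vrf definition VOICE
 address-family ipv4
!
! LAN side: the existing three subinterfaces, now bound to a VRF (vrf forwarding must precede ip address)
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 vrf forwarding INSIDE
 ip address 10.10.0.1 255.255.255.0
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 vrf forwarding INTERNET
 ip address 10.20.0.1 255.255.255.0
interface GigabitEthernet0/0.30
 encapsulation dot1Q 30
 vrf forwarding VOICE
 ip address 10.30.0.1 255.255.255.0
!
! WAN side: one tagged subinterface per VRF instead of a single shared transport subnet
interface GigabitEthernet0/1.110
 encapsulation dot1Q 110
 vrf forwarding INSIDE
 ip address 192.0.2.2 255.255.255.252
interface GigabitEthernet0/1.120
 encapsulation dot1Q 120
 vrf forwarding INTERNET
 ip address 192.0.2.6 255.255.255.252
interface GigabitEthernet0/1.130
 encapsulation dot1Q 130
 vrf forwarding VOICE
 ip address 192.0.2.10 255.255.255.252
!
! Per-VRF default routes: each network has its own next hop on the firewall pair,
! and no route exists between the VRFs unless one is deliberately leaked
ip route vrf INSIDE 0.0.0.0 0.0.0.0 192.0.2.1
ip route vrf INTERNET 0.0.0.0 0.0.0.0 192.0.2.5
ip route vrf VOICE 0.0.0.0 0.0.0.0 192.0.2.9
```

The separation only holds if the provider cloud and the firewall pair carry the same tags or VRFs end to end; if the far side merges them back into one routing table, the VRFs on this router change nothing.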