Internet and inside network on the same link

Hi all


I found a very strange setup at one of our partners in the network and am wondering what this community thinks about it, specifically about the security of having Internet and private networks on the same link. Here are the details:


- There is an edge router with three subinterfaces on the inside (customer LAN) interface, realized with different VLAN tags: one for Inside, one for Internet and one for voice.

- On the WAN side of this edge router there is only one physical interface, with a transport subnet IP address assigned.

- Even though the three networks on the inside are tagged with different VLANs, on the outside all three networks are on the same link.

- The routing of the three networks goes via the same routing path. They also share the same default route, which points to a redundant firewall pair that is the edge of this "cloud" to the Internet.


I have never seen a design like this. In my understanding, at least the different networks (private, Internet, voice) should be tagged with different VLANs on the transport network. Even better would be different VRFs within the cloud that separate the three networks into individual entities. With this setup, we have unfiltered Internet access directly on the same physical link as the private network. The only "filter" in between is that it belongs to another subnet and is therefore not routed directly, but from a security point of view it is a more than strange setup.


Did I describe the scenario well enough? If not, let me know and I can create a drawing to make it clearer.

Does this make sense to you guys? I am open to discussion.


Thank you

Markus
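Added illustration, not part of the thread and not the partner's actual configuration: a constructed Cisco IOS fragment showing the design described above (three tagged LAN subinterfaces, one untagged WAN link, one shared default route) next to the VRF-lite variant Markus suggests, where each network keeps its own routing table and its own VLAN tag across the transport link. Interface names, VLAN IDs, VRF names and addresses are assumed, and the variant only helps if the provider cloud also carries each tag in its own VRF through to the firewall.

```cisco
! Observed design (constructed): three tagged LAN subinterfaces in the global
! routing table, one untagged WAN link, one shared default route.
interface GigabitEthernet0/0.10
 description Inside (private LAN)
 encapsulation dot1Q 10
 ip address 10.10.0.1 255.255.255.0
!
interface GigabitEthernet0/0.20
 description Internet (unfiltered)
 encapsulation dot1Q 20
 ip address 10.20.0.1 255.255.255.0
!
interface GigabitEthernet0/0.30
 description Voice
 encapsulation dot1Q 30
 ip address 10.30.0.1 255.255.255.0
!
interface GigabitEthernet0/1
 description WAN transport shared by all three networks
 ip address 192.0.2.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
! Separated design: VRF-lite gives each network its own routing table and its
! own VLAN tag on the transport link, so Internet traffic never shares a
! forwarding table or broadcast domain with the private LAN. Shown for INSIDE;
! INTERNET (tags 20/120) and VOICE (tags 30/130) follow the same pattern.
vrf definition INSIDE
 address-family ipv4
 exit-address-family
!
interface GigabitEthernet0/0.10
 description Inside (private LAN)
 encapsulation dot1Q 10
 vrf forwarding INSIDE
 ip address 10.10.0.1 255.255.255.0
!
interface GigabitEthernet0/1.110
 description WAN transport for INSIDE only
 encapsulation dot1Q 110
 vrf forwarding INSIDE
 ip address 192.0.2.2 255.255.255.252
!
ip route vrf INSIDE 0.0.0.0 0.0.0.0 192.0.2.1
```

Applying `vrf forwarding` clears any address already on the interface, so it is entered before `ip address`; with the per-VRF default routes, traffic between the three networks can only meet at the firewall, where it can be inspected.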

2 Replies

balaji.bandi
Hall of Fame

Sometimes, due to resource constraints, people go that route.


It's router-on-a-stick with different VLAN tagging - with a FW it is OK - again, going by your description and visualizing it.

As you mentioned, they also route traffic to the FW inside and outside, which means they segment the traffic, I guess.


Hopefully this was done some time back and is working, so they carry on with that setup since we do not see any issue.

When a refresh takes place, we make changes and recommend the best practices trending now.


To make it clearer, if you can draw a diagram, that will give us a clearer picture than words.

BB


Hi Balaji


Thank you for your reply. I have attached a PDF of the situation. There you can see that we have 3 VLANs within the main site, but the rest of the provider network is just one network without any VLANs or VRFs. Traffic is just routed through the network to their central firewall, but there is no inspection or firewalling anywhere.


Let me know if there are any more questions.


Thank you

Markus
