Best practice Router Position

shaharshad
Level 1

Hi 

In a collapsed layer design network, should the router be attached to the Aggregation / Core switch directly? (i.e. Aggregation Switch --> Router --> Internet)

(Note: Firewall is also attached to a port of switch) 

Alternatively Aggregation Switch -->Firewall-->router-->internet

Thanks 

Arshad

 

Richard Burts
Hall of Fame

Arshad

I would think that firewall > router > Internet would be the more common implementation.

HTH

Rick

The issue is, I have the same set of another equipment. My firewalls are clustered (same config). I want to run iBGP on the routers, as the routers are running eBGP/iBGP and the firewalls are clustered. Is there any way or not? In the 1st approach I have security concerns mainly.

Router---f/w------ agg sw----agg sw---f/w-----router

Thanks

I do not understand what you are saying here. Your original question asked about Best Practices and we have provided answers about Best Practice. Now you seem to be asking about a particular implementation which is not well described.

In my experience it does not make much difference whether firewall is clustered or not in terms of what kind of device connects to what kind of device.

What does running BGP have to do with the order in which devices are connected?

HTH

Rick

devils_advocate
Level 7

Alternatively Aggregation Switch -->Firewall-->router-->internet

If you have a firewall (which you should really) then this is fine for an approach.

I don't see an issue connecting your Internet Edge to the Aggregation switch in a collapsed core model. 

black angel
Level 1

I need help. Currently my company network is like this:

WAN--> Router--> switch | |--> Firewall

which is not secure. I want to change the configuration to:

WAN-->Router-->Firewall--> Switch

Do I need to configure anything on the Router and Firewall? Please help me. Thanks

Your description fails to tell us where the network of users who need to be protected is. Depending on the configuration of VLANs and routing, it is possible that in the topology you describe all user traffic flows through the firewall on its way to the Internet, and in that case I do not see why it would not be secure. But you know more about your network than we do, and if you say that it is not secure then we must work from that assertion.

If you are going to make the change that you suggest then certainly some config changes need to be made. It is likely that interface address changes will be required for the new topology. And likely that some changes in vlans and in routing may be needed. But since we do not know the details of your network we are not able to give you advice on specific changes.

HTH

Rick

Thanks for your quick response. I've attached an attachment. Please have a look. Does it help you to have an idea about my network? Please help me.

Thank you for the additional information. Clearly in the proposed environment all traffic from the switch going to router must go through firewall. As I explained in my previous post, in the original environment, depending on the configuration of vlans and of routing, it is possible that all user traffic going from the switch to the router would still go through the firewall. Or it is possible that some user traffic might go from switch to router without going through the firewall.

So we need more details of the current configuration to advise whether changes need to be made for the new environment.

HTH

Rick

I'm trying to make you understand my network and attached another file. Sorry if I'm unable.

All user traffic will go to the router through the firewall, because I want that no one can access our network from external (WAN).

I would like to add here that I've configured VPN tunneling and OSPF. If I connect the firewall to the router, do I have to configure that router port? Will the physical connectivity ensure the connectivity, or do I have to configure something on the router and the firewall?

The new picture is interesting. It is likely that you will need to change some things in the configuration when you move the firewall. Likely interface address on one or both may change. Probably some changes will be needed on router for routes and perhaps some changes in routes on the firewall.

HTH

Rick

Thanks for the reply. But what type of change do I need here? Do I have to configure the port? I can configure an IP address; do I have to configure anything else additionally? Please help me.
