Multiple Internet Connections through switch then firewall...

peter1550
Level 1

I am trying to consolidate the number of potential failures on my network by removing an extra router in my setup if possible.

Currently, I have two internet connections coming in.  One for public internet, and one for private internet (MPLS).  Both connections are routed over /30 networks.  In this example, I'll say my public internet comes in on the 1.1.1.1/30 network, and my private network comes in on the 10.255.0.0/30 network.  The public network has a network range of 2.2.2.2/28 routed over it for public IP use locally.  The private network has the 10.0.0.0/16 network routed over it for local IPs at the given site.  See attached image for a better visualization.

There are two Cisco devices currently set up in order to make this work: a Cisco 3560C and a Cisco 3750.

I'd like to remove the Cisco 3560 out of the equation, but I cannot figure out a good way to remove it and keep the routing tables such that I can route the MPLS traffic through my firewall. I'd like to keep the IPs 1.1.1.2 and 10.255.0.2 as IPs on my switch so that I can access the switch remotely if my firewall went down.  I would use ACLs to only allow access from certain locations as a security measure.

Any ideas on how I can get the desired setup to work?  Or should I take a whole different approach?  

Your insight and comments would be greatly appreciated!  Thanks in advance!

3 Replies

Dennis Mink
VIP Alumni

From a security point of view you would want to keep these two connections physically separated.

Why can't you plug the internet and MPLS into 2 separate physical outside ports on your firewall?

Alternatively, run a trunk between your switch and FW and use separate VLANs for MPLS and Internet and terminate the 1.1.1.2 and the 10.255.0.x on your firewall.

Please rate if useful


Dennis -- Thank you for your reply.

I agree, physical separation is a better security model.

The firewall is a virtual machine, and thus the VM host is connected to the Cisco 3750 switch.  I am using VLANs to segment all the various segments of traffic.  I have a VLAN for the internet, the MPLS, the LAN, and the other network segments.

I originally set it up with 1.1.1.2 and 10.255.0.X terminating on my firewall.  However, the challenge I ran into was if the firewall VM was down or the VM host was down I was unable to manage these remote networks.

In order to set up a more fault tolerant network, I was thinking I would terminate those IPs on my switch directly.  This would allow me to access the network from specific IPs if my VM was down.  I would use ACLs to control access to my switch in order to secure it.

I am trying to figure out the following:

  1. Is it possible to create a routing table only applicable to a port? If I could have a port routing table, I believe I could set up another /30 network between my switch and my firewall to route all the 10.0.0.0/16 traffic from that port to my firewall without messing up the existing 10.0.0.0/16 traffic that exists already on the switch.
  2. If 1 is not possible or highly complex, is there a way to have an IP on my switch and on my firewall so that I can achieve the same results?
  3. If 1,2 are not possible or advisable, what recommendations do you have to have a resilient remote network?

Thanks in advance.

One way of keeping the routing tables separate on the same physical L3 device is through the means of VRFs.

Please rate if helpful

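To illustrate the VRF-lite approach from the last reply, here is an added Cisco IOS configuration sketch for the 3750 that is not from this thread. It keeps the MPLS /30 (10.255.0.0/30) in its own VRF so the switch can hold 10.255.0.2 for out-of-band management while all 10.0.0.0/16 traffic is still forced through the firewall; the interface names, the VRF name, the switch-to-firewall transit /30 (10.255.1.0/30 on VLAN 200) and the management host 203.0.113.10 are assumptions, not values from the post.

```cisco
! Added example (not from the thread): VRF-lite on the 3750 so the MPLS-side
! routing table never mixes with the LAN (global) routing table.
ip routing
!
ip vrf MPLS
 description Private MPLS side; isolated from the global LAN table
!
! Physical uplink to the MPLS provider (interface name is an assumption)
interface GigabitEthernet1/0/1
 description MPLS provider /30
 no switchport
 ip vrf forwarding MPLS
 ip address 10.255.0.2 255.255.255.252
!
! Transit /30 toward the firewall's MPLS-side interface (assumed 10.255.1.0/30).
! The firewall VM owns 10.255.1.2 in VLAN 200.
interface Vlan200
 description MPLS transit to firewall
 ip vrf forwarding MPLS
 ip address 10.255.1.1 255.255.255.252
!
! Inside the VRF: the site LAN block is reachable only via the firewall,
! everything else goes back to the provider. Nothing here leaks into the
! global table, so existing 10.0.0.0/16 SVIs on the switch are untouched.
ip route vrf MPLS 10.0.0.0 255.255.0.0 10.255.1.2
ip route vrf MPLS 0.0.0.0 0.0.0.0 10.255.0.1
!
! Management plane: only the named remote host may open SSH to the switch.
! 203.0.113.10 is a constructed placeholder for your management source.
ip access-list standard MGMT-HOSTS
 permit 203.0.113.10
 deny   any log
!
line vty 0 4
 ! "vrf-also" is required, otherwise sessions arriving on a VRF interface
 ! (i.e. via 10.255.0.2) are silently rejected by the access-class check.
 access-class MGMT-HOSTS in vrf-also
 transport input ssh
```

The firewall then needs a route for the remote MPLS sites pointing at 10.255.1.1, and the same pattern (a second VRF holding 1.1.1.2 and a transit VLAN to the firewall's outside interface) can be applied to the public /30 if you want that management address on the switch too.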