Solved: Router vs L3 Switch for redundant ISP connections

sanchezeldorado · ‎08-09-2022

Hello,

My company ordered dual gigabit fiber internet lines and I'm trying to make it as redundant and secure as possible. I've attached a sample diagram that basically matches what I have. Instead of routers at the Routing layer, we installed a couple of Cisco 3750 switches with routing enabled and I'm managing them from the inside with my management vlan. Both of my ISPs hand me a /30 network and it's my responsibility to route that internally to the external interfaces of my firewalls and SDWAN routers. I have two questions.

First, in a scenario like this, is there any benefit going with a router versus a L3 switch? I need to make a recommendation for either new switches or a couple of routers.

Second, I'm concerned about security. Since the 3750s are connected to my management vlan and have an external IP, if they were compromised, it would be an easy route into the network. What is the best practice here?

Thanks!

ammahend · ‎08-09-2022

You can set the FW as cluster with port channel to upstream switches as outside in unique vlan and port channel to downstream lan as inside in unique vlan. Your management interface won’t be accessible from outside by default so you should be fine.
since you said you are not ruining bgp or importing internet routes and not running NAT on L3 device, your L3 switches should work for most part.

you also have option to keep it the same way but with active-standby setup, but you will pass traffic through only 1 FW at a time.

-hope this helps-

View solution in original post

MHM Cisco World · ‎08-09-2022

this SW not support NAT are you looking for NAT? if Yes then you need to change the SW.

sanchezeldorado · ‎08-09-2022

No NAT needed, and I don't plan to use BGP with the ISP. So if the answer is that I should use a L3 switch, are there any best practices for managing the L3 switch while maintaining security?

ammahend · ‎08-09-2022

You can set the FW as cluster with port channel to upstream switches as outside in unique vlan and port channel to downstream lan as inside in unique vlan. Your management interface won’t be accessible from outside by default so you should be fine.
since you said you are not ruining bgp or importing internet routes and not running NAT on L3 device, your L3 switches should work for most part.

you also have option to keep it the same way but with active-standby setup, but you will pass traffic through only 1 FW at a time.

-hope this helps-

MHM Cisco World · ‎08-10-2022

he receive /30 from ISP, and it connect to L3 SW then use private subnet between L3SW and FW,
so how ISP dial with private IP ???
I dont know how this is solution for this case ?
can any one more elaborate?

sanchezeldorado · ‎08-10-2022

It isn't a private subnet between the L3SW and the firewall. The ISP routes my block of public IPs through my L3 switch to my firewall and SDWAN routers. They just route it to me with a /30 subnet to my switch. I accepted it as a solution because I decided to use L3 switches and don't need to continue the thread.

MHM Cisco World · ‎08-10-2022

/30 give you 4 ip

One is netwrok and other is broadcast and two other ip for host and you have three ISP router and two FW.

That my concern, anyway

Good luck

sanchezeldorado · ‎08-10-2022

The /30 on the outside of my L3 switch is only used for routing purposes. I have a /27 block of public IPs on the inside of my L3 switch. The ISP has a static route to my /27 block with a next hop to the outside of my L3 switch and I have a static default route from my L3 switch to the ISP. My firewall and SDWAN routers use my L3 switch's /27 Ip address as their next hop.

MHM Cisco World · ‎08-10-2022

that excellent,
thanks.