Bad design ??

dclee
Level 1

Need some guidance....We run a collapsed core with all internal traffic being switched / routed through our 6513E chassis.

All outbound traffic is then passed through an ASA 5555X cluster.

On the internet side, I have a few appliances...Juniper gateway, reverse proxy, VPN appliance, two DMZs as well as the internet service router...The L2 switching is handled via a few 3560 switches which are VLANed and then connect back to the firewall.

I would like to consolidate the internet side and get rid of the layer 2 switches on the outside. I have a spare slot on the 6513E and an extra 6748 line card..

Would it be considered bad design to slice this line card into the various L2 VLANs I need to handle the internet / DMZ side of the firewall?

There would be L2 separation and of course no routing. But physically I would be connecting internet-facing devices into my core switch.

Any security concerns I need to consider?

Any help would be appreciated.

Cheers


Dave

3 Replies

alam
Level 1

Hi,

May I know the reason why you are considering removing the layer 2 switches and connecting the Internet / DMZ side to the core switch?

I think the first thing you need to consider is that if any attack happens from the Internet, it may pass through the core switch when you connect the Internet edge to the core device.

Cheers,

Aqua

Well, the 3560s I have on the outside are single-point-of-failure devices...and I have the spare capacity on the 6513E chassis. Was hoping to dedicate one blade to support the internet side..

But design-wise it just didn't look good on paper...

Any other opinions? Or is this something that just shouldn't be done?

Cheers


Dave

Dave

From a design perspective and from a security perspective I would want separation, both physical and logical, of traffic coming from the Internet and the traffic on the inside of my network. So my reaction to your first suggestion is negative.

I am a big believer in trying to figure out what is the basic problem in a situation and then trying to solve that basic problem. In reading your post it seems that the basic problem that you want to solve is having a single point of failure on the outside of your network. So I would focus on finding solutions on the outside that provide some redundancy. Your original post says that you have a few 3560 switches which are vlanned. Is there some possibility of doing some trunking between the switches, and possibly the ASA in a way that would provide some redundancy?

HTH

Rick

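One way to act on Rick's suggestion of redundancy on the outside rather than moving it onto the core, as an added example and not configuration from the original thread: a constructed Cisco IOS config for one of two outside 3560s, which assumes the VLAN numbers, port numbers and the hostname sw-out-2; the second switch mirrors it, and each ASA cluster unit uplinks its outside interface to a different switch so that losing one 3560 no longer takes down the internet edge.

```ios
! sw-out-1: one of two outside 3560s (constructed example; names and
! port numbers are assumptions). sw-out-2 mirrors this configuration and
! each ASA cluster unit uplinks its outside interface to a different switch.
vtp mode transparent
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
!
vlan 10
 name OUTSIDE-ISP
vlan 20
 name DMZ-1
vlan 30
 name DMZ-2
vlan 999
 name UNUSED-NATIVE
!
! Inter-switch trunk carrying only the outside VLANs, as an EtherChannel
! so one link or module failure does not split the outside layer 2.
interface range GigabitEthernet0/47 - 48
 description Trunk to sw-out-2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
 channel-group 1 mode active
!
! Edge ports: one VLAN each, no DTP, BPDU guard inherited from portfast.
interface GigabitEthernet0/1
 description ISP router
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
!
interface GigabitEthernet0/2
 description ASA outside (cluster unit A)
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
!
interface GigabitEthernet0/3
 description Reverse proxy (DMZ-1)
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 spanning-tree portfast
```

The outside VLANs exist only on these two switches, so none of them ever ride on the 6513E's trunks, which keeps the physical and logical separation Rick describes.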