Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
536
Views
0
Helpful
1
Replies

Configure 2960 switch outside my firewall for routing

Go to solution
sanchezeldorado
Level 1
Level 1

‎06-23-2021 02:16 PM

Hello! I have a Cisco WS-C2960G-24TC-L switch placed outside my firewall. We already have two ISPs but we're now adding a 1Gbps Centurylink fiber link. They are requiring us to provide equipment to route a /30 on the outside to a /27 on the inside. The inside goes to my firewall. My switch isn't currently doing routing and has a single interface for management. This network is 24/7, So I have a few questions to make sure I'm doing this right and don't mess it up royally. 

 

1. The switch currently isn't able to add ip routing. I read that I need to run "sdm prefer lanbase-routing" and reboot the switch. Are there any potential downsides to this? 

2. I want to make sure I follow any security best practices. If I enable routing, I want to make sure it doesn't route any traffic through my management vlan. What routes/default gateway/ACLs would I need?

3. Is there any reason it may be better to use either a different model of switch or a second switch?

 

Thanks!

Andy

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
marce1000
VIP
VIP

‎06-24-2021 12:12 AM

 

 - In general switches are not good for routing  , have the subsequent-vlans (for the segments) terminated at the firewall too and let that handle the routing or use a separate router on  the perimeter, 'closest' to the ISP(s)

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

View solution in original post

0 Helpful
1 Reply 1

Go to solution
marce1000
VIP
VIP

‎06-24-2021 12:12 AM

 

 - In general switches are not good for routing  , have the subsequent-vlans (for the segments) terminated at the firewall too and let that handle the routing or use a separate router on  the perimeter, 'closest' to the ISP(s)

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card