06-23-2021 02:16 PM
Hello! I have a Cisco WS-C2960G-24TC-L switch placed outside my firewall. We already have two ISPs but we're now adding a 1Gbps Centurylink fiber link. They are requiring us to provide equipment to route a /30 on the outside to a /27 on the inside. The inside goes to my firewall. My switch isn't currently doing routing and has a single interface for management. This network is 24/7, so I have a few questions to make sure I'm doing this right and don't mess it up royally.
1. The switch currently isn't able to add ip routing. I read that I need to run "sdm prefer lanbase-routing" and reboot the switch. Are there any potential downsides to this?
2. I want to make sure I follow any security best practices. If I enable routing, I want to make sure it doesn't route any traffic through my management vlan. What routes/default gateway/ACLs would I need?
3. Is there any reason it may be better to use either a different model of switch or a second switch?
Thanks!
Andy
06-24-2021 12:12 AM
- In general switches are not good for routing; have the subsequent VLANs (for the segments) terminated at the firewall too and let that handle the routing, or use a separate router on the perimeter, 'closest' to the ISP(s).
M.
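To make the question concrete, here is an added illustration (not from either post, and not a recommended design given the reply above) of what the switch-side configuration would look like if routing were enabled on the 2960 as Andy describes: a /30 uplink VLAN, a /27 transit VLAN toward the firewall, and an ACL that keeps routed traffic away from the existing management VLAN. All addresses, VLAN numbers and ACL names are assumed placeholders; router ACLs on SVIs in lanbase-routing mode should be confirmed against the IOS release actually running on the switch.

```cisco
! Assumed placeholders: VLAN 100 = ISP /30, VLAN 200 = transit /27 to the firewall,
! VLAN 99 = the existing management VLAN (assumed 10.99.0.0/24), left unchanged.
!
! Step 1: switch to the routing template, then reload. "ip routing" is rejected
! until the new template is active, so this is a maintenance-window change.
sdm prefer lanbase-routing
! (reload here)
!
ip routing
!
interface Vlan100
 description ISP /30 (outside)
 ip address 203.0.113.2 255.255.255.252
 ip access-group NO-MGMT in
!
interface Vlan200
 description Transit /27 toward the firewall (inside)
 ip address 198.51.100.1 255.255.255.224
 ip access-group NO-MGMT in
!
! Once "ip routing" is on, "ip default-gateway" is ignored; the switch uses the
! routing table instead, so the default route must be a static route.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
! The /27 is directly connected, so no further route is needed; the firewall
! (assumed 198.51.100.2) becomes the next hop for everything behind it.
!
! Drop anything that would be routed into the management subnet from either
! routed VLAN; management stays reachable only from its own VLAN.
ip access-list extended NO-MGMT
 deny   ip any 10.99.0.0 0.0.0.255
 permit ip any any
```

Note that enabling ip routing also turns the management SVI (Vlan99) into a routed interface, so without the ACL above the management subnet would become reachable from the ISP-facing VLAN.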