Connecting the ISP to a cisco 2960 Switch

liv.manole1 (Level 1)

Hello all,

I have a weird situation on a client's configuration. It seems that the ISP fiber goes directly into a Catalyst 2960 stack. How is that possible? I cannot manage to understand the thinking behind this (whoever did it before me). Which device does NAT? Does it even make sense to connect an ISP cable directly into a switch?

Thank you

4 Replies

Martin L (VIP)


Is this a remote or satellite office? Are there any devices behind that switch? How many IP devices are in that office/area? Do you run MPLS?

1. The ISP setup provides a dedicated L2 or L3 VPN line to that office switch from HQ. You can lease a VPN service to connect remote office(s) to HQ: MPLS over Ethernet, Metro-E, etc.

2. The switch could be a sort of media converter when you do not or cannot connect straight to the router. Then a couple of routers and/or a firewall could be connected to the switch.

3. The ISP handles everything else, like NAT, DHCP and firewall services.

 

Well, the bigger picture would be:

ISP -> 2-switch Catalyst 2960 stack -> (connected through a Port-channel) 3-switch L3 3750X stack -> ASR1001 -> ASA 5525 -> LANs (the ASA is the gateway of the internal management VLAN and of several servers with a lot of VMs)

Yes, I have MPLS.

Basically I have 2 VLANs from 2 different ISPs entering the 2960, both carrying L2VPN tunnels. These two are further transported to the ASR 1001 through the 3750X, and then the traffic has policies applied through the ASA. Also a big question mark (maybe a rookie question): the ASR has two subinterfaces carrying another two VLANs for the same ISP (as backup tunnels), and, keeping that in mind, why are these two VLANs not declared on the Port-channel on the 3750X that I mentioned earlier (apparently the connections are up and running)? To make the story complete, the tunnels communicate with a DR HQ in another city.


It is clearer for me now... I had not seen the possibility that the ISP is doing the NAT through an appliance to which I have no access.

I saw the architecture in a more... best-practice way, if I can say so. Why is the network so upside down (in my head)? Usually you have the ISP entering the router first, where the NATing takes place, and afterwards you have the networks with firewall, switches, servers, etc.

I hope I have not bored you...

Seb Rupik (VIP Alumni)

Hi there,

If the ISP fibre is terminated using an SFP, it is significantly cheaper (££ per switchport) to terminate it onto a switch than onto, say, a router or a firewall linecard. This 'raw' internet connection will be contained within a VLAN that is then tagged towards your perimeter security device. You most likely have a few "xxx-on-a-stick" devices connected to that 2960.

Providing the switchports are placed in the correct VLANs, there is no security risk in this implementation. The only risk would be that the switch is a single point of failure.

cheers,

Seb.

As everyone has mentioned, it sounds as though the ISP is doing everything, including DHCP and NAT for the site. I would wager that no other device on your network is doing this, as without an L3 device you won't get anywhere.

So, it's just broadcasting. As everything will be in the same VLAN, the traffic gets to where it needs to go and all is well. If no other service is necessary, this is... sufficient. Sadly, looking back at it, I had several retail stores that were set up similarly, and am now very disappointed.

Anyway! You could access file servers, application servers and whatnot in this type of environment, as it's very flat (just one VLAN). The ISP connection is in the same VLAN, so broadcasts get out. Simple design.
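Seb's condition that the design is safe "providing switchports are placed in the correct VLANs" is something you can check mechanically, and the flat single-VLAN setup described in the last reply (ISP hand-off and hosts in the same VLAN) is exactly what such a check should catch. The following is an added example, not code from the thread or from Cisco: a small Python audit that reads an IOS-style running-config, treats one VLAN as the ISP hand-off VLAN, and reports an SVI in that VLAN, any access port in it other than the declared ISP port, any trunk that tags it toward something other than the approved uplink, and an approved uplink that is unpruned. The VLAN number (900), the interface names (Gi1/0/1 as ISP port, Port-channel1 as uplink), the two sample configs and the hardening baseline on the ISP port (DTP off, CDP/LLDP off, BPDU guard, storm control) are all assumptions of mine, not details from the thread.

```python
# Added example, not code from the thread or from Cisco. Audits an IOS-style
# running-config for the design Seb describes: the ISP fibre lands on an access
# port in its own VLAN, and that VLAN is tagged only toward the perimeter device.
# Assumed names: VLAN 900, Gi1/0/1, Port-channel1; HARDENING is my own baseline.
HARDENING = (
    "switchport nonegotiate",          # no DTP, the port can never become a trunk
    "no cdp enable",                   # do not advertise the switch to the ISP
    "no lldp transmit",
    "spanning-tree bpduguard enable",  # never join the ISP's spanning tree
    "storm-control broadcast level",   # bound broadcast floods from the hand-off
)

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented sub-commands (stripped)."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(" ", 1)[1].strip()
            stanzas[current] = []
        elif current is not None and raw.startswith(" "):
            stanzas[current].append(raw.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return stanzas

def expand_vlans(spec):
    """'900,905-907' -> {900, 905, 906, 907}; 'none' -> empty set."""
    if spec.strip() == "none":
        return set()
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_isp_vlan(config, isp_vlan, isp_ports, approved_trunks):
    """Return findings as strings; an empty list means the ISP VLAN is contained."""
    stanzas = parse_interfaces(config)
    findings = []
    if f"Vlan{isp_vlan}" in stanzas:
        findings.append(f"Vlan{isp_vlan}: SVI present, switch has an L3 foothold in the ISP VLAN")
    for name, lines in stanzas.items():
        if name.startswith("Vlan"):
            continue
        def first(prefix):  # argument of the first sub-command with this prefix, else None
            return next((l[len(prefix):] for l in lines if l.startswith(prefix)), None)
        mode, access = first("switchport mode "), first("switchport access vlan ")
        allowed = first("switchport trunk allowed vlan ")
        if mode == "trunk":
            if allowed is not None and allowed.split()[0] in ("add", "remove", "except"):
                findings.append(f"{name}: allowed-VLAN form '{allowed}' not evaluated, review by hand")
            elif allowed is not None and isp_vlan not in expand_vlans(allowed):
                continue  # pruned: the ISP VLAN is never tagged on this trunk
            elif name not in approved_trunks:
                findings.append(f"{name}: leaks VLAN {isp_vlan} on a non-perimeter trunk")
            elif allowed is None:
                findings.append(f"{name}: approved uplink but unpruned, add 'switchport trunk allowed vlan'")
        elif access is not None and int(access) == isp_vlan:
            if name not in isp_ports:
                findings.append(f"{name}: unexpected access port in ISP VLAN {isp_vlan}")
                continue
            findings += [f"{name}: ISP hand-off port lacks '{cmd}'"
                         for cmd in HARDENING if not any(l.startswith(cmd) for l in lines)]
    return findings

# Constructed sample configs, not the client's. WEAK has an SVI in the ISP VLAN,
# a user port in it and two unpruned trunks; HARDENED keeps the VLAN contained.
WEAK_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 900
 switchport mode access
interface GigabitEthernet1/0/10
 switchport access vlan 900
 switchport mode access
interface GigabitEthernet1/0/24
 switchport mode trunk
interface Port-channel1
 switchport mode trunk
interface Vlan900
 ip address 203.0.113.2 255.255.255.252
"""

HARDENED_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 900
 switchport mode access
 switchport nonegotiate
 no cdp enable
 no lldp transmit
 spanning-tree bpduguard enable
 storm-control broadcast level 1.00
interface Port-channel1
 switchport mode trunk
 switchport trunk allowed vlan 900,901
 switchport nonegotiate
"""

if __name__ == "__main__":
    print(audit_isp_vlan(WEAK_CONFIG, 900, {"GigabitEthernet1/0/1"}, {"Port-channel1"}))
```

Run it against a saved `show running-config`, passing the hand-off VLAN, the set of ports the ISP actually lands on and the set of uplinks that may carry that VLAN. The `add`/`remove`/`except` forms of `switchport trunk allowed vlan` are reported for manual review rather than evaluated. The check only covers the switch: whether the ISP's own appliance on the far side does NAT, as Martin suggests, cannot be read from the switch config.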
