07-09-2008 11:56 AM - edited 03-06-2019 12:06 AM
Hope someone can make a recommendation:
What is the best practice for the upstream connection at an Internet datacenter colo?
The connection from the ISP is an ethernet cable.
One option is to use a catalyst switch with a routed port. Traffic would then be routed to an ASA firewall.
Another option is to use the ASA directly as the edge device to connect directly to the ISP.
Which do you think is better?
07-09-2008 12:04 PM
I would personally have the connection from the ISP connect to a switch. Create a VLAN on this switch. Put the outside firewall and the ISP connection into this VLAN.
1. You maintain physical security
2. You can utilize this switch for failover & stateful failover
3. You can also use this switch for DMZ connections and keep it totally separate from the inside environment.
4. You can also terminate other ISP connections on this switch.
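The layout described in the reply above (ISP hand-off and the ASA outside interfaces in one isolated Layer 2 VLAN on the switch, with no SVI so the firewall is the only Layer 3 edge device), as an added configuration sketch that is not from the original thread or either poster. Interface names, the VLAN number 900 and the 203.0.113.0/29 addresses are assumed placeholders.

```cisco
! Catalyst: Layer 2-only VLAN for the ISP hand-off (assumed VLAN 900)
vlan 900
 name ISP-HANDOFF
!
! The ISP cable lands here: access port, no trunk negotiation,
! no CDP toward the provider, BPDU guard in case the far end talks STP
interface GigabitEthernet1/0/1
 description ISP-A hand-off
 switchport mode access
 switchport access vlan 900
 switchport nonegotiate
 no cdp enable
 spanning-tree bpduguard enable
!
! ASA outside interfaces (active and failover peer) in the same VLAN
interface GigabitEthernet1/0/2
 description ASA-primary outside
 switchport mode access
 switchport access vlan 900
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 description ASA-secondary outside
 switchport mode access
 switchport access vlan 900
 spanning-tree portfast
!
! Keep the hand-off VLAN off the trunk toward the inside network
interface GigabitEthernet1/0/24
 description trunk to inside distribution
 switchport mode trunk
 switchport trunk allowed vlan remove 900
!
! Deliberately no "interface Vlan900": the switch holds no IP address
! on the Internet-facing segment, so it is not reachable from the ISP
! side and the ASA remains the only routed hop at the edge.

! ASA: outside interface on the hand-off segment (assumed addresses;
! 203.0.113.1 is the provider's gateway, .2/.3 the active/standby pair)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
```

A second provider can be terminated the same way in its own VLAN on the same switch, each VLAN pruned from the inside trunks and without an SVI.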
07-09-2008 02:53 PM
Thanks for the reply.
So you are suggesting that the firewall be chosen as the edge device to the upstream provider.
Putting the interfaces in the same VLAN or directly connecting them are essentially the same thing from an architecture perspective.
I tried to keep the description simple by excluding talk of vlans.
The heart of my question is whether a firewall port should be the edge device (route for ISP to send packets) or whether a switch routed port or SVI should be the edge interface.
Thanks again.