Having WAN and LAN traffic on the same switch in separate VLANs?

andrewrocks
Level 1

Hi,

I have a 3560 switch and want to be able to allocate WAN connections to my VMs as well as LAN connections. The easiest way I can think of doing this is to have an access port for the WAN connection and then pass it over trunks to the virtual servers, also passing the LAN traffic where needed.

My question is, is it safe to have WAN and LAN traffic on the same switch in separate VLANs? The WAN traffic would have passed through a router, but no firewall to get into the switch. The only way to access the WAN traffic would be through a firewall, either software (pfSense) or hardware (physical firewalls).

Thanks

Andrew.

13 Replies

Jon Marshall
Hall of Fame

Andrew

The WAN traffic would have passed through a router, but no firewall to get into the switch.

The only way to access the WAN traffic would be through a firewall, either software (pfSense) or hardware (physical firewalls).

These 2 statements seem to contradict each other. Could you clarify?

In answer to your general question, you can use the same switch for LAN and WAN termination if you want. If it's a 3560 switch then i wouldn't make the WAN connection a vlan connection, i would simply make it a routed port ie.

int gi0/1
 no switchport
 ip address x.x.x.x

But when you say safe, what exactly are you asking?

Jon

Gerald Vogt
Level 3

Yes. This works and is safe. VLANs are separated and the 3560 won't pass anything between them unless you set up interfaces in both and route between them. I would not set up an interface in the WAN VLAN but instead only pass it to your firewall. You don't want it to be a routed port. If it was a routed port the 3560 would have to make sure to keep WAN and LAN traffic separated.

If you pass the WAN on L2 only, the firewall would be in WAN and LAN VLANs and route and filter between them...

Julio Garcia
Level 1

It's safe on separate VLANs, but the issue is more psychological -- me personally i would hate it.

andrewrocks
Level 1

Sorry for the delay in reply, I have been away from my desk for a while.

Jon, sorry for not being clear. I was trying to say that the VLAN'd section of the switch would not be routed to any other VLAN, it would only travel through routers to get there.

Could you elaborate on the whole "no switchport" aspect of your answer please? I understand this turns the port into a Layer 3 device, but I don't fully understand what the implications are.

Gerald, that's exactly what I have in mind, thank you for confirming it will be "safe" (i.e. traffic cannot jump from one to the other).

Rob, I agree that it messes with your head a bit, but for me it's worth it as I don't have the budget to buy separate switches for the WAN and LAN side of things.

Andrew

I am still totally confused, but it's probably me.

Gerald suggests terminating the WAN vlan on the firewall, which is what you say you had in mind, but then you say in your original post that the WAN traffic would not pass through a firewall, only routers. So i can't really visualise what your network topology is.

If you do not want to route the WAN vlan on your switch then don't use a routed port on the 3560 as i originally suggested, as this would allow routing between the WAN traffic and the LAN vlan.

Sorry, but i'm really not sure exactly what you are asking.

Jon

Well, I don't know Andrew's exact network topology, but what I thought of was this:

Let's say you have a bladecenter with a couple of VMs running on it. One is supposed to be running as (only) firewall. You have your ISP access router which provides internet.

As all your LAN devices and the bladecenter are connected to your core switch the idea is simply to run the internet connection through the core switch to the firewall instead of running a separate cable from the ISP router into the blade center.

Thus you have a WAN and LAN VLAN on the core switch. The WAN runs through the switch. The WAN traffic comes from the ISP router into the WAN VLAN, through the core switch and into the blade center. On this way it won't go through any firewall or other filtering.

Of course, there will be a firewall before it goes into the LAN. But it's just not physically connected to the ISP router...

Gerald

So the firewall is actually a blade server?

If so, that is not at all safe and should be avoided at all costs. The problem being that a simple denial of service from the internet would have to go through the core switch before getting to the firewall, which could bring down your entire WAN/LAN.

I assumed Andrew was referring to WAN in the sense of remote sites, ie. sites from his company, not the internet.

If this is what you are proposing Andrew then no, it's not safe, because your LAN infrastructure is directly exposed to the internet. Note i'm not saying your LAN devices, because if you set up the vlans and routing correctly the internet traffic could only go to the firewall before being allowed on the LAN; rather i am referring to the actual infrastructure, ie. the switches etc.

Jon

Hi Jon,

That's a really good point I hadn't considered. Would a DoS attack on a 50mbit Internet link be able to affect the 3650 gigabit?

I have a spare ASA 5505 doing nothing. I know absolutely nothing about the ASA devices; would I be able to use this as a firewall that doesn't perform NAT or any other changes other than security?

Thanks for your advice on this.


Andrew

Would a DoS attack on a 50mbit Internet link be able to affect the 3650 gigabit?

Probably not, although if you could get the packets to be software switched then they may have more of an effect. But that was just an example. What if there is a bug in the switch software that when a malformed packet is sent the switch crashes, etc etc.

I'm not saying it won't work, just that you really need to be aware of what you are doing. Personally i wouldn't be comfortable doing it.

I have a spare ASA 5505 doing nothing. I know absolutely nothing about the ASA devices; would I be able to use this as a firewall that doesn't perform NAT or any other changes other than security?

Yes, you don't have to use NAT if you don't want to, or at the very least you can simply NAT to the same addresses. The ASA could be used simply to filter packets and nothing more.

Jon

jon.marshall wrote:

Probably not, although if you could get the packets to be software switched then they may have more of an effect. But that was just an example. What if there is a bug in the switch software that when a malformed packet is sent the switch crashes, etc etc.

That should be extremely unlikely. It would only become relevant if the access router gets hacked and someone has direct access to the layer 2 link between the router and the firewall. Otherwise, general traffic from the internet is layer 3 but the switch is only operating on layer 2 on the link between the router and the firewall. The switch will look at the MAC addresses and the ethernet headers but not the IP headers or the IP content. I think this kind of attack would be only theoretical.

Of course, if the router is insecure it can become an issue.

Gerald

Agreed, which is why i said "Probably not" in an earlier answer.

But that really was just an example. Your LAN infrastructure is open to anything and everything: DoS, malformed packets etc.

Just too big a risk in my opinion, but as we all seem to agree, it could be run like that and nothing might ever happen.

Jon

jon.marshall wrote:

If so, that is not at all safe and should be avoided at all costs. The problem being that a simple denial of service from the internet would have to go through the core switch before getting to the firewall, which could bring down your entire WAN/LAN.

Which I think is very unlikely. Internet speed is usually much lower than the wire speed on the switch. Traffic passes only on layer 2 between two fixed MAC addresses. Switches must not have an interface in that WAN VLAN. A firewall only filters layer 3 anyway.

Thus I don't think a DoS attack on the firewall could really bring down the LAN. It would only affect the firewall, as it always would.

It's definitely not the best setup and not recommended for the long run, but if that's what you can use within your inventory and budget, it's possible and not unsafe.

Of course you have to be careful about the configuration. I think human error is probably the biggest risk in this kind of setup. The configuration must be correct and it should also be failsafe, for example if the switch forgot its configuration and booted up with default configuration, i.e. switching between all ports untagged.
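The conditions Gerald lays out above (WAN VLAN carried at layer 2 only, no switch interface in it, the firewall the only other port seeing it, and a configuration that does not degrade to "everything untagged") can be checked mechanically before the switch goes live. The following is an added example, not code from the thread or from Cisco: it parses a constructed 3560-style configuration (VLAN 20 as WAN, Gi0/1 to the ISP router, Gi0/2 to the blade chassis are all assumptions) and reports every stanza that violates one of those conditions.

```python
import re

# Constructed sample config (not from the thread): ISP link in VLAN 20 at L2
# only, firewall VM reached over the Gi0/2 trunk, switch SVI only in LAN VLAN 10.
SAFE_CFG = """\
interface GigabitEthernet0/1
 description ISP router (assumed)
 switchport mode access
 switchport access vlan 20
interface GigabitEthernet0/2
 description blade chassis, firewall VM has legs in VLAN 10 and 20 (assumed)
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk
interface Vlan10
 ip address 192.0.2.1 255.255.255.0
"""

def parse_interfaces(cfg):
    """Return {interface name: [indented config lines]} for each interface stanza."""
    stanzas, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = stanzas.setdefault(m.group(1), [])
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None  # any other top-level line ends the stanza
    return stanzas

def audit(cfg, wan_vlan, firewall_ports):
    """List the ways this config breaks the L2-only WAN VLAN design; [] means clean."""
    findings = []
    if wan_vlan == 1:
        findings.append("WAN is VLAN 1: a factory-reset switch floods it untagged on every port")
    for name, lines in parse_interfaces(cfg).items():
        if name.lower() == f"vlan{wan_vlan}":
            findings.append(f"{name}: switch has an L3 interface in the WAN VLAN and could route WAN<->LAN")
        if "no switchport" in lines:
            findings.append(f"{name}: routed port, so the switch rather than the firewall routes this link")
        if "switchport mode trunk" in lines:
            allowed = next((l for l in lines if l.startswith("switchport trunk allowed vlan")), None)
            if allowed is None:
                findings.append(f"{name}: trunk allows all VLANs, so WAN VLAN {wan_vlan} leaks onto it")
            elif str(wan_vlan) in allowed.split()[-1].split(",") and name not in firewall_ports:
                findings.append(f"{name}: trunk carries WAN VLAN {wan_vlan} but is not the firewall port")
            native = next((l for l in lines if l.startswith("switchport trunk native vlan")), None)
            if native and native.split()[-1] == str(wan_vlan):
                findings.append(f"{name}: WAN VLAN is native (untagged) on this trunk")
    return findings
```

The allowed-VLAN check only understands comma lists, not ranges like `10-20`; extend it before running it against a real `show running-config`.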

Hi Gerald,

Thanks for this answer.

I think between your answer and Jon's answer I can assess the risks. I think for the short term I will run it as it currently is, but as soon as the budget allows I will install a non-NATing firewall between the WAN and the WAN VLAN.

Thank you for your feedback on this.

Andrew.
