Yes, commonly known as a backdoor, but with ACLs.

Sorry to ask another question but when you say public and private networks are you talking about the IP addressing ?

If so I assume  the firewall(s) currently handle the NAT so where would it be done if you bypass the firewall ie. assuming a Cisco switch, most cannot do NAT unless of course you are using a 6500 switch.

Jon

I'll draw up a picture.

All those VLANs are public Internet connections to tenants with their own public /30. That connects to their FW and they manage their own LAN behind it. The one tenant/Vlan in question is, VlanC and it's private side circled in red.

VlanC is the tenant public/Internet connection to their FW, then the inside LAN is behind the FW to a LAN switch, that LAN switch is connected back to the public switch, with a separate Vlan that also has another connection connecting another private LAN switch (on the same subnet/network), then on to private servers.

The whole red circled path is using the FW for any NATs.

So, that private LAN traffic transverses the WAN switch, where Publilc traffic is.

That is a crude drawing and shows none of the redundancy.

Okay think I follow now.

So you are simply connecting two private LANs for the same tenant together but via the public switch which is on the other side of the firewall.

In which case it comes down to how secure are vlans at segregating traffic and the answer depends on who you ask :)

But if I understand correctly no one from the internet can route to the private LANs because they are on private IPs so they would still have to go via the public IPs which means they would have to go via the firewall.

In which case I would personally not worry too much as the only risk I can see is if the switch itself is compromised which is unlikely I would  have thought.

If I have misread the diagram then by all means clarify.

Jon

Thanks for the replies Jon. It's not really two private LANs it would be the same LAN using the public switch for more switch ports.

And yes, the LAN in question would go through the FW for any public access/NAT.

I would do everything to keep the switch from being compromised of course since it's directly on the Internet. But in the event it was ever compromised each public Vlan could lose connectivity or some other malicious situation, but every single one of those private LANs data would be protected by their own firewalls and this one Vlan would be passing unprotected and unencrypted data across the compromised switch.

To me that seems like enough of a risk that an engineer would not design this in a customer's network. It also seems that no customer would want their unencrypted private data flowing across a public switch connected directly to the Internet.

I always ask myself if I would do that to my own network/data. In this case I would not. Would you?

Yes if the switch was compromised the data is not being protected by a firewall. 

And personally speaking I would not design it this way if given the choice and if you have the choice then I would say don't do it. 

But then you don't always have the choice so asking yourself whether you would do it or not is sometimes irrelevant. 

Jon