03-17-2015 07:53 AM - edited 03-07-2019 11:07 PM
i have a 48 port layer 3 switch and want to use
1- internet connectivity with the ISP as data center is giving 1/10 Gig termination port .
2- want to create Vlan on few ports that would be exposed to public
3- want to create vlan for internal use machines with dual Ethernet one exposed to public and other for internal use
3- want to make a dmz zone for some services like Email , DB want to host there . Firewall will use one ip from public vlan and other with DMZ. connected .
can say i want to use one switch to replace 3 switches and one router .
please recommend me any reservations on application level gateways or other anything .
Thx
Ali
Solved! Go to Solution.
03-17-2015 08:04 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
Reservations:
Most small L3 switches might not have FW features nor might they support NAT.
03-17-2015 08:54 AM
Ali
Then I can only say what I have already said.
It is a very bad idea.
It doesn't matter that the switch is not doing any L3 routing between vlans, all internet traffic gets to your switch before it goes through any firewall so your switch has no protection from the internet.
You will always get better protection with different physical switches but at the very least you want a L2 switch (or L3 but no routing) to connect the ISP to the outside of your firewall in a dedicated vlan.
Then if you want you can have your internal network and the DMZs on the same switch because all traffic to any devices connected to this switch have to go through the firewall.
Even that is less secure than having different switches for your DMZ and internal networks but it is a design some people choose and is definitely a lot more secure than what you are proposing.
Jon
03-17-2015 08:03 AM
Ali
So you want to use one switch for the internal, DMZ and external vlans, is that correct ?
If so, put simply, don't do it.
Basically your switch is now exposed to the internet before traffic has to go through the firewall.
So even if they could not access the switch a simple denial of service to a public IP and all that traffic has to go through the switch before it gets to the outside interface of your firewall. And your entire network is sitting on this switch.
If I have misunderstood what you are trying to do then please clarify but from what you have described it is a very bad idea.
Jon
03-17-2015 08:25 AM
Dear Jon,
Actually
i want to host a SBC session boarder controller in this scenario i have layer 3 switch
1- which i want to use for internet connection
2- i will allocate 8 port to a vlan which will be exposed to internet
- SBC which is itself firewall enabled will expose to internet
- a watch gurad firewall will occupy ports and will exposed to internet all other internal network will be behind firewall but same time will use private Vlan say 8 ports .
3- server ports that use public ip yes they will be exposed .
you are right switch will be exposed to internet but vlans i am creating on it will no talk to each other and no inter vlan routing on it .
BSC do not need firewall
one firewall is there to hide remaining network
layer 2 Vlan are just using to save ports or more switches .
or i should use other switches instead this design
thx
ali
03-17-2015 08:28 AM
Ali
Does the ISP connection go to a switchport or directly into either the SBC of firewall ?
Jon
03-17-2015 08:39 AM
yes it goes to the switch port
Ali
03-17-2015 08:54 AM
Ali
Then I can only say what I have already said.
It is a very bad idea.
It doesn't matter that the switch is not doing any L3 routing between vlans, all internet traffic gets to your switch before it goes through any firewall so your switch has no protection from the internet.
You will always get better protection with different physical switches but at the very least you want a L2 switch (or L3 but no routing) to connect the ISP to the outside of your firewall in a dedicated vlan.
Then if you want you can have your internal network and the DMZs on the same switch because all traffic to any devices connected to this switch have to go through the firewall.
Even that is less secure than having different switches for your DMZ and internal networks but it is a design some people choose and is definitely a lot more secure than what you are proposing.
Jon
03-17-2015 08:04 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
Reservations:
Most small L3 switches might not have FW features nor might they support NAT.
03-17-2015 08:12 AM
Joe
He has a firewall as mentioned in the original post.
But even if he didn't and even if the L3 switch supported firewall features and NAT it is still an incredibly bad idea.
Jon
03-17-2015 09:38 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
John I did see the FW mentioned in the OP, but the way it was worded, especially in context of the whole OP, it wasn't clear to me whether the FW was a separate device or whether the FW function was also desired on the same switch. In case the latter, I thought it worthwhile to mention that was another feature not found on many small L3 switches, although, of course, sometimes found on larger L3 switches.
03-17-2015 10:08 PM
HI,
inside firewall 10/100 FE =1
SBC = 2
SERVERS = 6-8
- problem is this SBC is not recommended behind firewall
- Wanted to save router or router with firewall ios will work i think
- firewall will be much expensive with 10 gig ports
Placing new 3850 with different modules some having 10 gig and some fibre .
ANy idea
THANKING IN ADVANCE
ali
03-18-2015 03:16 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
I'm of a different mind then Jon, as I'm not as concerned about exposing your L3 switch to the Internet. However, I'm assuming you know how to "harden" it and also assume you realize that even a "hardened" switch, especially a LAN switch, might be more likely to have some exploit that can breach it.
When it comes to hardening your switch, besides the obvious need for ACLs to block traffic from going where it shouldn't, especially directed to the switch itself, you might also use private VLANs and/or VRF capabilites to further contain what's exposed to different ports and/or logical segments within your switch.
[edit]
PS:
Oh, BTW, I don't mean to make light of Jon's concerns. The additional risks of doing this are indeed real. Jon's mention of some DoS attacks can be especially difficult to deal with. Yet, again, if you understand this, and work to minimize the risk, what you desire to do might be acceptable for you, while not being acceptable for someone else.
03-18-2015 07:28 AM
You are asking the same question but expecting a different answer :-)
Firstly I assume you are never going to be audited because if you are this would never pass.
Joe and I disagree on this one (a rare occurrence !) but I can only stress that this is like running a cable direct from the internet to the core of your network. It doesn't matter that you have a firewall or SBC servers, the first point of contact is the switch which is hosting all your internal servers.
Apart from DoS any bug in your switch (and we see a number of issues with 3850s all the time on here) could mean it is has the potential to either crash taking down your entire network or, rather worse, allow traffic between vlans without having to go via the firewall.
The switch that connects to the ISP should be running minimal features, it only needs to switch traffic and that's it. But you are probably going to be running multiple features designed for LAN usage and with it you bring extra risks.
Firewalls are there to protect your internal infrastructure and so are designed to be secure, 3850 switches don't have the same requirements.
In the end, again as Joe says, it's up to you and you may never have any problems with it but it is not something I would ever consider doing.
Jon
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide