Using ports on core switch to split ISP connections?

2ndcongress
Level 1

Posting to ask for advice on a switching/security question. 

We have a datacenter with two ISPs.  We want to split the ISP connections so that we can effectively share these ISP connections at the outside edge of our network.  I have done this in the past by using a dedicated 3750 switch to create two sets of L2 access switch ports in separate VLANs (one for each ISP) and it worked great.

In this particular circumstance, we want to accomplish the same thing using dedicated L2 VLANs on our 3850 core stack.  Why? 1) The 3850 ports on the core switch are the fastest, most resilient switch ports available; 2) Doing so would be substantially less expensive than dedicating two 10-gig-capable switches for this; and 3) The current ISP hand-offs are 1-Gig and we want the ability to upgrade them to 10-Gig in the future without having to swap out (dedicated ISP access) switches in the future.

Have read a number of great posts on this subject however in most cases the original poster intended to have traffic flow *through* the core switch in one way or another.  What we are contemplating here is to simply carve out some ports on the core switch and use them as if they were small, dedicated switches.  For each ISP we would have the following:  A VLAN dedicated to each ISP and not used anywhere else. The VLANs would not be configured with an IP address.  The ports in each VLAN would be configured as "switchport mode access."

Would this raise flags in a security audit?  It doesn't seem VLAN hopping would be possible, and there are no trunk-related vulnerabilities because there are no trunks.  There will be ASA firewalls downstream capable of DoS detection and blocking.  We have BGP, so if there is a serious problem with one ISP, traffic will flow to the other.  So what damage could someone on the outside possibly do to the core switch in this case?

I would really appreciate thoughts or suggestions for alternative ways to accomplish this on a 3850 stack with IP-Base.

Attached is a diagram of the proposed configuration.

Many thanks.
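
The audit question above comes down to a handful of checkable properties on the core stack's running-config: the ISP VLANs have no SVI (the core never routes for that segment), every port in them is a hard-coded access port with DTP disabled and BPDU guard on, and the VLANs are pruned from every trunk on the stack, since an IOS trunk carries all VLANs by default and that is what would turn the "carved-out switch" back into part of the core's L2 domain. The script below is an added example, not part of the original post and not a Cisco tool; it parses an IOS-style config and reports which of those properties fail. VLAN numbers 901/902, the interface names and both config snippets are constructed for the example.

```python
"""Audit the ISP hand-off VLANs carved out of a core switch (example code).

Checks, per the design in the post: no SVI on an ISP VLAN, hand-off ports are
explicit access ports with DTP off and BPDU guard on, and no trunk carries an
ISP VLAN. All names, VLAN numbers and config text below are constructed.
"""
import re

ISP_VLANS = {901, 902}  # constructed: one VLAN per ISP, used nowhere else

# Constructed "good" config: two access ports for ISP-A, a pruned trunk, an SVI
# on an unrelated VLAN.
HARDENED_CONFIG = """\
vlan 901
 name ISP-A-HANDOFF
vlan 902
 name ISP-B-HANDOFF
!
interface GigabitEthernet1/0/45
 switchport access vlan 901
 switchport mode access
 switchport nonegotiate
 spanning-tree bpduguard enable
 storm-control broadcast level 1.00
!
interface GigabitEthernet1/0/46
 switchport access vlan 901
 switchport mode access
 switchport nonegotiate
 spanning-tree bpduguard enable
 storm-control broadcast level 1.00
!
interface TenGigabitEthernet1/1/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
"""

# Constructed "slipped" config: an SVI on the ISP VLAN, DTP left on one port,
# and a trunk at the IOS default (every VLAN allowed), so 901/902 leak.
WEAK_CONFIG = """\
interface Vlan901
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet1/0/45
 switchport access vlan 901
 switchport mode access
 spanning-tree bpduguard enable
!
interface TenGigabitEthernet1/1/1
 switchport mode trunk
"""

REQUIRED_ACCESS_LINES = (
    "switchport mode access",          # never dynamic auto/desirable
    "switchport nonegotiate",          # DTP off: port cannot become a trunk
    "spanning-tree bpduguard enable",  # ISP gear must not join our STP domain
)


def parse_blocks(config):
    """Split IOS-style text into (header, [indented lines]) sections."""
    blocks, current = [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None  # '!' ends a section in IOS output
        elif raw.startswith(" "):
            if current is not None:
                current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            blocks.append(current)
    return blocks


def expand_vlan_list(spec):
    """'10,20-22,30' -> {10, 20, 21, 22, 30}"""
    vlans = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def trunk_allowed(body, vlans_of_interest):
    """Which of vlans_of_interest a trunk carries, per IOS 'allowed vlan' rules."""
    carried = set(vlans_of_interest)  # IOS default: all VLANs allowed
    prefix = "switchport trunk allowed vlan"
    for line in body:
        if not line.startswith(prefix):
            continue
        spec = line[len(prefix):].strip()
        if spec == "none":
            carried = set()
        elif spec.startswith("except "):
            carried = set(vlans_of_interest) - expand_vlan_list(spec[7:])
        elif spec.startswith("add "):
            carried |= expand_vlan_list(spec[4:]) & set(vlans_of_interest)
        elif spec.startswith("remove "):
            carried -= expand_vlan_list(spec[7:])
        else:
            carried = expand_vlan_list(spec) & set(vlans_of_interest)
    return carried


def audit_isp_vlans(config, isp_vlans):
    """Return a list of human-readable findings; empty means the design holds."""
    findings = []
    for header, body in parse_blocks(config):
        if not header.startswith("interface "):
            continue
        name = header.split(" ", 1)[1]
        svi = re.fullmatch(r"Vlan(\d+)", name)
        if svi:
            if int(svi.group(1)) in isp_vlans:
                findings.append(f"{name}: SVI on ISP VLAN {svi.group(1)}; "
                                "core would route for this segment")
            continue
        access = [l for l in body if l.startswith("switchport access vlan ")]
        if access and int(access[-1].split()[-1]) in isp_vlans:
            for req in REQUIRED_ACCESS_LINES:
                if req not in body:
                    findings.append(f"{name}: missing '{req}'")
        if "switchport mode trunk" in body:
            leaked = trunk_allowed(body, isp_vlans)
            if leaked:
                findings.append(f"{name}: trunk carries ISP VLAN(s) "
                                + ", ".join(map(str, sorted(leaked))))
    return findings


if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(f"== {label} ==")
        for f in audit_isp_vlans(cfg, ISP_VLANS) or ["no findings"]:
            print(" ", f)
```

Run against a real `show running-config` export, the three findings the weak sample produces are exactly the points an auditor would raise: an SVI gives the outside segment a path into the core's control plane, a port left at dynamic trunking could be negotiated into a trunk, and an unpruned trunk extends the ISP VLAN across the stack. The `storm-control` line in the hardened sample is not checked but is the usual companion setting for an ISP-facing port.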

1 Reply

This would be best accomplished with TrustSec/SGTs. 

However, this would require an implementation of ISE and no small amount of Change Windows.
