More info on elimination of 7200 router and connection to 4500 core

Answered Question
May 8th, 2007

Let me just clarify one more point:

MyHeadQuarters controls Internet access, content filtering, etc. as shown below:

(Internet Headquarters)
 --> [border router Headquarters]
 --> [firewall HeadQuarters]
 --> {DS-3 to MPLS provider}
 ++ MPLS Cloud ++
 {<--- Fiber to ChildCompany}
 <-- ChildCompanyRouter7200
 <-- 4500 Core Switch_ChildCompany

In this case, is it necessary to keep the ChildCompanyRouter7200 as a best practice?

Or instead should I just plug an eventual fiber/ethernet cable, which will replace the {T1 to MPLS provider}, directly onto the 4500 Core Switch_ChildCompany?

We discussed before that it is the best security practice to keep an edge router and not connect the "external" connection directly onto the core switch, because in case of DoS attacks, things may look rough and unstable if plugged directly into the core switch. I totally agree.

However, in this case, to my understanding all my connectivity and filtering is done by MyHeadQuarter edge devices. Am I right, or are there other risk factors I am missing here when connecting the ChildCompany to the WAN MPLS provider?

Paolo Bevilacqua Tue, 05/08/2007 - 13:43

But, to give things a size, what 7200 is yours? Anything less than NPE-400 is probably inadequate for fiber access speeds.

news2010a Tue, 05/08/2007 - 14:11

If the design is right and keeping a router is recommended there, I can put NPE's/NSE's modules which should handle the fiber ethernet speed alright. You can assume that that is the case.

Correct Answer
Paolo Bevilacqua Tue, 05/08/2007 - 15:23

As mentioned before, I think it all boils down to where you run router-like features like NAT or FW, and VPN if you have it.

The 4500, unlike the 6500/7600, does not have hardware modules to support these functions; in that case you need a router anyway.

But once again, as you don't need these at the child company, the switch alone will do. The internet has been firewalled/NATed already at the headquarters, so there is no attack that you should worry about.
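If the 7200 is dropped and the MPLS fiber handoff lands on the 4500 directly, as the answer above suggests, the one thing the core switch loses is a device in front of it that can absorb or filter junk arriving over the WAN link. The configuration below is an added example written for this thread; it is not from the original posts, from Cisco documentation, or from the poster's network. It shows the minimum hardening a practitioner would put on the WAN-facing port in that design: a hardware-enforced inbound ACL that admits only the traffic the HQ design expects across the MPLS cloud, storm control on the handoff, and management access restricted to HQ. Every prefix, interface name and PE address is a constructed placeholder, and the example assumes the only site speaking to the child company across the MPLS cloud is headquarters.

```cisco
! Added example (not from this thread or from Cisco documentation): hardening the
! WAN-facing port of the child company's Catalyst 4500 when the MPLS fiber handoff
! is plugged into the core switch directly, with no 7200 in between.
! All addresses below are constructed placeholders; substitute the real HQ, MPLS
! and child-company blocks.
!
! Assumptions:
!   10.1.0.0/16      child company LAN prefix
!   10.0.0.0/16      headquarters prefix (the firewall/NAT lives there)
!   10.0.5.0/24      HQ management hosts allowed to reach the switch
!   172.16.0.0/12    MPLS provider PE/CE link addressing
!   172.16.10.1/30   our side of the point-to-point link to the provider PE
!   172.16.10.2      the provider PE on that link
!   GigabitEthernet1/1  the fiber handoff from the MPLS provider

! 1. Infrastructure ACL on the WAN port: only traffic the HQ design expects to
!    traverse the MPLS cloud may enter the core switch.
ip access-list extended WAN-IN
 ! Routing protocol and keepalives from the provider PE to our link address
 permit ip host 172.16.10.2 host 172.16.10.1
 ! Headquarters (already firewalled/NATed there) talking to the child LAN
 permit ip 10.0.0.0 0.0.255.255 10.1.0.0 0.0.255.255
 ! Nothing else may target the link/infrastructure addressing itself
 deny   ip any 172.16.0.0 0.15.255.255
 ! Everything else is dropped. The "log" keyword is deliberately omitted:
 ! in IOS, logged ACL matches are punted to the CPU, which is exactly the
 ! resource a flood over the WAN link would try to exhaust.
 deny   ip any any

! 2. Routed port toward the provider with the ACL applied inbound, plus storm
!    control so a broadcast flood on the handoff cannot saturate the supervisor.
interface GigabitEthernet1/1
 description MPLS fiber handoff (replaces the 7200 WAN link)
 no switchport
 ip address 172.16.10.1 255.255.255.252
 ip access-group WAN-IN in
 storm-control broadcast level 1.00
 storm-control action trap
 no cdp enable

! 3. Management access to the switch itself comes only from HQ management hosts,
!    so the HQ firewall remains the single policy enforcement point.
ip access-list standard MGMT-HOSTS
 permit 10.0.5.0 0.0.0.255
 deny   any
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
```

The ACL is evaluated in the switch's forwarding hardware, so it filters at line rate without loading the supervisor CPU; that is what makes the "plug the WAN straight into the core" design tolerable from a DoS standpoint, provided the ACL stays tight and the "log" keyword stays off the WAN-facing entries. If additional sites are later allowed to talk to the child company over the MPLS cloud, their prefixes need explicit permit lines in WAN-IN; the implicit drop at the end is the point of the design.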
