05-08-2007 01:32 PM - edited 03-03-2019 04:53 PM
Let me just clarify one more point:
MyHeadQuarters controls Internet access, content filtering, etc as shown below:
(Internet Headquarters)-->[border router Headquarters]-->[firewall HeadQuarters]-->{DS-3 to MPLS provider}++MPLS Cloud++{<---Fiber to ChildCompany}<-ChildCompanyRouter7200 <-4500 Core Switch_ChildCompany
In this case, is it necessary to keep the ChildCompanyRouter7200 as a best practice?
Or should I instead plug the eventual fiber/Ethernet cable, which will
replace the {T1 to MPLS provider}, directly into the 4500 Core Switch_ChildCompany?
We discussed before that it is the best security practice to keep an edge router and not connect
the "external" connection directly to the core switch, because in case of DoS attacks, things may
look rough and unstable if plugged directly into the core switch. I totally agree.
However, in this case, to my understanding all my connectivity and filtering is done by the MyHeadQuarters edge devices. Am I right, or are there other risk factors I am missing here when connecting the ChildCompany to the MPLS WAN provider?
05-08-2007 03:23 PM
As mentioned before, I think it all boils down to where you run router-like features such as NAT or FW, or VPN if you have it.
The 4500, unlike the 6500/7600, does not have hardware modules to support these functions; in that case you need a router anyway.
But once again, as you don't need these at the child company, the switch alone will do. The Internet has already been firewalled/NATed at the headquarters, so there is no attack that you should worry about.
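To make the "switch alone" option concrete, here is an added configuration example (not posted in this thread, and not a Cisco reference configuration) for terminating the provider fiber on a routed port of the Catalyst 4500. It assumes hypothetical addressing: headquarters uses 10.10.0.0/16, the child company uses 10.20.0.0/16, the point-to-point link to the provider PE is 172.16.1.0/30 with the PE at 172.16.1.1, and the uplink is GigabitEthernet1/1. Even with all firewalling and NAT done at headquarters, the switch still owns an interface facing the provider cloud, so the example keeps a plain ingress ACL: it rejects packets that arrive from the provider claiming a child-company source (anti-spoofing), allows only the PE to talk to the switch's own link address, and passes everything else destined to the child prefix (HQ traffic and Internet replies that the HQ firewall has already inspected and un-NATed). Stateful inspection or NAT is not attempted here; if either is needed at the child site, that is the case the answer above describes where a router or firewall stays in the path.

```cisco
! Catalyst 4500 core switch, child-company site.
! Provider fiber terminates directly on a routed port; no 7200 in the path.
! All addresses, prefixes and interface names below are assumptions.
!
ip access-list extended MPLS-IN
 remark Anti-spoof: nothing from the provider cloud may claim a child-company source
 deny   ip 10.20.0.0 0.0.255.255 any log
 remark Only the provider PE may address the switch's own link interface
 permit ip host 172.16.1.1 host 172.16.1.2
 deny   ip any host 172.16.1.2 log
 remark HQ traffic and Internet replies (already firewalled/NATed at HQ) to the child prefix
 permit ip any 10.20.0.0 0.0.255.255
 remark Anything else arriving over the provider link is dropped
 deny   ip any any
!
interface GigabitEthernet1/1
 description MPLS provider fiber hand-off (direct to core, no edge router)
 no switchport
 ip address 172.16.1.2 255.255.255.252
 ip access-group MPLS-IN in
 no ip redirects
 no ip proxy-arp
 no ip unreachables
!
! Default route toward the provider PE; HQ is the only exit to the Internet
ip route 0.0.0.0 0.0.0.0 172.16.1.1
!
! Child-company internal VLAN (layer-3 SVI on the core)
interface Vlan20
 description Child-company user network
 ip address 10.20.1.1 255.255.255.0
```

The `log` keyword is kept only on the two deny lines that indicate something abnormal (spoofed sources and unsolicited traffic to the link address); logging the final `deny ip any any` on a fiber-speed link would punt hits to the switch CPU, which is exactly the kind of load a core switch without a router in front of it should avoid.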
05-08-2007 01:43 PM
But, to give a sense of scale, which 7200 do you have? Anything less than an NPE-400 is probably inadequate for fiber access speeds.
05-08-2007 02:11 PM
If the design is right and keeping a router is recommended there, I can put in NPE/NSE modules, which should handle the fiber Ethernet speed alright. You can assume that is the case.