How would you configure this? VLAN, Tunnel, etc...

Answered Question
Feb 22nd, 2008

I have researched this quite a bit and am not able to find the right answer. I know other people are doing this but I might be overthinking it. Please look at my diagram. I am trying to extend a not so safe network across my Qwest MoE out to the internet with their own firewall and internet connection while keeping their traffic away from the corporate traffic.

I originally thought about extending the VLAN but I don't believe that you can or should extend them across routers or layer 3. My QMoE is essentially transparent at this point and will accept trunking if I wanted to do that though. I have several QMoE sites and am told that all traffic will traverse all sites however and that I shouldn't do that. Qwest offers their EVC solution which would set up a point-to-point link across their QMoE that would probably work but it comes at a cost.

Is there a way I could tunnel the dev traffic across the network or is that not the correct road to go down?

How do other people separate traffic and allow it to traverse private networks separated by routers?

Thanks for your help.

Joseph W. Doherty Fri, 02/22/2008 - 18:08

If your concern is directing the outbound traffic to the correct firewall, this could be done via policy based routing on the router with the firewall links. Inbound, route normally to the destination.

Do you have a concern about mixing traffic on a L3 transit link?

ryanparr9 Mon, 02/25/2008 - 08:25

Yes, the mixing of the traffic is my concern. Do I not need to be concerned about it or will the policy based routing be secure enough?

For instance, if their network was compromised by a virus or hacker, I need to make sure they are not able to access the corporate network.

Thanks!

Correct Answer
Joseph W. Doherty Mon, 02/25/2008 - 16:39

If you don't permit the developer network egress except to the Internet nor allow inbound developer Internet traffic anywhere but to the developer network (i.e. both blocked by ACLs), I believe the risk is very low, just mixing traffic across an L3 transit. Realize, unless you have completely separate network infrastructures, you're already mixing traffic on the same device with VLANs and on the router connected to the two different firewalls. I.e. there's some risk to doing that, but again with proper network device security, generally very low.

ryanparr9 Tue, 02/26/2008 - 14:12

I guess that would seem like a viable solution then and I will try to implement it. As for routing back into the dev network, would I have to place routing policies on the opposite interface of the routing out policy?

Thanks!

Joseph W. Doherty Tue, 02/26/2008 - 16:45

Shouldn't need policies inbound, just ACLs to control where the packets are allowed.

E.g. inbound traffic from the dev firewall should only have a dev destination address. If not, drop it.
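The PBR-plus-ACL arrangement Joseph describes (outbound steering in his first reply, inbound filtering in this last one), written out as an added example in Cisco IOS syntax; it is not from this thread or its participants. All addresses, VLANs and interface names are assumed for illustration: 10.10.0.0/16 is corporate space, 10.99.0.0/16 the developer network, the corporate and developer firewalls sit on Gi0/1 and Gi0/2, and Gi0/0 is the L3 transit toward the other sites.

```cisco
! Added example, not from the thread. Assumed addressing and interfaces:
!   corporate space     10.10.0.0/16   corporate firewall inside 192.168.10.2 on Gi0/1
!   developer network   10.99.0.0/16   developer firewall inside 192.168.99.2 on Gi0/2
!   Gi0/0 is the L3 transit toward the other sites over the Qwest MoE
!
! 1. Where dev traffic enters the router: block any path into corporate space.
!    The inbound ACL is evaluated before policy routing, so PBR never sees it.
ip access-list extended TRANSIT-IN
 deny   ip 10.99.0.0 0.0.255.255 10.10.0.0 0.0.255.255 log
 permit ip any any
!
! 2. PBR match list. Dev-to-dev traffic should follow the normal routing table,
!    so it is denied here (a deny in a PBR ACL means "route normally", not drop).
ip access-list extended DEV-TO-INTERNET
 deny   ip 10.99.0.0 0.0.255.255 10.99.0.0 0.0.255.255
 permit ip 10.99.0.0 0.0.255.255 any
!
route-map DEV-EGRESS permit 10
 match ip address DEV-TO-INTERNET
 set ip next-hop 192.168.99.2
!
interface GigabitEthernet0/0
 description L3 transit to remote sites (corporate and dev traffic mixed)
 ip address 192.168.0.1 255.255.255.0
 ip access-group TRANSIT-IN in
 ip policy route-map DEV-EGRESS
!
! 3. Return path from the dev firewall: only dev destinations are acceptable.
!    Anything else is dropped and logged, so a compromised dev segment cannot
!    be routed toward corporate hosts even if the dev firewall is misconfigured.
ip access-list extended DEV-FW-IN
 permit ip any 10.99.0.0 0.0.255.255
 deny   ip any any log
!
interface GigabitEthernet0/2
 description Link to developer firewall (inside)
 ip address 192.168.99.1 255.255.255.252
 ip access-group DEV-FW-IN in
!
! 4. Mirror on the corporate firewall link: nothing from that side may be
!    routed into the dev network.
ip access-list extended CORP-FW-IN
 deny   ip any 10.99.0.0 0.0.255.255 log
 permit ip any any
!
interface GigabitEthernet0/1
 description Link to corporate firewall (inside)
 ip address 192.168.10.1 255.255.255.252
 ip access-group CORP-FW-IN in
```

`show route-map DEV-EGRESS` shows how many packets were policy-routed, and `show ip access-lists` shows hit counts on the logged deny entries, which is where a dev host probing corporate space would first become visible.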
