Datacenter upstream connection

aa · ‎07-09-2008

Hope someone can make a recommendation:

What is the best practice for the upstream connection at an Internet datacenter colo?

The connection from the ISP is an ethernet cable.

One option is to use a catalyst switch with a routed port. Traffic would then be routed to an ASA firewall.

Another option is to use the ASA directly as the edge device to connect directly to the ISP.

Which do you think is better?

ralphcarter · ‎07-09-2008

I would personally have the connection from the ISP connect to a switch. Create a vlan on this switch. Put the outside firewall and the ISP connection into this vlan.

1. You maintain physical security

2. You can utilize this switch for failover & stateful failover

3. You can also use this switch for DMZ connections and keep it totally from the inside environment.

4. You can also terminate other ISP connections on this switch.

CCIE 26175
www.techsnips.com

aa · ‎07-09-2008

Thanks for the reply.

So you are suggesting that the firewall be chosen as the edge device to the upstream provider.

Putting the interfaces in the same vlan or directly connecting them are essentially the same thing from an architecture perspective.

I tried to keep the description simple by excluding talk of vlans.

The heart of my question is whether a firewall port should be the edge device (route for ISP to send packets) or whether a switch routed port or svi should be the edge interface.

Thanks again.