Question on users connected to core switches (and future untrusted network)

Oct 13th, 2008

Hi, can you give me your insight regarding this design? Please see attached diagram with question. Thanks

Jon Marshall Mon, 10/13/2008 - 09:35


There is nothing inherently wrong with attaching users into your 6500 switches although in Cisco's hierarchical model users are often placed on separate access-layer switches.

So you have, in effect, collapsed access and distribution functions on the same switches. I can't see, however, how this would affect future placement of a firewall, as you could quite easily place this between the 6500 and the 3845.

It is difficult to be precise without knowing more about your topology, but if you did grant Internet access to users on the 6500, would the Internet pipe not actually be at your HQ site and firewalled anyway?


news2010a Mon, 10/13/2008 - 09:53

Sorry if I did not explain correctly:

Currently the Internet access is granted through the HQ and firewalled.

Then in the future, we may allow the local site to get access directly to the Internet. At that point, as you pointed out, I could place a firewall between the 6500 and 3845.

Just wanted to make sure.


Jon Marshall Mon, 10/13/2008 - 10:03

No problem.

Just for future reference, you could just upgrade the 3845 IOS to run the Firewall feature set (CBAC) so you wouldn't need an additional device.


