Cisco Support Community
Community Member

connecting core switch to the internet ?

Hi,

We have 2 6506s connected through an EtherChannel trunk.

On these 6506s we have configured a VLAN, a VLAN interface and 2 access ports for 2 ASAs.

These ASAs run in failover mode, but only one ASA is physically connected at the moment.

We want to be more resilient so our provider has provided us with a redundant setup of routers for our internet connection.

However, for this construction they would need a layer 2 connection on our side to have HSRP running.

There are 2 options in my opinion :

- Buy a set of switches to facilitate the layer-2 connection between the routers and to connect the outside of the ASAs.

- Instead of buying 2 new switches, create a new unrouted VLAN on our core 6506s and use access ports for the routers and the ASAs.

But how safe is it to connect the core switch with an unrouted VLAN to the internet router?

In terms of VLAN hopping or other possible attacks?

I think I have to disable DTP, Spanning-Tree, CDP and maybe a lot more?

[attached image: Uitval Scenario's 2e internet lijn.jpg (Dutch: failure scenarios, second internet line)]


6 REPLIES
VIP Super Bronze

Hi,

You don't need to buy a set of switches.  You just need a trunk port between the core1 and core2 6500 switches.  Then create 2 /29 subnets: one connects the 6500 core switches to border routers 1 and 2 with HSRP or VRRP, and the other /29 connects the 6500 core switches to the firewall with VRRP or HSRP.

HTH

Community Member

Hi Reza,

My main concern is security of the layer-2 port when connected to the router.

Any opinion about that ?

VIP Super Bronze (accepted solution)

Hi,

I don't think that is an issue.  You have 2 border routers that face the provider's routers, which is a common setup.  You also have firewalls behind your core routers to protect the internal network.

HTH

Community Member

Hi,

And what about VLAN hopping? Because the 6506 between the router and firewall and the 6506 behind the firewall are the same devices.

Community Member (accepted solution)

If the router and ASA interfaces are all access ports then DTP and VLAN hopping wouldn't be a factor on those interfaces. Then the only place it could happen is in the trunk between the 6506's. That you can mitigate by preventing native (untagged) packets being sent on that link in either direction.

Community Member

So far I have got as far as applying this to secure the port:

 ! layer-2 access port with DTP switched off
 switchport
 switchport mode access
 switchport access vlan X
 switchport nonegotiate
 ! edge port: no BPDUs sent or accepted, skip STP listening/learning
 spanning-tree bpdufilter enable
 spanning-tree portfast edge
 ! limit the MAC addresses learned; drop violating frames without errdisabling the port
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 ! no CDP toward the router
 no cdp enable

Any additions to this?
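As an added example that is not part of this thread (nor Cisco's code), the Python script below encodes the two checks the replies land on: no DTP on any port facing the routers or ASAs, and no untagged path across the inter-6506 trunk that an access-port VLAN could ride. The double-tagging form of VLAN hopping only works when a frame carrying two 802.1Q tags enters on an access port whose VLAN is the native VLAN of a trunk to another switch: the first switch strips the outer tag, the frame crosses the trunk untagged, and the second switch honours the inner tag. So per trunk the script wants either `vlan dot1q tag native` set globally or a native VLAN that no access port uses and that is pruned from the allowed list. The interface names, VLAN numbers and both sample configs are constructed for this example; only the plain `switchport trunk allowed vlan <list>` form is parsed.

```python
import re

# Constructed samples (not from the thread): the inter-6506 trunk and the
# access port toward the ISP router, first weak, then hardened.
# Interface names and VLAN numbers are hypothetical.
WEAK_CONFIG = """\
interface Port-channel1
 switchport
 switchport mode trunk
!
interface GigabitEthernet1/1
 switchport
 switchport mode access
"""

HARDENED_CONFIG = """\
vlan dot1q tag native
!
interface Port-channel1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/1
 switchport
 switchport access vlan 30
 switchport mode access
 switchport nonegotiate
 switchport port-security
 spanning-tree bpduguard enable
 no cdp enable
"""

# Lines every access port facing the router/ASA should carry.
ACCESS_REQUIRED = (
    "switchport nonegotiate",    # DTP off: the port can never become a trunk
    "no cdp enable",             # no topology chatter toward the provider
    "switchport port-security",  # bound the MACs the neighbour may source
)

def parse_ios(text):
    """Split IOS config text into (global lines, {interface: [sub-lines]})."""
    globals_, interfaces, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None
            globals_.append(raw.strip())
    return globals_, interfaces

def vlan_set(spec):
    """Expand an IOS VLAN list such as '10,20,30-32' into a set of ints."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def first_match(lines, pattern, default):
    for line in lines:
        m = re.fullmatch(pattern, line)
        if m:
            return m.group(1)
    return default

def audit(text):
    """Return (interface, finding) pairs from the VLAN-hopping checks; [] means clean."""
    globals_, interfaces = parse_ios(text)
    tag_native = "vlan dot1q tag native" in globals_  # native VLAN is tagged too
    findings = []
    # Access ports first: the trunk check needs the VLANs an attacker on an
    # access port could be sitting in (IOS default access VLAN is 1).
    access_vlan = {n: int(first_match(l, r"switchport access vlan (\d+)", "1"))
                   for n, l in interfaces.items() if "switchport mode access" in l}
    for name, lines in interfaces.items():
        if name in access_vlan:
            findings += [(name, f"missing '{r}'") for r in ACCESS_REQUIRED if r not in lines]
            if access_vlan[name] == 1:
                findings.append((name, "access VLAN left at default 1"))
            if not any(l.startswith("spanning-tree bpdu") for l in lines):
                findings.append((name, "no BPDU guard/filter on an edge port"))
        elif "switchport mode trunk" in lines:
            if "switchport nonegotiate" not in lines:
                findings.append((name, "trunk still sends DTP"))
            native = int(first_match(lines, r"switchport trunk native vlan (\d+)", "1"))
            # Only the plain 'allowed vlan <list>' form is parsed (simplification).
            spec = first_match(lines, r"switchport trunk allowed vlan ([\d,\-]+)", None)
            allowed = vlan_set(spec) if spec else set(range(1, 4095))
            if spec is None:
                findings.append((name, "allowed VLAN list not pruned"))
            # Double tagging needs untagged native-VLAN frames crossing the trunk
            # AND an attacker-reachable access port in that same VLAN.
            if not tag_native and native in allowed:
                exposed = [p for p, v in access_vlan.items() if v == native]
                what = (f"used by {', '.join(exposed)}: double-tagging path" if exposed
                        else "crosses the trunk untagged")
                findings.append((name, f"native VLAN {native} {what}"))
        elif "switchport" in lines:
            findings.append((name, "no explicit switchport mode: DTP-dynamic port"))
    return findings
```

`audit(WEAK_CONFIG)` returns eight findings (DTP on both ports, native VLAN 1 untagged on the trunk while the router port also sits in VLAN 1, an unpruned allowed list, and the missing edge-port hardening); `audit(HARDENED_CONFIG)` returns an empty list. The hardened sample uses `spanning-tree bpduguard enable` rather than interface-level `bpdufilter` on the edge port: bpduguard errdisables the port the moment a BPDU arrives, whereas interface-level bpdufilter stops sending and receiving BPDUs altogether and so would hide rather than report a loop through the provider's equipment.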
