I have a Switch that needs to be able to separate Internal and External IP traffic for Firewall/VPN.
SCENARIO: I have 2 Firewall/VPN devices and an Internet connection plugged into (what I'd like to consider) the External IP ports/VLAN of my switch. The internal ports of the Firewall/VPN devices, along with other equipment, are plugged into the internal ports/VLAN of the switch.
Basically, I have a 24 port switch that needs to have 12 ports on an Internal VLAN and 12 ports on an External VLAN. The Internal VLAN ports will be connecting to our LAN which contains many other VLANs. What is the best configuration to separate the External from Internal ports on the switch, but still allow other VLAN traffic to flow through to the Firewall/VPN devices?
My security guy would be screaming "NO NO NO NO!" at me if I put this in front of him :-)
I would strongly recommend against using the same switch for outside and inside traffic, unless traffic has to pass through another external firewall first.
I would recommend instead to use either a completely separate switch for the outside, or in a pinch, create a DMZ port on your 5510, and connect the outside interface of your "MedTech VPN" to that - negating the need for an outside switch altogether.
If you are dead set on using the switch in this method, then you will need to:
a) Ensure that the switch IOS is kept up to date.
b) Your external VLAN (e.g. 666) should be isolated on this switch - so any trunk links coming off this switch should be prevented from carrying VLAN 666.
c) Switch VTP OFF so that 666 isn't even visible inside.
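Points (b) and (c) above are the kind of thing that drifts after the next trunk change, so they are worth checking against the running-config rather than trusting once. The script below is an added example, not code from the thread or from Cisco: it parses an IOS-style running-config excerpt (the sample is constructed and deliberately contains every mistake the checks look for), computes which VLANs each trunk actually carries (IOS defaults to all VLANs when no allowed list is set, and honours add/remove/except/none keywords), and reports any trunk that still carries the external VLAN plus any VTP mode other than transparent or off. The VLAN number 666 is taken from the answer; interface names and descriptions are made up.

```python
import re
from typing import Dict, List, Set

EXTERNAL_VLAN = 666  # the isolated "outside" VLAN used in the answer above

# Constructed sample running-config excerpt (not from the thread). Gi0/23 is
# pruned correctly; Gi0/24 lists 666 explicitly; Gi0/22 has no allowed list,
# so IOS carries every VLAN on it; VTP is still in server mode.
SAMPLE_CONFIG = """\
vtp mode server
!
interface GigabitEthernet0/1
 description outside - ISP handoff
 switchport mode access
 switchport access vlan 666
!
interface GigabitEthernet0/13
 description inside - LAN
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/22
 description trunk to core, default (all VLANs) allowed
 switchport mode trunk
!
interface GigabitEthernet0/23
 description trunk to core, correctly pruned
 switchport mode trunk
 switchport trunk allowed vlan 10,20-30
!
interface GigabitEthernet0/24
 description trunk to core, NOT pruned
 switchport mode trunk
 switchport trunk allowed vlan 10,20-30,666
"""

ALL_VLANS: Set[int] = set(range(1, 4095))


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [its indented sub-commands]}."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the block
    return interfaces


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand '10,20-30,666' into a set of ints; 'all' means every VLAN."""
    if spec.strip() == "all":
        return set(ALL_VLANS)
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def trunk_allowed_vlans(subcmds: List[str]) -> Set[int]:
    """Compute the VLANs a trunk carries; with no allowed list IOS carries all."""
    allowed = set(ALL_VLANS)
    for cmd in subcmds:
        m = re.match(r"switchport trunk allowed vlan (.+)$", cmd)
        if not m:
            continue
        words = m.group(1).split(None, 1)
        keyword, rest = words[0], (words[1] if len(words) > 1 else "")
        if keyword == "none":
            allowed = set()
        elif keyword == "add":
            allowed |= expand_vlan_list(rest)
        elif keyword == "remove":
            allowed -= expand_vlan_list(rest)
        elif keyword == "except":
            allowed = set(ALL_VLANS) - expand_vlan_list(rest)
        else:
            allowed = expand_vlan_list(m.group(1))
    return allowed


def audit(config: str, external_vlan: int = EXTERNAL_VLAN) -> List[str]:
    """One finding per violation of points (b) and (c) in the answer above."""
    findings: List[str] = []
    m = re.search(r"^vtp mode (\S+)", config, re.MULTILINE)
    mode = m.group(1) if m else "server"  # IOS default when the line is absent
    if mode not in ("transparent", "off"):
        findings.append(f"vtp mode is '{mode}': use 'vtp mode transparent' (or off) "
                        f"so VLAN {external_vlan} is never advertised inside")
    for name, subcmds in parse_interfaces(config).items():
        if "switchport mode trunk" in subcmds and external_vlan in trunk_allowed_vlans(subcmds):
            findings.append(f"{name}: trunk carries VLAN {external_vlan}; add "
                            f"'switchport trunk allowed vlan remove {external_vlan}'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against a saved `show running-config` and an empty result means every trunk prunes the external VLAN and VTP cannot leak it; anything else is a finding naming the interface and the command that closes it.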
I completely agree with you. Unfortunately, this ASA device is managed by another company for us. We were told that using one of the ASA ports to plug in the Medtech VPN would not be possible. Were we misinformed? I would like to use one of the ASA ports for the other VPN. It would simplify the entire design.