I have a Switch that needs to be able to separate Internal and External IP traffic for Firewall/VPN.
SCENERIO: I have 2 Firewall/VPN devices and an Internet connection plugged into (what I'd like to consider) the External IP ports/VLAN of my switch. The internal ports of the Firewall/VPN devices, along with other equipment, are plugged into the internal ports/VLAN of the switch.
Basically, I have a 24 port switch that needs to have 12 ports on an Interal VLAN and 12 ports on an External VLAN. The Internal VLAN ports will be connecting to our LAN which contains many other VLAN's. What is the best configuration to separate the External from Internal ports on the switch, but still allow other VLAN traffic to flow through to the Firewall/VPN devices.
My security guy would be screaming "NO NO NO NO!" at me if I put this in front of him :-)
I would strongly recommend against using the same switch for outside and inside traffic, unless traffic has to pass through another external firewall first.
I would recommend instead to use either a completely separate switch for the outside, or in a pinch, create a DMZ port on your 5510, and connect your "MedTech VPN"s outside interface to that - negating the need for an outside switch altogether.
If you are dead set on using the switch in this method, then you will need to to:
a) Ensure that the switch IOS is kept up-to date.
b) Your external VLAN (e.g. 666) should be isolated on this switch - so any trunk links coming off this switch should be prevented from carrying vlan 666.
c) Switch VTP OFF so that 666 isn't even visible inside
I completely agree with you. Unfortunately, this ASA device is managed by another company for us. We were told that that using one of the ASA ports to plug in the Medtech VPN would not be possible. Were we miss-informed? I would like to use one of the ASA ports for the other VPN. It would simplify the entire design.
Hi everyone, I would like to thank you in advance for any help you can provide a newcomer like myself!
Im studying the 100-105 book by Odom and am currently on the topic of Port security. I purchased a used 2960 and I'm trying to follow a...
While deploying a number of 18xx/2802/3802 model access points (APs), which run AP-COS as their operating platform. It can be observed on some occasions that while many of their access points were able to join the fabric WLC withou...
I am going to design and build an LAN network under a tunnel underground with long distance between the switches.
I will have 2 Catalyst switches and 8 Industrial IE3000, and they will be connected with fiber.
For now I am planning on use Layer-2 s...