Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

WAN trough LAN only secured by VLAN

Hello experts

Don't blame me for the following, I know this is not a good practice in any way and I should avoid that in all circumstances. But I only want to understand if my theory would work and maybe think about to use it in a home lab where I have a router/firewall appliance with only one physical port ... better don't ask why....

If I use the word safe in the following sentences, it is the meaning of nothing esoteric happens and I trust the firmware and that I don't misconfigure something.

Here the scenario:

I want the WAN (I mean the evil internet not a remote site) in a VLAN to connect through the core switch to a router/firewall which receives the tagged frames of that VLAN (let’s say 666). The firewall/router does his job and has the LAN interface on the same physical port in a different VLAN.

As I read in other discussions here and in some other forums, there are two main threads in this scenario.

1. VLAN hopping

2. What happens when the switch has a factory reset.

The first can be eliminated with a good configuration. So my question is related to the second one.

I thought about, what happens if the core switch resets due any reason to the factory defaults and the access port for the WAN gets default to be a trunk and would allow all traffic unfiltered to the whole LAN.

So here my hopefully working solution to minimize the risks.

Because the provider won't tag my WAN, I thought about to use a cheap VLAN capable switch between the WAN link and the core switch. The cheap switch just tags all WAN traffic with VLAN 666 and direct it to the core switch, which is on the port configured with VLAN666 tagged.

On the router/firewall the WAN interface has VLAN666 tagged and the LAN interface on a different VLAN.

Now my guess is, if the cheap switch has a factory reset the packages would come in untagged, but the core switch would block it because it only accepts VLAN 666 on this port.

If the main switch would have a factory reset, the VLAN 666 tagged frames from the WAN would be dropped on the port (could someone confirm this?).

So my summary about this would be as long as not both switches has an unplanned factory reset, then I should be on the "safe" side.

I hope someone could maybe give me some confirmations if this should work or maybe point me to a problem in my thought.

Everyone's tags (3)
CreatePlease to create content