I have a Catalyst 5500 with an RSM with a specific routing need.
VLAN 200 - Our ISP provider (Y.Y.Y.Y)
VLAN 202 - External Network (X.X.X.X)
VLAN 201 - Internal Network (10.0.0.0)
VLANs 10-15 - Various other Internal Networks (192.168.X.X)
Between our external and internal networks is a PC based Firewall whose internal NIC is set for 10.0.0.2, external NIC is X.X.X.226.
RSM is set up with all VLANS (internal/external/ISP) - default (0.0.0.0) gateway is set to our ISP (Y.Y.Y.Y)
What I need to do is point all my internal addresses to a default gateway of 10.0.0.2 (our Firewall Internal Interface) and our External Addressing to come in via our Firewall (X.X.X.226) with no bleed-over. Our Firewall handles all the NAT etc.
I thought this would be fairly simple to set up on the RSM - but I can't seem to figure it out - an example would be really helpful!
If what I'm reading is correct, I would say that the larger issue is security.
I read that you have one 5500 with several VLANs. Two of the VLANs (200 & 202) that connect to the 5500 are outside the firewall. The firewall is between two ports on the same 5500, each in a different VLAN.
The problem is that your 5500 is not protected and if it is compromised, your entire internal network is at risk.
I would suggest that the firewall be physically set between your ISP CPE device and your 5500. Also, that your DMZ (VLAN 202) be on a physically separate switch from your 5500 and connected through your firewall as a DMZ network.
Yes, that is correct, although our exterior feed is via ATM on our 5500 (we also have a WAN link to a remote campus via PVC over the same ATM blade) - the 5500 and RSM have a foot in both worlds. I realize that this is a less than secure setting, but with educational budgets being what they are, I have to try to make the best of this situation (security wise).
What I am trying to do is to prevent traffic from flowing inside to the outside without going through the Firewall and vice versa.
You should think of the 5500 as two switches. An external switch (VLAN 202) supporting the ISP, the exterior interface of the firewall and the RSM router. These devices should be on the y.y.y.y address range. Use a secondary if 216.223.88.x is a requirement. The interior switch (VLAN 201) supports the interior interface of the firewall and the RSM router. Setting the default route to 10.0.0.2 will force all VLAN 10, 11 and 12 Internet traffic through the firewall.
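The "two switches" split above, written out as RSM configuration. This is an added example, not configuration posted by anyone in the thread. Addresses taken from the thread are the placeholders X.X.X.x (VLAN 202), Y.Y.Y.y (VLAN 200) and 10.0.0.2 / X.X.X.226 (firewall inside / outside); the RSM interface addresses 10.0.0.1 and 192.168.10.1, the /24 masks, the ISP next hop Y.Y.Y.1 and the interface names are assumptions for illustration. The point the example makes is the one that decides the OP's question: the RSM keeps a single routing table, so as long as it owns an interface in both the inside and the outside VLANs it will forward between them directly and the firewall is never in the path.

```cisco
! Added example; addresses marked "assumed" are not from the thread.

! ---- Before: what the thread describes. The RSM has an interface in every
! VLAN and its default route points at the ISP. 10.0.0.0/24, 192.168.10.0/24
! and X.X.X.0/24 are all directly connected, so inside <-> outside traffic is
! routed by the RSM itself; only traffic for the rest of the Internet ever
! reaches Y.Y.Y.1, and none of it passes 10.0.0.2 or X.X.X.226.
interface Vlan200
 description ISP hand-off
 ip address Y.Y.Y.2 255.255.255.252      ! assumed RSM address
interface Vlan202
 description External / DMZ
 ip address X.X.X.1 255.255.255.0         ! assumed RSM address
interface Vlan201
 description Internal
 ip address 10.0.0.1 255.255.255.0        ! assumed RSM address
interface Vlan10
 ip address 192.168.10.1 255.255.255.0    ! assumed; repeat for Vlan11-Vlan15
ip route 0.0.0.0 0.0.0.0 Y.Y.Y.1           ! default to the ISP

! ---- After: the 5500 as two switches.
! Inside half: the RSM routes only the internal VLANs and sends everything
! it does not know to the firewall's inside interface.
interface Vlan201
 description Internal (firewall inside lives here at 10.0.0.2)
 ip address 10.0.0.1 255.255.255.0
interface Vlan10
 ip address 192.168.10.1 255.255.255.0    ! and Vlan11-Vlan15 likewise
no ip route 0.0.0.0 0.0.0.0 Y.Y.Y.1
ip route 0.0.0.0 0.0.0.0 10.0.0.2

! Outside half: VLAN 202 carries the ISP CPE and the firewall's outside
! interface as a plain Layer-2 segment. Deleting the RSM interfaces removes
! the only device that could route around the firewall. Put the ISP CPE in
! VLAN 202 as well (address from the y.y.y.y range, X.X.X.x as a secondary
! on the firewall's outside interface if that range must stay), so the
! firewall's outside default gateway is the CPE and not the RSM.
no interface Vlan200
no interface Vlan202
```

Two checks after the change. `show ip route` on the RSM should list only the 10.0.0.0/24 and 192.168.x.0/24 connected networks plus the static default via 10.0.0.2; if X.X.X.0/24 or the ISP subnet still shows as connected, the bleed-over path still exists. From a host in VLAN 10, a traceroute to an Internet address should show 10.0.0.2 as the first hop after the RSM. Note what the single routing table rules out: the RSM cannot both default to 10.0.0.2 and be the firewall's next hop toward the ISP, because packets the firewall sends outbound would be routed straight back to 10.0.0.2. That is why the ISP CPE has to be Layer-2 adjacent to the firewall's outside interface, and why the first reply's advice to move the firewall physically between the CPE and the 5500 is the cleaner fix when budget allows.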