Cisco Support Community
Switches on Network Borders

Hi There,

Can somebody advise how secure it is to place an L2 switch on my network perimeter? I heard that it is easy to flood a switch that's exposed to the internet, but I'm not sure how accurate this statement is, because I'm aware that switches are not stateful devices. So what concerns should I worry about when exposing my switch to the internet?

Thanks!

Haitham

3 REPLIES
Silver

Re: Switches on Network Borders

Keeping your switch located near the Internet is not a concern unless you have all your traffic on one VLAN. The main design concept here is to segment your traffic onto different VLANs. This allows you scalability and security. You need to isolate your Internet traffic to a VLAN (not your native or management VLAN). Good Luck..Please rate...

New Member

Re: Switches on Network Borders

In many cases you can't avoid putting a layer 2 switch on the perimeter. You have your Ethernet handoff from the provider, and quite often you have other interfaces in this "dirty" network, such as VPN concentrators, IPS/IDS devices, etc. I am not quite sure how you can use VLANs, since you typically have a public IP range that's all in the same subnet. I would recommend not putting an IP address on the switch and shutting down the management interface (VLAN 1). In addition, you can turn off unnecessary services like CDP, STP and SNMP in order to minimize your exposure. In terms of flooding your network, your router (assuming you don't have a switched Ethernet service) would most likely take the hit before your layer 2 switch would.
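The hardening steps in the reply above (no IP on the switch, VLAN 1 management interface shut, CDP/STP/SNMP off), written out as a Cisco IOS configuration. This is an added example, not from this thread; the hostname, interface numbers and port roles are assumed, and the storm-control and BPDU Guard lines are additions a practitioner would normally pair with these steps to address the flooding concern in the question.

```ios
! Added example: unmanaged-style hardening for an L2 switch in the "dirty" network.
! Assumed topology: Gi0/1 = provider handoff, Gi0/2 = border router, Gi0/3-4 = IPS units.
hostname BORDER-SW
!
! 1. No IP address on the switch: the only SVI (VLAN 1) gets no address and is shut.
interface Vlan1
 no ip address
 shutdown
!
! 2. No management services reachable from the dirty segment.
no snmp-server
no ip http server
no ip http secure-server
no cdp run
no lldp run
vtp mode transparent
!
! 3. STP: the reply suggests disabling it. Note that with no redundant links a
!    loop cannot form, but if a second path is ever patched in, a switch with no
!    STP will melt down. The safer equivalent is to keep STP and block BPDUs on
!    every edge port with BPDU Guard, which is what is configured below.
spanning-tree portfast bpduguard default
!
! 4. Every port is a plain access port in VLAN 1 (no trunking/DTP negotiation),
!    with broadcast/multicast rate limits so a flood from the outside is capped
!    at the port rather than saturating the segment before the IPS sees it.
interface range GigabitEthernet0/1 - 4
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
 storm-control broadcast level 5.00
 storm-control multicast level 5.00
 storm-control action trap
 no cdp enable
!
! 5. Unused ports stay down.
interface range GigabitEthernet0/5 - 24
 shutdown
```

Verify with `show ip interface brief` (no address on Vlan1, status administratively down), `show cdp` and `show snmp` (both disabled), and `show storm-control` to confirm the rate limits are active on the four live ports.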

New Member

Re: Switches on Network Borders

Hi,

I don't want to use any VLANs on my border switch, as I'm concerned that if any vulnerability regarding VLAN security were exploited, it could bypass my security layers and give access to my internal subnets. The scenario I have is a border router, switch and then 2 IPS units. The IPS should protect me from rate-based attacks, but I was concerned whether the switch or the border router will fail before the IPS even receives the traffic and protects my internal networks.

Regards,

Haitham
