01-25-2010 06:20 AM - edited 03-04-2019 07:17 AM
Hi All,
I have the following network design as below. I would like to know if there are any security constraints or issues with the traffic hitting the 4510 switch before the firewall, then going back to the 4510 switch.
router (layer 3 sub-interface) ----- (trunk) cisco3750 (switch port access) ----- (switch port access) cisco4510-module1 (trunk) --- (layer 3 sub-int) FW (layer 3) -- (layer 3) 4510-module-2
Regards,
01-25-2010 06:32 AM
cisco router
(layer 3 sub-interface)
|
|
(trunk)
cisco3750
(switchport mode access per port per vlan)
|
|
(switchport mode access per port per vlan)
cisco4510-module1
(trunk)
|
|
(layer 3 sub-interface) (forms a point-to-point link with the cisco router sub-interface)
FireWall
(layer 3)
|
|
(layer 3)
4510-module-2
Regards,
01-25-2010 06:39 AM
Hi,
What is the reason for placing the FW physically between module 1 & 2?
The 1st module is exposed to traffic attacks and is not protected by the FW; the best approach is to have the FW placed in front of module 1.
HTH
Mohamed
01-25-2010 07:06 AM
Hi Mohamed,
The constraint I have is that I need to allocate each customer a physical port between the 3750 and the 4510 module 1.
Alternatively I can replace the 4510 module 1 with another 3750, but it is really not cost effective.
01-25-2010 07:32 AM
noobieee7 wrote:
Hi Mohamed,
The constraint I have is that I need to allocate each customer a physical port between the 3750 and the 4510 module 1.
Alternatively I can replace the 4510 module 1 with another 3750, but it is really not cost effective.
Why do you have to allocate each customer a physical port on the 4500, what does it give you ?
Jon
01-25-2010 07:47 AM
Hi,
My upstream has the constraint of only being able to provide bandwidth utilisation information for each customer via a physical port. The 3750 belongs to my upstream and the 4510 belongs to me.
01-25-2010 08:17 AM
noobieee7 wrote:
Hi,
My upstream has the constraint of only being able to provide bandwidth utilisation information for each customer via a physical port. The 3750 belongs to my upstream and the 4510 belongs to me.
Okay. Then in answer to your question, as long as you do not create any L3 SVIs for the vlans in use on module 1 you should be fine, i.e. the L3 routed interfaces for the vlans in use on module 1 can only be on the firewall.
Edit - and obviously the vlans in use behind the firewall, i.e. on module 2, must be completely different vlans, but as your firewall is L3 I'm assuming they are.
Jon
01-25-2010 08:23 AM
Hi Jon,
Thanks for the information. But would there be any security concern that you might foresee?
Regards,
01-25-2010 08:37 AM
noobieee7 wrote:
Hi Jon,
Thanks for the information. But would there be any security concern that you might foresee?
Regards,
No, other than the fact that you are using the same physical switch, so there is always a chance of a misconfiguration which could cause you security issues. There have been quite a few discussions on the pros and cons of having separate physical switches versus using a chassis-based switch and using vlans to segregate.
Using physical switches will pretty much always be more secure, but it's perfectly acceptable to use a modular switch for this. As Mohamed said though, you cannot protect the 4500 chassis as well as if it were entirely behind the firewall.
If you do use the switch in this way then make sure you lock it down as much as possible. Certainly you need to look at the basics such as not using vlan 1 for any switchports/management etc. In case you haven't seen it here is a good paper on vlan security. It's for the 6500 but most of it will be relevant for the 4500 -
Jon
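Jon's two conditions above (no L3 SVI for any vlan used on the outside module, and no vlan shared between the outside and inside modules) plus the VLAN 1 point can be checked mechanically before a change goes onto the chassis. The following Python audit is an added example, not code from this thread or from Cisco; the slot-to-module mapping (slot 1 outside, slot 2 inside) and both configs are constructed assumptions for illustration.

```python
"""Audit an IOS-style switch config for the conditions discussed above:
an L3 SVI on a VLAN used by the outside module, a VLAN shared between the
outside and inside modules, and VLAN 1 carrying access or native-trunk
traffic. The slot-to-module mapping is an assumption for this example."""
import re
from collections import defaultdict

OUTSIDE_SLOT = 1  # assumption: slot 1 = module facing the upstream 3750
INSIDE_SLOT = 2   # assumption: slot 2 = module behind the firewall

# Constructed sample configs, not the original poster's.
BAD_CONFIG = """\
interface GigabitEthernet1/2
 switchport mode access
 switchport access vlan 1
interface GigabitEthernet1/48
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 101,102
interface GigabitEthernet2/1
 switchport mode access
 switchport access vlan 101
interface Vlan101
 ip address 192.0.2.1 255.255.255.0
interface Vlan200
 ip address 10.0.0.1 255.255.255.0
"""

GOOD_CONFIG = """\
interface GigabitEthernet1/2
 switchport mode access
 switchport access vlan 102
interface GigabitEthernet1/48
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 101,102
interface GigabitEthernet2/1
 switchport mode access
 switchport access vlan 200
interface Vlan200
 ip address 10.0.0.1 255.255.255.0
"""

IFACE_RE = re.compile(r"^interface (\S+)")
SLOT_RE = re.compile(r"^[A-Za-z]+(\d+)/\d+")   # physical port -> slot number
SVI_RE = re.compile(r"^Vlan(\d+)$")


def expand_vlans(spec):
    """'101,102,200-202' -> {101, 102, 200, 201, 202}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_interfaces(config):
    """Return {interface name: attribute dict} for the lines this audit needs."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = interfaces.setdefault(m.group(1), {})
            continue
        if current is None or not line.startswith(" "):
            continue
        w = line.split()
        if w[:2] == ["switchport", "mode"]:
            current["mode"] = w[2]
        elif w[:3] == ["switchport", "access", "vlan"]:
            current["access_vlan"] = int(w[3])
        elif w[:4] == ["switchport", "trunk", "native", "vlan"]:
            current["native_vlan"] = int(w[4])
        elif w[:4] == ["switchport", "trunk", "allowed", "vlan"]:
            current["allowed_vlans"] = expand_vlans(w[4])
        elif w[:2] == ["ip", "address"]:
            current["ip"] = w[2]
    return interfaces


def port_vlans(attrs):
    """VLANs a port carries; IOS defaults both access and native VLAN to 1."""
    if attrs.get("mode") == "access":
        return {attrs.get("access_vlan", 1)}
    if attrs.get("mode") == "trunk":
        return attrs.get("allowed_vlans", set()) | {attrs.get("native_vlan", 1)}
    return set()


def audit(config):
    """Return a list of finding strings; an empty list means the config passes."""
    interfaces = parse_interfaces(config)
    findings, vlans_by_slot = [], defaultdict(set)
    for name, attrs in interfaces.items():
        m = SLOT_RE.match(name)
        if not m:
            continue
        vlans = port_vlans(attrs)
        vlans_by_slot[int(m.group(1))] |= vlans
        if 1 in vlans:
            findings.append(f"{name}: carries VLAN 1 (access, native or allowed)")
    outside, inside = vlans_by_slot[OUTSIDE_SLOT], vlans_by_slot[INSIDE_SLOT]
    for vlan in sorted(outside & inside):
        findings.append(f"VLAN {vlan}: used on both module {OUTSIDE_SLOT} and module {INSIDE_SLOT}")
    for name, attrs in interfaces.items():
        m = SVI_RE.match(name)
        if m and "ip" in attrs and int(m.group(1)) in outside:
            findings.append(f"{name}: L3 SVI on outside VLAN; routing for it belongs on the firewall")
    return findings


if __name__ == "__main__":
    for label, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(label, audit(cfg) or "no findings")
```

Note that `port_vlans` applies the IOS defaults: a port with no `switchport access vlan` or `switchport trunk native vlan` line silently lands on VLAN 1, which is exactly the case Jon's "don't use vlan 1" advice is about, so an absent line is flagged the same way as an explicit `vlan 1`. The parser only understands the handful of commands the audit needs (it does not handle `switchport trunk allowed vlan add`, for instance), so treat it as a starting point for a pre-change check rather than a full config parser.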
01-25-2010 08:42 AM
Hi Jon and Mohamad,
Many thanks for your assistance!
Regards,