Network Design

noobieee7
Level 1

Hi All,

I have the network design shown below. I would like to know if there are any security constraints or issues with the traffic hitting the 4510 switch before the firewall, then going back to the 4510 switch.

router (layer 3 sub-interface) ----- (trunk) cisco3750 (switch port access) ----- (switch port access) cisco4510-module1 (trunk) --- (layer 3 sub-int) FW (layer 3) -- (layer 3) 4510-module-2


Regards,

9 Replies

noobieee7
Level 1
Redrawn diagram:

cisco router
(layer 3 sub-interface)
     |
     |
(trunk)
cisco3750
(switchport mode access per port per vlan)
     |
     |
(switchport mode access per port per vlan)
cisco4510-module1
(trunk)
     |
     |
(layer 3 sub-interface) (forms a point-to-point link with the cisco router sub-interface)
FireWall
(layer 3)
     |
     |
(layer 3)
4510-module-2

Regards,

Mohamed Sobair
Level 7

Hi,

What is the reason for placing the FW physically between modules 1 & 2?

The 1st module is exposed to traffic attacks and not protected by the FW; the best approach is to have the FW placed in front of module 1.

HTH

Mohamed

Hi Mohamed,

The constraint I have is that I need to allocate each customer a physical port between the 3750 and the 4510 module 1.

Alternatively I can replace the 4510 module 1 with another 3750, but it is really not cost effective.

noobieee7 wrote:

Hi Mohamed,

The constraint I have is that I need to allocate each customer a physical port between the 3750 and the 4510 module 1.

Alternatively I can replace the 4510 module 1 with another 3750, but it is really not cost effective.

Why do you have to allocate each customer a physical port on the 4500? What does it give you?

Jon

Hi,

My upstream has the constraint of only being able to provide bandwidth utilisation information for each customer via a physical port. The 3750 belongs to my upstream and the 4510 belongs to me.

noobieee7 wrote:

Hi,

My upstream has the constraint of only being able to provide bandwidth utilisation information for each customer via a physical port. The 3750 belongs to my upstream and the 4510 belongs to me.

Okay. Then in answer to your question, as long as you do not create any L3 SVIs for the vlans in use on module 1 you should be fine, i.e. the L3 routed interfaces for the vlans in use on module 1 can only be on the firewall.

Edit - and obviously the vlans in use behind the firewall, i.e. on module 2, must be completely different vlans, but as your firewall is L3 I'm assuming they are.

Jon

Hi Jon,

Thanks for the information. But would there be any security concern that you might foresee?

Regards,

noobieee7 wrote:

Hi Jon,

Thanks for the information. But would there be any security concern that you might foresee?

Regards,

No, other than the fact that you are using the same physical switch, so there is always a chance of misconfiguration which could cause you security issues. There have been quite a few discussions on the pros and cons of having separate physical switches against using a chassis based switch and using vlans to segregate.

Using physical switches will pretty much always be more secure but it's perfectly acceptable to use a modular switch for this. As Mohamed said though, you cannot protect the 4500 chassis as well as if it was entirely behind the firewall.

If you do use the switch in this way then make sure you lock it down as much as possible. Certainly you need to look at the basics such as not using vlan 1 for any switchports/management etc. In case you haven't seen it here is a good paper on vlan security. It's for the 6500 but most of it will be relevant for the 4500 -

6500 vlan security

Jon
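A small audit of the rules Jon gives in his two replies above (no SVI on the 4510 for any VLAN used on module 1, module 2 VLANs disjoint from module 1's, nothing in VLAN 1), added here as an example and not anything posted in the thread. It parses a constructed IOS running-config excerpt and assumes slot 1 is module 1, slot 2 is module 2, and that trunks set their native VLAN explicitly and list allowed VLANs without ranges.

```python
import re

# Constructed 4510 running-config excerpt (not from the thread): slot 1 is the customer-facing
# module 1, slot 2 the module behind the firewall. Each of the thread's rules is broken once.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 switchport access vlan 101
interface GigabitEthernet1/2
interface GigabitEthernet1/48
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 101,102
interface GigabitEthernet2/1
 switchport access vlan 102
interface Vlan1
 ip address 10.0.0.2 255.255.255.0
interface Vlan101
 ip address 192.0.2.1 255.255.255.0
"""

def parse_config(text):
    """Return ({slot: VLANs on its ports}, {VLANs with an SVI}); trunks are assumed to set native VLAN explicitly."""
    slots, svis, port = {}, set(), None
    for words in (line.split() for line in text.splitlines()):
        if words[:1] == ["interface"]:
            svi = re.fullmatch(r"Vlan(\d+)", words[1])
            if svi:
                svis.add(int(svi.group(1))); port = None
            else:
                port = {"vlans": set(), "native": None}
                slots.setdefault(int(re.search(r"(\d+)/", words[1]).group(1)), []).append(port)
        elif port and words[:3] == ["switchport", "access", "vlan"]:
            port["vlans"] = {int(words[3])}
        elif port and words[:4] == ["switchport", "trunk", "native", "vlan"]:
            port["native"] = int(words[4])
        elif port and words[:4] == ["switchport", "trunk", "allowed", "vlan"]:
            port["vlans"] = {int(v) for v in words[4].split(",")}
    # a port with no VLAN statement at all sits in VLAN 1, the IOS default
    return {s: set().union(*((p["vlans"] | {p["native"]} - {None}) or {1} for p in ps))
            for s, ps in slots.items()}, svis

def audit(slots, svis, customer_slot=1, inside_slot=2):
    """Apply the thread's three rules and return the findings as strings."""
    cust, inside = slots.get(customer_slot, set()), slots.get(inside_slot, set())
    findings = [f"SVI Vlan{v} routes a module {customer_slot} VLAN on the switch, bypassing the firewall"
                for v in sorted((cust & svis) - {1})]
    findings += [f"VLAN {v} is used on both sides of the firewall" for v in sorted(cust & inside)]
    if 1 in cust | inside | svis:
        findings.append("VLAN 1 is in use for a switchport or management SVI")
    return findings
```

On the sample config this reports three findings: the SVI for VLAN 101, VLAN 102 present on both modules, and VLAN 1 in use (the unconfigured access port plus the management SVI).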

Hi Jon and Mohamed,

Many thanks for your assistance!

Regards,
