nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

Having a switch at edge of network

mzinz

Is there anything fundamentally wrong with having a Layer 2 device at the edge of a network? I have a situation where two different firewalls need to be used. I could use a router instead - but what is the benefit?

http://i66.photobucket.com/albums/h278/tylerlucas/switches.jpg

Example above

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

phreak

On your standard broadband connection you make a DMZ of sorts with that type of configuration.

Modem/CPE

|Switch|

Router/Firewall device----LAN1
|
|

Router/Firewall device----LAN2

Those two separate routers are on two separate subnets

mzinz

phreak wrote:

On your standard broadband connection you make a DMZ of sorts with that type of configuration.

Modem/CPE
|Switch|
Router/Firewall device----LAN1
|
|
Router/Firewall device----LAN2

Those two separate routers are on two separate subnets

I realize what's happening, I'm just wondering if it will work okay. Is there any fundamental reason that it won't function properly?

Would it be bad because I have no layer 3 protection on my first device? IE: no ACL's in place until AFTER the switch?

phreak

I'd say its fine. Lock the device down so you cannot even log in using telnet. Nothing beats out-of-band management!

dtlokee

Yeah it's fine, just make sure you lock it down as much as possible, if you can upgrade the 2950 to a newer IOS that supports SSH and use that instead of telnet. Also use an ACL on the vty lines to prevent anyone other than yourself from connecting with SSH and use the "log" keyword so you know when people have connected (syslog if possible). Shut down all the extra interfaces that you are not using and stuff like that.

mzinz

dtlokee wrote:

Yeah it's fine, just make sure you lock it down as much as possible, if you can upgrade the 2950 to a newer IOS that supports SSH and use that instead of telnet. Also use an ACL on the vty lines to prevent anyone other than yourself from connecting with SSH and use the "log" keyword so you know when people have connected (syslog if possible). Shut down all the extra interfaces that you are not using and stuff like that.

Thanks for the help guys, much appreciated.

Pash

Just to add to DT's post:-

http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp

Cisco Feature navigator will help you find an img that supports SSH.