Having a switch at edge of network

Is there anything fundamentally wrong with having a Layer 2 device at the edge of a network? I have a situation where two different firewalls need to be used. I could use a router instead - but what is the benefit?

http://i66.photobucket.com/albums/h278/tylerlucas/switches.jpg

Example above

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

phreak

On your standard broadband connection you make a DMZ of sorts with that type of configuration.

Modem/CPE

|Switch|

Router/Firewall device----LAN1
|
|

Router/Firewall device----LAN2

Those two separate routers are on two separate subnets

mzinz

phreak wrote:

On your standard broadband connection you make a DMZ of sorts with that type of configuration.

Modem/CPE
|Switch|
Router/Firewall device----LAN1
|
|
Router/Firewall device----LAN2

Those two separate routers are on two separate subnets

I realize what's happening, I'm just wondering if it will work okay. Is there any fundamental reason that it won't function properly?

Would it be bad because I have no layer 3 protection on my first device? IE: no ACL's in place until AFTER the switch?

phreak

I'd say its fine. Lock the device down so you cannot even log in using telnet. Nothing beats out-of-band management!

dtlokee

Yeah it's fine, just make sure you lock it down as much as possible, if you can upgrade the 2950 to a newer IOS that supports SSH and use that instead of telnet. Also use an ACL on the vty lines to prevent anyone other than yourself from connecting with SSH and use the "log" keyword so you know when people have connected (syslog if possible). Shut down all the extra interfaces that you are not using and stuff like that.

mzinz

dtlokee wrote:

Yeah it's fine, just make sure you lock it down as much as possible, if you can upgrade the 2950 to a newer IOS that supports SSH and use that instead of telnet. Also use an ACL on the vty lines to prevent anyone other than yourself from connecting with SSH and use the "log" keyword so you know when people have connected (syslog if possible). Shut down all the extra interfaces that you are not using and stuff like that.

Thanks for the help guys, much appreciated.

Pash

Just to add to DT's post:-

http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp

Cisco Feature navigator will help you find an img that supports SSH.