Having a switch at edge of network

mzinz Member Posts: 328
Is there anything fundamentally wrong with having a Layer 2 device at the edge of a network? I have a situation where two different firewalls need to be used. I could use a router instead - but what is the benefit?

http://i66.photobucket.com/albums/h278/tylerlucas/switches.jpg

Example above
_______LAB________
2x 2950
2x 3550
2x 2650XM
2x 3640
1x 2801

Comments

  • phreak Member Posts: 170
    On your standard broadband connection you make a DMZ of sorts with that type of configuration.


    Modem/CPE
    |Switch|
    Router/Firewall device----LAN1
    |
    |
    Router/Firewall device----LAN2



    Those two separate routers are on two separate subnets
  • mzinz Member Posts: 328
    phreak wrote:
    On your standard broadband connection you make a DMZ of sorts with that type of configuration.


    Modem/CPE
    |Switch|
    Router/Firewall device----LAN1
    |
    |
    Router/Firewall device----LAN2



    Those two separate routers are on two separate subnets

    I realize what's happening; I'm just wondering if it will work okay. Is there any fundamental reason that it won't function properly?

    Would it be bad because I have no layer 3 protection on my first device? I.e., no ACLs in place until AFTER the switch?
    _______LAB________
    2x 2950
    2x 3550
    2x 2650XM
    2x 3640
    1x 2801
  • phreak Member Posts: 170
    I'd say it's fine. Lock the device down so you cannot even log in using telnet. Nothing beats out-of-band management!
  • dtlokee Member Posts: 2,378
    Yeah, it's fine; just make sure you lock it down as much as possible. If you can, upgrade the 2950 to a newer IOS that supports SSH and use that instead of telnet. Also use an ACL on the vty lines to prevent anyone other than yourself from connecting with SSH, and use the "log" keyword so you know when people have connected (syslog if possible). Shut down all the extra interfaces that you are not using, and stuff like that.
    The only easy day was yesterday!
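    The lock-down dtlokee describes, written out as an IOS configuration. This is an added example, not configuration posted in the thread: the hostname, domain name, the RFC 5737 documentation addresses, the ACL number and the interface range are all assumptions, and which of these commands exist on a given 2950 depends on its image (SSH needs a crypto/K9 build, as the later posts note).

```cisco
! Added example: hardening an edge-facing 2950 along the lines of dtlokee's post.
! Hostname, domain, addresses, ACL number and port numbers are assumptions.
hostname EDGE-SW
ip domain-name lab.example.com

! Local account used for SSH logins (placeholder secret, replace it)
username admin privilege 15 secret REPLACE_WITH_STRONG_SECRET

! Management ACL: only the admin workstation may reach the vty lines.
! The "log" keyword on the deny entry records every refused attempt.
access-list 10 remark Hosts allowed to SSH into the switch
access-list 10 permit host 192.0.2.10
access-list 10 deny any log

! Ship the log entries to a syslog server so they survive off-box
logging host 192.0.2.20
logging trap informational
service timestamps log datetime msec

! vty lines: SSH only, ACL applied inbound, idle sessions dropped
line vty 0 15
 access-class 10 in
 transport input ssh
 login local
 exec-timeout 5 0
 logging synchronous

! Console gets a login and timeout as well
line con 0
 login local
 exec-timeout 5 0

! Turn off the built-in web server; it is not needed for management
no ip http server

! Shut every port that is not cabled (assumes only Fa0/1 and Fa0/2 are in use)
interface range FastEthernet0/3 - 24
 shutdown

! SSH will not answer until a host key exists. The key is generated from
! EXEC mode (not a config line) after hostname and ip domain-name are set:
!   crypto key generate rsa modulus 2048
! Then, in config mode, on images that support it:
ip ssh version 2
```

    With this in place a telnet attempt is refused outright (no telnet transport on the vty lines), an SSH attempt from any address other than 192.0.2.10 is dropped by ACL 10 and produces a logged deny that reaches the syslog host, and the unused ports cannot be used to attach to the uplink segment in front of the firewalls.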
  • mzinz Member Posts: 328
    dtlokee wrote:
    Yeah, it's fine; just make sure you lock it down as much as possible. If you can, upgrade the 2950 to a newer IOS that supports SSH and use that instead of telnet. Also use an ACL on the vty lines to prevent anyone other than yourself from connecting with SSH, and use the "log" keyword so you know when people have connected (syslog if possible). Shut down all the extra interfaces that you are not using, and stuff like that.

    Thanks for the help guys, much appreciated.
    _______LAB________
    2x 2950
    2x 3550
    2x 2650XM
    2x 3640
    1x 2801
  • Pash Member Posts: 1,600
    Just to add to DT's post:

    http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp

    Cisco Feature Navigator will help you find an image that supports SSH.
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.