L3 Switch acting as Internet router between /30 and routed subnet (outside of firewall)

Userlevel 4
Looking for a "best practices" example using an EXOS switch acting as both a private network switch and an internet router. We have several deployed in this fashion, mostly where the ISP does not provide a router for the client's routed subnet. Instead, they give us a /30 which routes via the Extreme to the outside of our firewall.

Do you create a second virtual router or simply add the two outside VLANs to the default? We implement a policy which checks a list of subnets before allowing SSH to the management IP, but what else? Should we be doing more? Anyone have an example?

Thanks in advance!

1 reply

Userlevel 3
Of course the ideal case is to physically isolate your private switch with the outside L3 switch.

If constraint, the next better option is like you mention, using vrf. But, do note vr-router instances shares the same mac address, so they cannot be connected to a L2 switch. However, since you are using Firewall, which is looking at layer 3 and above, then it will not be an issue.

VLAN isolation is good only for layer 2. But againt, you must ensure there is no ipf enable for VLAN. To me, that is a risk of misconfiguration.

For SSH management, if possible use the out-of-band (OOB) management port. That port itself is also vr-Mgmt isolated. on EXOS platform.

The best practices are always defined and isolate the Data Plane, Mgmt. plane and Control Plane.