This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 

L3 Switch acting as Internet router between /30 and routed subnet (outside of firewall)

L3 Switch acting as Internet router between /30 and routed subnet (outside of firewall)

Eric_Burke
New Contributor III

ā€Ž01-17-2018 01:20 AM

Looking for a "best practices" example using an EXOS switch acting as both a private network switch and an internet router. We have several deployed in this fashion, mostly where the ISP does not provide a router for the client's routed subnet. Instead, they give us a /30 which routes via the Extreme to the outside of our firewall.

Do you create a second virtual router or simply add the two outside VLANs to the default? We implement a policy which checks a list of subnets before allowing SSH to the management IP, but what else? Should we be doing more? Anyone have an example?

Thanks in advance!
BigRic
1 REPLY 1

Mel78__CISSP__E
New Contributor III

ā€Ž01-17-2018 01:39 AM

Of course the ideal case is to physically isolate your private switch with the outside L3 switch.

If constraint, the next better option is like you mention, using vrf. But, do note vr-router instances shares the same mac address, so they cannot be connected to a L2 switch. However, since you are using Firewall, which is looking at layer 3 and above, then it will not be an issue.

VLAN isolation is good only for layer 2. But againt, you must ensure there is no ipf enable for VLAN. To me, that is a risk of misconfiguration.

For SSH management, if possible use the out-of-band (OOB) management port. That port itself is also vr-Mgmt isolated. on EXOS platform.

The best practices are always defined and isolate the Data Plane, Mgmt. plane and Control Plane.

0 Kudos
GTM-P2G8KFN