Monday, February 12, 2018

Datacenter WAN ports? Where exactly should they be plugged in?

Recently someone posted a question asking if a WAN port should be plugged directly into a switch, suggesting it could be a security risk and open the network up to DDoS attacks.

I'm curious what others have to say. At my last company we had 2 routers going into the WAN connection (only because we had our own /24 IP space we were advertising to the carrier) and then both of these routers went into an 'outside' VLAN on our switch.

Current company - providers at main datacenter and DR site are giving us a default route. Our DR site has the WAN link going directly into the outside of our firewall. Our primary site has 2 ASAs in an HA config. We have an untrust VDC (Nexus 7K) within which is an 'untrust/outside' VLAN. The link with the ISP goes into a port on the untrust VLAN. In this VLAN we also have both ASAs, the primary and standby. We also have another ASA in this VLAN servicing the remote Cisco phones since we don't have MRA yet.

I'm curious what others' thoughts are and how else we would achieve the same result without plugging the WAN link into the switch. I suppose we could put a router in front and then have some of the router links go into the outside VLAN?


