Serving public IP addresses through two Ethernet ports with public subnets, while protecting some interfaces for remote access

Done a lot of research and it's all kind of confusing. Some switches are also firewalls, most firewalls seem to be routers, with or without their own switches, but they're all different depending on the manufacturer. Hence I now ask for advice here!

My problem:

I have two ports that give access to two subnets of public IPs.

What I want is to be able to connect servers to them and run ipfilter as a firewall, but for some of them I would want to block traffic depending on IP before the packets are delivered to the machine, that is.

Now, Cisco layer 3 switches seem to have this functionality (ACLs is what they call the firewall functionality, right?). I have administered Cisco ACLs before through the CLI on a Cisco PIX (a long time ago), so I guess it's about the same.

Would I be able to connect such a switch to my two subnet ports so that machines connected to the switch can all take IP addresses from either of the subnets?

The network units I don't want exposed directly to the WAN are all remote access controllers, known to be full of security holes. Perhaps it would be better to have a "dumb" switch and then a cheap router in front of these interfaces instead of an advanced switch with firewall functionality?

This is to be a small business network with 2-4 servers, possibly growing just a bit. Any other ideas than what I describe above are welcome!

Answer

So you have two /8 networks from your ISP (one for each of the two ports).

A /8 is a huge network; I wonder why you get such a large address space, but anyway.

If you have two separate IP series on two separate ports, and you want to set up a firewall and then have some of the same IP series behind it, then you should split each of your two subnets in two, so that part of it is outside the firewall and part of it is inside your firewall. (That is what I would have done, at least.)

I am a Juniper guy, so I would have used something like an SRX100 (provided not much traffic is needed), then set up at least 3 different zones in the network:

1. RED1 = x.x.x.x/9
2. RED2 = y.y.y.y/9
3. GREEN = x.x.x.B/9 and also y.y.y.C/9

Where B and C are the network numbers after you split from /8 to /9 (use a subnet calculator to find what network that is).

That way any server on your GREEN (protected) network could take a network address from either of the two IP series.
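As an added worked example (not part of the answer above, and not Juniper's configuration), the /8-to-/9 split and the resulting zone policy can be checked offline with Python's standard `ipaddress` module. The two /8 networks used here are constructed stand-ins for the x.x.x.x/8 and y.y.y.y/8 series in the answer; the zone names match the answer, and the default-deny policy for RED-to-GREEN traffic is an assumption about what the firewall would enforce.

```python
import ipaddress

# Constructed stand-ins for the two ISP-delegated series (x.x.x.x/8 and y.y.y.y/8).
SERIES = {
    "RED1": ipaddress.ip_network("10.0.0.0/8"),
    "RED2": ipaddress.ip_network("11.0.0.0/8"),
}


def split_series(series, new_prefix=9):
    """Split each delegated /8 into two /9 halves: the first half stays outside the
    firewall under its RED zone name, the second half moves behind it into GREEN.
    The second half's network address is the 'B' / 'C' value from the answer."""
    plan = {"GREEN": []}
    for name, net in series.items():
        outside, inside = net.subnets(new_prefix=new_prefix)  # exactly two subnets
        plan[name] = [outside]
        plan["GREEN"].append(inside)
    return plan


def zone_of(ip, plan):
    """Return the zone name that contains ip, or None if it is in neither series."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in plan.items():
        if any(addr in net for net in nets):
            return zone
    return None


def allowed(src, dst, plan, exceptions=()):
    """Assumed zone policy: anything destined for a RED host is not this firewall's
    concern; traffic into GREEN is permitted only from GREEN itself or from an
    explicitly listed (src, dst) pair, so the remote access controllers in GREEN
    are unreachable from the outside halves by default."""
    if zone_of(dst, plan) != "GREEN":
        return True
    if zone_of(src, plan) == "GREEN":
        return True
    return (str(src), str(dst)) in set(exceptions)


if __name__ == "__main__":
    plan = split_series(SERIES)
    for zone, nets in plan.items():
        print(zone, [str(n) for n in nets])
    print(allowed("10.5.5.5", "10.200.1.1", plan))  # RED1 -> GREEN, denied
```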

Attribution
Source: Link, Question Author: Nomad, Answer Author: Sverre