The perimeter router is typically a
standard router providing a serial connection to the outside world and a LAN
connection to the internal network. The perimeter router should provide any
filtering of outside traffic to implement basic security for the dirty DMZ and
preliminary filtering for the inside network. This device could be running the
firewall feature set for additional security options.
Because the perimeter router is often connected to a slower WAN
interface on one side and it doesn’t normally provide routing functions for
internal networks, the LAN interface speed isn’t as critical as making sure
adequate memory and features exist to handle the outside connection. Even if the
inside network is 100MB and all protected DMZ interfaces are full-duplex 100MB,
if the Internet connection is a T1 (1.54MB), then a 10MB LAN interface on the
perimeter router shouldn’t impede traffic. Even most DSL or cable connections
would be well below 10MB.
While bandwidth issues are important, feature sets are just as important
on perimeter routers. Routers clear down to the 800 series support access lists,
firewall features, and so forth, making low-end devices attractive in some
perimeter implementations. If intrusion detection features are needed, though,
you should know that the firewall feature sets for devices below the 2600
series don’t include them. So, while a 1700 or 2500 device might handle the
traffic, it won’t provide intrusion detection services.
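The filtering role described above (basic security for the dirty DMZ and preliminary filtering for the inside network), implemented with the plain access-list support that even the low-end series carry, looks roughly like the following. This is an added example, not a configuration from the book or from Cisco; the interface names, the 203.0.113.0/24 public block, the private 10.0.0.0/8 inside range, and the DMZ host addresses are all placeholders chosen for illustration.

```cisco
! Added example (not from the book). Assumed topology:
!   Serial0/0        - T1 to the ISP (outside)
!   FastEthernet0/0  - dirty DMZ, public block 203.0.113.0/24 (placeholder)
!   inside network   - private 10.0.0.0/8 behind a separate firewall (placeholder)
! Assumed DMZ hosts (placeholders): web 203.0.113.10, mail 203.0.113.20, DNS 203.0.113.30
!
ip access-list extended PERIMETER-IN
 remark --- anti-spoofing: outside packets must not claim our own or private source space
 deny   ip 203.0.113.0 0.0.0.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 remark --- replies to TCP sessions opened from our side (stateless: checks ACK/RST bits only)
 permit tcp any 203.0.113.0 0.0.0.255 established
 remark --- the only services the dirty DMZ publishes to the Internet
 permit tcp any host 203.0.113.10 eq www
 permit tcp any host 203.0.113.20 eq smtp
 permit udp any host 203.0.113.30 eq domain
 remark --- ICMP needed for path-MTU discovery; everything else is dropped and logged
 permit icmp any 203.0.113.0 0.0.0.255 packet-too-big
 deny   ip any any log
!
interface Serial0/0
 description T1 to ISP (outside)
 ip access-group PERIMETER-IN in
 no ip directed-broadcast
 no ip redirects
 no ip unreachables
 no ip proxy-arp
```

The `established` keyword only matches TCP packets with the ACK or RST bit set, so this is preliminary filtering rather than stateful inspection; the stateful tracking that follows each session belongs to the IOS firewall feature set discussed in the next chapter. The `log` keyword on the deny entries is what turns the router into a useful early-warning source, since spoofed-source and unexpected-port hits show up in the router's syslog output.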
The next chapter looks at the Cisco IOS firewall feature set and
the additional features it can add to the perimeter router.