Or, even better, your services need authentication and authorization even on internal network, with some sort of SSO and/or federated authentication, so it actually doesn't matter where you are. Google's own BeyondCorp initiative works kind of this way.
Getting a route to the outside internet is not such a big deal; access to internal data is.
By the way: it's "amateur hour" if, as you say, that happens for a switch in a public/semipublic area in an office structure. On the contrary, I've seen a lot of "all-enabled" switches if those were accessible just from INSIDE the datacenter, where few people had access. It's not a really reasonable scenario.
Getting a route to the outside internet is not such a big deal; access to internal data is.
By the way: it's "amateur hour" if, as you say, that happens for a switch in a public/semipublic area in an office structure. On the contrary, I've seen a lot of "all-enabled" switches if those were accessible just from INSIDE the datacenter, where few people had access. It's not a really reasonable scenario.