How to create on routable VLAN

amisseri · ‎02-06-2007

It has been recommended to me to converge my internal network and public Internet into a single 6509 switch with FWSM. I was told to do it with VLANS and that it would have line speed performance. How can this be done?

albert.remo · ‎02-06-2007

Hi!

Good day! Depends on your resources but this link may be helpful.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_module_configuration_guide_chapter09186a00802c5ba1.html

Hope this helps! ?

Regards,

Albert

Jon Marshall · ‎02-07-2007

Hi

You can do this but you need to be careful. If you have the internet facing DMZ and your internal network on the same switch chassis then a misconfiguration can easily lead to your internal network being exposed to the Internet.

Do you need line speed performance from the Internet ?. It's unlikely that you have that fast a connection.

If you do decide to do it you must make sure that your MSFC routed interfaces are all behind the FWSM. The vlan you create for the internet DMZ must have it's default gateway set to the FWSM. You must not create a layer 3 interface on the MSFC for your internet DMZ.

You also need to be aware that vlans do not give the same level of security as separate dedicated switches. It comes down to how much security you require, ie. what are you trying to protect and who would like to get to it.

Attached is a link to Cisco whitepaper on vlan security

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml

HTH

Jon