I have additional switches, that is not the issue, but I was thinking more on the line of "best practice", should DMZ devices be on a separate (physical) switch in addition to have logical separation from the core. Our core switches (6509's) are redundant from a routing, switching, power etc. point of view, and if we allocate a dedicate switch for a DMZ (say a CAT3750) we will loose out on all this redundancy.

As we have multiple sites, I would like to inquire if it is feasible to have DMZ redundancy between two different sites. So if one DMZ goes down that the other DMZ in a different site will kick in.. but that's a big one and I think I need to do some more research there.

Best Practices for a Network Engineer is to put the VLAN on the core, for a Security Engineer it's best to put them on separate switches. At most of my clients I see the DMZ on a VLAN. The second question really depends on a lot of things, if you can provide more detail, we might be able to help.

You can still have redundancy, depending upon your infrastructure. You have not told us what you have for a firewall, but if it's a PIX/ASA (or similar), this may not be as easy to do. If it's a FWSM in a 6500 or 7600, then it's very easy.

PIX/ASA would be best if you were using a failover configuration. Place a switch off each. Link the two switches and let Spanning-tree resolve loops.

With a FWSM, create a DMZ VLAN on the host and assign the switch uplink interfaces to the VLAN. It will also make it safer if you place the VLAN in a VRF as the only interface. This will eliminate any inside directly to the DMZ connections. This is the current scenarion I have implemented in our DC. It was also necessary not only for redundancy but due to the physical architecture we have in place. We have rows of servers. Once for Microsoft OS and another for Unix/AIX OS. I needed switches in each row.

I attached a diagram of what I am looking to do. Basically I plan to have an active\standby firewall (ASA5520) with an outside, inside and DMZ interface in two different sites with a a private WAN connecting the two. The sites are also connected to the Internet and I would like to the DMZ segments to be redundant to one another using some dynamic routing protocol. The diagram explains this better, I am uncertain if this is feasible though.

What do you think?

Are you running BGP for internet redundancy? What type of services are you hosting?

I am not running BGP for Internet redundancy, our Internet circuits are not redundant (yet), though we do want to have DMZ redundancy such that if a DMZ server goes down (but Internet is still up), then the backup DMZ will kick in. Instead of running EGP on the Internet side, I would like to run IGP on the inside across the private WAN.

The services we are running are FTP, SMTP and some WWW servers.

SMTP is easy to make redundant as we can control the MX records coming from the Internet. However if the FTP or IRONPORT server goes down we would like the backup DMZ to be notified via the private WAN and become active.

If there is a better way of doing it, please let me know, I am open for suggestions.

Any specific reason why two different physical locations for the DMZs (other than looking at redundancy)? What I mean is, is there a single point of failure somewhere between you and the internet through the carrier? Is there a reason you can't build a highly redundant solution at one site? How far apart are the 2 sites from each other?

One site is our data center and the other one is engineering and development. They are about 15KM apart from one another, however we have a private\dedicate WAN cloud between them.

I would like to make it as redundant as possible, ie. geographical redundancy as well as logical redundancy within the same site.

For now, I would like to ensure that if one server goes down in one site, internal routing will kick in and the server in the other location will become active.

Are you looking for just server redundancy, meaning if Site 1 FTP Server goes down, the firewalls (in Site 1 & Site 2) should now point to Site 2 FTP Server?

The real kicker is two sets of firewalls using the same public address space, but in different locations. They should have the same NAT translation, but can't so that's another problem. You might have to put load balancers in front. I've attached a diagram that should help. The one part I'm not sure about is the Content Switch fail-over, that would have to be explored. You can put the Content Switches and FWs in a 6500 chassis to save money.