need suggestion on routing/ACL and risk of Intervlan hopping on DMZ

May 15th, 2008

6500 with 21 vlans.

1 vlan is DMZ

Currently, 6500 forwards all traffic to Firewall which handles the Intervlan traffic.

This needs to be changed so the 6500 does the intervlan routing.

However, for this DMZ I need the traffic to be handled by the firewall. Also, internal VLANs may need to reach the DMZ and vice versa.

How would I set this up so that I limit the potential security risk of inter-VLAN hopping from the DMZ to other internal VLANs?

t814687 Thu, 05/15/2008 - 08:45

Your DMZ VLAN has to be an L2 VLAN on the 6500 that is routed through the firewall to communicate with the rest of the L3 VLANs for the LAN, which you are going to configure on the MSFC of the 6500. Create a transit VLAN between your FW and the 6500, and DMZ <-> LAN traffic will be controlled by your firewall. Make sure your DMZ VLAN is L2 only on your switch.

Hope this helps


pipsadmin Thu, 05/15/2008 - 08:52

So you're saying to NOT put a VLAN interface IP on the DMZ, then assign the gateway IP of the DMZ to the firewall from a switchport assigned to the DMZ VLAN?

t814687 Thu, 05/15/2008 - 09:05


The idea here is to route DMZ traffic from the LAN to the firewall, so what I'm suggesting is to create VLAN interfaces on the 6500 for the LAN VLANs and create a new transit VLAN (a VLAN interface with a new transit subnet). Your firewall will have 2 L2 connections to the switch (DMZ and Transit). Then on the 6500 you configure a static route pointing to the FW transit VLAN interface IP to route traffic for the DMZ.

On the firewall you would need a static route for the LAN subnets pointing to your switch transit VLAN interface IP.

I hope this clarifies the idea.


pipsadmin Thu, 05/15/2008 - 09:20

hmmmm... Can you explain it with a config example?

My VLANs right now are as follows (DMZ is VLAN 100):

Gateway of last resort is not set is subnetted, 1 subnets

C is directly connected, Vlan265 is subnetted, 1 subnets

S [1/0] via is subnetted, 1 subnets

C is directly connected, GigabitEthernet12/41 is variably subnetted, 7 subnets, 2 masks

C is directly connected, Vlan601

C is directly connected, Vlan600

C is directly connected, Vlan108

C is directly connected, Vlan1

C is directly connected, Vlan102

C is directly connected, Vlan104

C is directly connected, Vlan106

C is directly connected, Vlan100

t814687 Thu, 05/15/2008 - 09:50

I'm not sure where your Internet connection is, so here we are talking about firewalling the DMZ and LAN only. I assume your Internet connection is direct to the firewall and not through the switch. Here is what I'm suggesting:

1) Create interface VLAN 10 with IP address of

This is your transit VLAN.

2) Assign a switch port to VLAN 10.

Connect a spare port on your firewall to that switchport and assign it to a firewall interface.

3) Remove VLAN interface 100 from the switch.

4) Now your firewall has 2 connections to the switch - DMZ and Transit. Only Transit is routable.

5) On the switch, configure a static route:

ip route

6) On the firewall, add static routes to

10.98.x.x, 10.1.x.x subnets to route to

For the traffic to the Internet you might want to set up a default route to, but again I'm not sure about your Internet connectivity.

Now your DMZ is behind the firewall and traffic is controlled by the FW.
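The design described in the steps above, written out as an added IOS configuration example (not the poster's configuration). The port names, the 10.0.10.0/30 transit subnet and the 192.0.2.0/24 DMZ prefix are constructed placeholders; the 10.98.x.x and 10.1.x.x LAN subnets are the ones mentioned in the thread.

```cisco
! Added example, not from the original post. Addresses and port numbers are placeholders.
!
! 1) Transit VLAN: the only routed hop between the 6500 (MSFC) and the firewall
vlan 10
 name TRANSIT-TO-FW
!
interface Vlan10
 description Transit to firewall inside interface
 ip address 10.0.10.1 255.255.255.252
 no ip redirects
 no ip proxy-arp
!
! 2) Access port to the firewall's transit interface (firewall side is 10.0.10.2)
interface GigabitEthernet1/1
 description FW transit
 switchport
 switchport mode access
 switchport access vlan 10
!
! 3) DMZ VLAN stays L2-only: removing the SVI means the switch itself cannot
!    route between VLAN 100 and the LAN VLANs; only the firewall can
no interface Vlan100
vlan 100
 name DMZ
!
! Access port to the firewall's DMZ interface; DMZ hosts use the firewall as gateway
interface GigabitEthernet1/2
 description FW DMZ
 switchport
 switchport mode access
 switchport access vlan 100
!
! 4) LAN -> DMZ traffic leaves the switch via the firewall's transit address
ip route 192.0.2.0 255.255.255.0 10.0.10.2
!
! Keep VLAN 100 off trunks that do not need to carry it, so DMZ frames can only
! appear where the design expects them
interface GigabitEthernet1/3
 description Uplink to access switch (no DMZ)
 switchport trunk allowed vlan remove 100
!
! Firewall side (syntax depends on the firewall, shown here as a comment):
!   route the 10.98.x.x and 10.1.x.x LAN subnets to 10.0.10.1 on its transit interface
```

After applying this, `show ip interface brief` should list no Vlan100 SVI and `show ip route` should show the DMZ prefix as a static route via 10.0.10.2; if either check fails, the switch is still able to route around the firewall.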


pipsadmin Fri, 05/16/2008 - 03:28

Ok, now I understand...

Our Internet comes in on 2 links (multihomed BGP with HSRP), so the VLANs are 242 and 221.

These 2 VLANs do not have a VLAN interface.

242 is the BGP on the inside of both routers. 221 is the outside of 1 of the routers, because we have some systems on that VLAN for testing.

So I will set up a Visio drawing and show you, to see if this is ok.

