Why so many switches!

Unanswered Question
Nov 16th, 2008

In a typical architecture, where you would have front-end and back-end servers, i.e. divided into DMZ1, DMZ2, INSIDE etc., a single/dual Cat 6500 chassis is used with multiple VLANs defined. And this is considered a common design.

However, when it comes down to separate switches, it is widely seen that switches are placed in every segment, i.e. DMZ switch, INSIDE switch etc. Why is it so? Why can't a single switch be divided into multiple VLANs hosting all the segments like DMZ, INSIDE etc., similar to the Cat 6500?


mihanlin Sun, 11/16/2008 - 02:26


Typically separate switches are recommended for:

1. Security. If you compromise one DMZ switch, the attacker will not have direct access to other DMZs.

2. If all DMZs were on one switch and it was experiencing problems, then it may affect all other DMZs, i.e. if the control plane was affected by traffic patterns causing high CPU, then control traffic on other VLANs may be affected.

new_networker Sun, 11/16/2008 - 02:32


But then why is that not the case with the Cat 6500?

Rather, we see deployments where all the segments are defined on a single chassis with the required VLANs, such as front-end and back-end servers.

mihanlin Sun, 11/16/2008 - 02:39

Where have you seen these designs for the 6500 in DMZ scenarios specifically? In any books, or just in company networks?

new_networker Sun, 11/16/2008 - 02:45

Company networks.


Two layered firewalls. First layer 2x ASA (IPS & Anti-X) and second layer FWSM on Cat 6500.

The front-end servers are on the inside of the ASAs, which terminate on the Cat 6500 switch module. The back-end servers also terminate on the same Cat 6500 (different VLAN) but behind the FWSM (DMZ/INSIDE) and IDSM.

Is it secure?

glen.grant Sun, 11/16/2008 - 03:18

It also makes it a nightmare to try and troubleshoot any kind of problem when you have multiple layers going into and out of the same switch like that. You need ultra-detailed network maps telling you where everything is and is going, and in a lot of cases that is not done. It is a lot easier when you segment a layer like a DMZ inside its own switch.

Edison Ortiz Sun, 11/16/2008 - 07:26

Is it secure?

Secure, it is.

It does not provide a physical redundancy in your network. If that company adopted that design, budget had a lot to do with it.



new_networker Sun, 11/16/2008 - 08:17


The ASAs and 6500 chassis are in redundancy. There is no single point of failure.

Redundancy is not the issue but the quality/security of design.

Again, do you see any issue with the given topology in any terms, be it security, performance or high availability?

Edison Ortiz Sun, 11/16/2008 - 17:27

There is no single point of failure.

One 6500 chassis? That's a single point of failure, regardless of how many Supervisors this chassis has.

Again, do you see any issue with the given topology in any terms, be it security, performance or high availability?

It's all about meeting customer requirements, and those requirements are met, but you do have a single chassis in the 6500, so there is a single point of failure.



new_networker Sun, 11/16/2008 - 21:45

I think I didn't make it quite clear.

There are dual chassis and dual ASAs. All are deployed in Active/Passive mode. Any issues with the given design, i.e. all front-end and back-end servers terminating on the same Ethernet module in the Cat 6500s and segmented as stated above?

