DMZ design question

Unanswered Question
Dec 16th, 2008
Do others separate server hardware in the DMZ from the inside? We use a separate Internet router and separate DMZ servers. But do we allow DMZ servers to share internal HW?

Example A: Blade chassis with servers (web) running on VLANs in the DMZ and other servers (app & DB) running on VLANs in the internal network / data center, but all in one chassis?

Example B: Dedicated DMZ Server with SAN disk space on the inside SAN that supports the entire inside data center?

Has anyone come across papers / best practices or policy about this type of HW mixing?

ajagadee Tue, 12/16/2008 - 11:03
  • Cisco Employee

Of late, I have seen a lot of implementations using VLANs for separating the zones and using the same switch. As long as you have tight control of the device, a strict change control process, auditing, best practices, up-to-date software updates on Security Advisories, etc., you should be fine using VLANs. Also, one important factor that is going to drive your decision is the company's "Security Policy".

With that said, below are some white papers that you might find useful.

VLAN Security White Paper

Data Center Architecture Overview

Also, check out the Data Center section of "Cisco Validated Design" for some good information.



*Pls rate if it helps*
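The reply above makes VLAN-based zone separation conditional on tight control and auditing of the shared switch. As an added example (not part of this thread, and not Cisco's code), the script below audits a constructed IOS-style configuration for the settings a reviewer would check first when DMZ and internal VLANs share one switch: trunks that carry both zones, a native VLAN that overlaps VLAN 1 or a zone VLAN, and DTP left in a dynamic mode. The VLAN numbers and the config fragment are assumptions made up for the example.

```python
DMZ_VLANS, INTERNAL_VLANS = {10}, {20, 30}  # assumption (not from the thread): 10 = DMZ web tier, 20/30 = internal app/DB
# Constructed IOS-style config fragment for illustration; not taken from a real device.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 10,20-30
interface GigabitEthernet1/2
 switchport mode dynamic desirable
 switchport access vlan 10
interface GigabitEthernet1/3
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
"""
def parse_interfaces(config):
    # Group each indented line under the 'interface' stanza above it.
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
    return interfaces

def expand_vlans(spec):
    # '10,20-30' -> {10, 20, 21, ..., 30}
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(config):
    """Return (interface, issue) pairs to review before DMZ and internal zones share this switch."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        for line in lines:
            if line.startswith("switchport mode dynamic"):
                findings.append((name, "DTP negotiation left on; pin the mode and add 'switchport nonegotiate'"))
            elif line.startswith("switchport trunk allowed vlan "):
                carried = expand_vlans(line.rsplit(" ", 1)[1])
                if carried & DMZ_VLANS and carried & INTERNAL_VLANS:
                    findings.append((name, "trunk carries both DMZ and internal VLANs; this link is the zone boundary"))
            elif line.startswith("switchport trunk native vlan "):
                if int(line.rsplit(" ", 1)[1]) in DMZ_VLANS | INTERNAL_VLANS | {1}:
                    findings.append((name, "native VLAN is VLAN 1 or a zone VLAN; use a dedicated unused VLAN"))
    return findings
```

Running `audit(SAMPLE_CONFIG)` flags the chassis uplink twice (native VLAN 1 and a trunk spanning both zones) and the DMZ blade port once (dynamic DTP); the internal blade port with a pinned access mode and `nonegotiate` produces nothing.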


This Discussion