02-11-2010 06:50 AM - edited 03-11-2019 10:07 AM
I have a general question about a DMZ. Currently I have an ASA5520 with one physical interface dedicated to a DMZ network. On that interface I have subinterfaces for multiple DMZ VLANs. Is it better to have separate VLANs for each DMZ server with their own set of ACLs, or just put all of the DMZ servers into one DMZ VLAN? The reason I ask is because I am using /30 scopes for each DMZ server, and now I am about to implement HA on two 5520s and they require standby IPs... I'll have to rework their scopes and IPs.
02-11-2010 07:00 AM
I've never heard of each server having its own DMZ. That would get expensive awfully quick! I can see the reasoning, but I have never seen it implemented. For me it would come down to whether or not the servers can trust each other (in a security sense) if they were all in the same VLAN. If so, put them all in one VLAN. If not, keep breaking them out. We typically create a new one for each line of business or purpose.
Hope that helps.
02-11-2010 07:06 AM
Since I'm using subinterfaces on the one ASA port and just trunking VLANs into a separate network, there really isn't any cost impact. I guess it can go both ways. We have a mixture of VMs and physical servers. I might just do two DMZs, one for physicals and one for VMs. IMO it would be more secure because each server would have its own unique ACLs. Thanks for the advice!
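For reference, here is what the "one VLAN per purpose, one ACL per VLAN, with failover standby addresses" layout discussed above looks like as an ASA configuration. This is an added example, not configuration from the original poster or from Cisco; the interface numbers, VLAN IDs, names, and 192.0.2.0/24 and 10.x addresses are assumptions chosen for illustration. It also shows why the /30 scopes in the question cannot survive the move to HA: a /30 has two usable addresses, and with failover each subinterface needs an active address and a standby address before a single server is counted, so /29 is the smallest subnet that works.

```cisco
! Physical port carries an 802.1Q trunk from the DMZ switch; the parent
! interface itself is not named or addressed.
interface GigabitEthernet0/2
 description DMZ trunk to DMZ switch
 no nameif
 no security-level
 no ip address
!
! One subinterface per DMZ purpose (not per server). Each needs an active
! and a standby address in addition to its hosts, so /29 is the minimum.
interface GigabitEthernet0/2.10
 description DMZ - public web tier (VLAN 10, assumed)
 vlan 10
 nameif dmz-web
 security-level 40
 ip address 192.0.2.1 255.255.255.248 standby 192.0.2.2
!
interface GigabitEthernet0/2.20
 description DMZ - app tier (VLAN 20, assumed)
 vlan 20
 nameif dmz-app
 security-level 50
 ip address 192.0.2.9 255.255.255.248 standby 192.0.2.10
!
! Failover LAN link between the two 5520s. No hosts live here, so a /30
! is fine for this link only.
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
!
! Per-VLAN ACLs. The DMZs have distinct security levels, and the ASA denies
! lower-to-higher traffic by default, so every allowed hop (web -> app,
! app -> inside database) is one explicit entry; the trailing deny only
! exists to log what the implicit deny would drop silently.
object-group network DMZ_WEB_SERVERS
 network-object host 192.0.2.3
 network-object host 192.0.2.4
object-group network DMZ_APP_SERVERS
 network-object host 192.0.2.11
!
access-list dmz-web_in extended permit tcp object-group DMZ_WEB_SERVERS object-group DMZ_APP_SERVERS eq 8443
access-list dmz-web_in extended deny ip any any log
access-group dmz-web_in in interface dmz-web
!
access-list dmz-app_in extended permit tcp object-group DMZ_APP_SERVERS host 10.10.10.20 eq 1433
access-list dmz-app_in extended deny ip any any log
access-group dmz-app_in in interface dmz-app
```

The inside interface and its address (10.10.10.20 as the database host) are assumed to already exist. Servers inside one of these VLANs can still talk to each other freely at layer 2; the ACLs only govern traffic that crosses the ASA, which is the trade-off behind Collin's "can the servers trust each other" question.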
02-11-2010 01:33 PM
cowetacoit wrote:
I have a general question about a DMZ. Currently I have an ASA5520 with one physical interface dedicated to a DMZ network. On that interface I have subinterfaces for multiple DMZ VLANs. Is it better to have separate VLANs for each DMZ server with their own set of ACLs, or just put all of the DMZ servers into one DMZ VLAN? The reason I ask is because I am using /30 scopes for each DMZ server, and now I am about to implement HA on two 5520s and they require standby IPs... I'll have to rework their scopes and IPs.
Agree with Collin, never seen it done, and even without cost you can only split up an interface so much before you run out of bandwidth per VLAN on that interface.
Have you considered looking into private VLANs, which would allow you to have just one or two DMZs, but within each DMZ you could control which server can communicate with which other servers?
Jon
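Jon's private VLAN suggestion, shown as a Catalyst IOS switch configuration. This is an added example and not from the original thread; the VLAN IDs and port numbers are assumptions. It assumes the ASA's interface for this DMZ lands on a dedicated switch port (the promiscuous port below) rather than on the trunk carrying the other DMZ VLANs, because the ASA itself has no private VLAN support and must see the primary VLAN untagged on a promiscuous port.

```cisco
! Private VLANs require the switch to be in VTP transparent mode.
vtp mode transparent
!
! Primary VLAN 10 is what the ASA sees; isolated VLAN 11 holds the servers.
! Hosts in an isolated VLAN can reach the promiscuous port (the firewall)
! but cannot reach each other at layer 2.
vlan 10
 private-vlan primary
 private-vlan association 11
!
vlan 11
 private-vlan isolated
!
! Server ports: host ports associated with the isolated secondary VLAN.
interface range GigabitEthernet1/0/1 - 8
 description DMZ servers (isolated from one another)
 switchport mode private-vlan host
 switchport private-vlan host-association 10 11
 spanning-tree portfast
!
! Port toward the ASA DMZ interface: promiscuous, mapped to the secondary
! VLAN so it can talk to every isolated host.
interface GigabitEthernet1/0/24
 description to ASA dmz interface
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 10 11
```

If a subset of the servers does need to talk to each other (a web farm sharing session state, for example), put those in a `private-vlan community` secondary VLAN instead of the isolated one: community members see each other and the promiscuous port, but nothing else. The whole DMZ stays one subnet on the ASA, so the standby-IP problem from the original question goes away, while the isolation that per-server VLANs were buying is still enforced, just by the switch instead of the firewall.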