Solved: DMZ design help

joshxworley · ‎03-01-2010

Currently, we are trying to decide on the best architecture for our DMZ.

We have an ASA 5520. Our DMZ zone is interface 1/3 on this ASA, and we are using subinterfaces to trunk for VLANs. The two VLANs within the DMZ never need to communicate with each other.

At one time, we used a layer 3 switch (3560G) and pointed servers in the DMZ to the 3560G as the gateway. Currently, there is a simple switch connected to the ASA on port 1/3, and the servers point to the respective sub-interface IP addresses for the gateway.

What would you suggest for this design? Is there a better method?

Jon Marshall · ‎03-01-2010

joshxworley wrote:

Currently, we are trying to decide on the best architecture for our DMZ.

We have an ASA 5520. Our DMZ zone is interface 1/3 on this ASA, and we are using subinterfaces to trunk for VLANs. The two VLANs within the DMZ never need to communicate with each other.

At one time, we used a layer 3 switch (3560G) and pointed servers in the DMZ to the 3560G as the gateway. Currently, there is a simple switch connected to the ASA on port 1/3, and the servers point to the respective sub-interface IP addresses for the gateway.

What would you suggest for this design? Is there a better method?

Joshua

What yo have now is far better than what you had with the 3560G switch. You do not want to route within a DMZ so having subinterfaces on the ASA is a far more secure solution. I'm assuming you are using subinterfaces because you don't have enough physical intefaces ? It doesn't really matter too much but bear in mind that with subinterfacesyou are actually spliting the bandwidth of the physical interface between mutiple vlans.

However as long as you are not getting any congestion issues then you should be fine,

Jon

View solution in original post

Jon Marshall · ‎03-01-2010

joshxworley wrote:

Currently, we are trying to decide on the best architecture for our DMZ.

We have an ASA 5520. Our DMZ zone is interface 1/3 on this ASA, and we are using subinterfaces to trunk for VLANs. The two VLANs within the DMZ never need to communicate with each other.

At one time, we used a layer 3 switch (3560G) and pointed servers in the DMZ to the 3560G as the gateway. Currently, there is a simple switch connected to the ASA on port 1/3, and the servers point to the respective sub-interface IP addresses for the gateway.

What would you suggest for this design? Is there a better method?

Joshua

What yo have now is far better than what you had with the 3560G switch. You do not want to route within a DMZ so having subinterfaces on the ASA is a far more secure solution. I'm assuming you are using subinterfaces because you don't have enough physical intefaces ? It doesn't really matter too much but bear in mind that with subinterfacesyou are actually spliting the bandwidth of the physical interface between mutiple vlans.

However as long as you are not getting any congestion issues then you should be fine,

Jon

joshxworley · ‎03-01-2010

Jon,

Thank you for the quick response. I'm confident in keeping the current design now since the amount of servers in the DMZ will be limited, thus bandwidth should not be a problem. I appreciate your insight and help. Thanks again.