Jon Marshall Tue, 05/18/2010 - 02:50

Hi Guys

A couple of questions, please:

1) Why do we dedicate a switch for the outside?

2) Why do we dedicate a switch for the DMZ?

Please, I am looking for an explanation.

Ali

You don't have to dedicate switches, i.e. you can run the outside/DMZ/inside on the same switch if you want, but physical separation is always better. If you run them on the same switch then you are relying on VLANs to keep everything separate, and one misconfiguration or bug could allow traffic to bypass your firewall.

Having said that, generally speaking I would be comfortable with having the DMZ and inside on the same switch as long as all security measures have been applied to the switch, e.g. don't use VLAN 1 etc., but I would still want a separate switch for the outside. But if I had the budget/switches I would always go with separate switches for an internet-facing setup.

For a data centre setup where you are firewalling your servers from your internal users you do not have to be so strict, and indeed if you are using the FWSM in a 6500 chassis you end up with your outside/DMZs/inside on the same 6500 chassis anyway.

Jon
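
Jon's point that a shared switch leaves the VLAN configuration as the only thing keeping outside traffic off the inside is easier to act on with a concrete check. The following is an added example, not from the original thread and not a Cisco tool: a small Python audit that parses two constructed IOS-style configs (the interface names, descriptions and VLAN numbers are assumptions for illustration) and flags the mistakes a shared firewall switch must avoid: ports left in VLAN 1, trunks with native VLAN 1, trunks carrying every VLAN, and DTP trunk negotiation left enabled.

```python
"""Audit an IOS-style switch config for VLAN-separation mistakes that matter
when outside, DMZ and inside share one switch behind a firewall."""

# Constructed sample configs, not taken from any real device. Interface
# names, descriptions and VLAN numbers are assumptions for illustration.
WEAK_CONFIG = """\
hostname fw-switch
!
interface GigabitEthernet0/1
 description ISP-facing (outside)
 switchport access vlan 1
!
interface GigabitEthernet0/2
 description Firewall trunk
 switchport mode trunk
!
interface GigabitEthernet0/3
 description DMZ web server
 switchport access vlan 20
 switchport mode dynamic desirable
!
"""

HARDENED_CONFIG = """\
hostname fw-switch
!
interface GigabitEthernet0/1
 description ISP-facing (outside)
 switchport access vlan 100
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet0/2
 description Firewall trunk
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 100,200,300
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/3
 description DMZ web server
 switchport access vlan 200
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet0/4
 shutdown
!
"""


def parse_interfaces(config):
    """Return {interface name: [stripped sub-commands]} for each interface block."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the block
    return interfaces


def audit_interface(name, lines):
    """Return a list of findings (strings) for one interface block."""
    if "shutdown" in lines:
        return []  # an unused port that is administratively down is fine
    findings = []
    mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
    access_vlan = next((l.split()[3] for l in lines if l.startswith("switchport access vlan ")), "1")
    native_vlan = next((l.split()[4] for l in lines if l.startswith("switchport trunk native vlan ")), "1")
    has_allowed_list = any(l.startswith("switchport trunk allowed vlan ") for l in lines)

    # Default and dynamic modes negotiate trunking with whatever is plugged in.
    if mode is None or mode == "dynamic":
        findings.append(f"{name}: trunking is negotiable (mode {mode or 'default'}); a peer can bring up a trunk")
    if "switchport nonegotiate" not in lines:
        findings.append(f"{name}: missing 'switchport nonegotiate', DTP frames still exchanged")
    if mode == "trunk":
        if native_vlan == "1":
            findings.append(f"{name}: trunk native VLAN is 1, untagged frames land in VLAN 1")
        if not has_allowed_list:
            findings.append(f"{name}: trunk carries every VLAN (no 'switchport trunk allowed vlan')")
    else:
        # Access, default and dynamic ports all forward in the access VLAN, which defaults to 1.
        if access_vlan == "1":
            findings.append(f"{name}: port sits in VLAN 1 (the default VLAN)")
    return findings


def audit_config(config):
    """Run audit_interface over every interface block and collect the findings."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        findings.extend(audit_interface(name, lines))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_config(cfg)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

The weak config produces eight findings (the outside port and the firewall trunk are both effectively in VLAN 1, the trunk carries every VLAN, and two ports will negotiate trunking); the hardened config produces none. Run it against a `show running-config` dump to see which of Jon's "one misconfiguration" cases a shared switch actually has.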

Ganesh Hariharan Tue, 05/18/2010 - 03:14

Hi Guys

A couple of questions, please:

1) Why do we dedicate a switch for the outside?

2) Why do we dedicate a switch for the DMZ?

Please, I am looking for an explanation.

As suggested by Jon, we never dedicate switches for outside or DMZ; we can achieve the same task with a single switch also. But with network design and future capacity planning (bandwidth, application usage and redundancy) in mind, designers used to have separate switches for each segment, like outside or DMZ.

Switches are dedicated with reference to server capacity and the traffic flowing in and out of the servers in the network. So basically, to have redundancy, to overcome a single point of failure and to have high performance, we used to have separate switches with separate segments.

Hope this helps!

Ganesh.H

Jon Marshall Tue, 05/18/2010 - 03:25

Ganesh

As Suggested by Jon we never dedicate switches for Outside or DMZ

This isn't actually what I said. I said that you can use the same switch for outside and DMZ and inside, but that it was less secure than using separate switches. For a DC environment maybe more acceptable, but for an internet-facing setup I would still recommend at least a separate switch for the outside and, if you have it, a separate switch (or switches) for the DMZ.

Jon

Ganesh Hariharan Tue, 05/18/2010 - 03:29

Ganesh

As Suggested by Jon we never dedicate switches for Outside or DMZ

This isn't actually what I said. I said that you can use the same switch for outside and DMZ and inside, but that it was less secure than using separate switches. For a DC environment maybe more acceptable, but for an internet-facing setup I would still recommend at least a separate switch for the outside and, if you have it, a separate switch (or switches) for the DMZ.

Jon

Jon,

It was my typo error actually; we can use the same switch, as you have already stated in your thread ....

Ganesh.H
