Buy or Renew
Buy or Renew
Cisco + Splunk: Itā€™s a new day for your data. Learn more.
Ā 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
454
Views
20
Helpful
5
Replies

Questions

alsayed
Level 1
Level 1

ā€Ž05-18-2010 02:44 AM - edited ā€Ž03-06-2019 11:08 AM

Hi Guys

couple of questions pls

1)Why we dedicate switch for the outside

2) why we dedicate switch for the DMZ

Pls am looking for  explanation

Labels:
0 Helpful
5 Replies 5

Jon Marshall
Hall of Fame
Hall of Fame

ā€Ž05-18-2010 02:50 AM 

alsayed@litani.gov.lb
Hi Guys
couple of questions pls
1)Why we dedicate switch for the outside
2) why we dedicate switch for the DMZ
Pls am looking for  explanation

Ali

You don't have to dedicate switches ie. you can run the outside/dmz/inside on the same switch if you want but physical separation is always better. If you run them on the same switch then you are relying on vlans to keep everything separate and one misconfiguration or bug could allow traffic to bypass your firewall.

Having said that generally speaking i would be comfortable with having the DMZ and inside on the same switch as long as all security measure have been applied to the switch eg. don't use vlan 1 etc.. but i would still want a separate switch for the outside. But if i had the budget/switches i would always go with separate switches for an internet facing setup.

For a data centre setup where you are firewalling your servers from your internal users then you do not have to be so strict and indeed if you are using the FWSM in a 6500 chassis you end up with your outside/dmzs/inside on the same 6500 chassis anyway.

Jon

Ganesh Hariharan
VIP Alumni
VIP Alumni

ā€Ž05-18-2010 03:14 AM 

Hi Guys
couple of questions pls
1)Why we dedicate switch for the outside
2) why we dedicate switch for the DMZ
Pls am looking for  explanation

As Suggested by Jon we never dedicate switches for Outside or DMZ,we can achive the same task with single switch also.But as network design and future capacity planning with bandwidth and application usage with redundacny in mind designers used to have separate switches for each segments like Outside or DMZ.

Switches are dedicated with reference with server capacity and traffic flowing in and out from servers in network.So basiscally to have redundancy and to overcome single point of failure to have high performance we used to have separet switches with separet segments.

Hope to help !!

Ganesh.H

Jon Marshall
Hall of Fame
Hall of Fame
In response to Ganesh Hariharan

ā€Ž05-18-2010 03:25 AM

Ganesh

As Suggested by Jon we never dedicate switches for Outside or DMZ

this isn't actually what i said. I said that you can use the same switch for outside and DMZ and inside but that it was less secure than using separate switches. For a DC environment maybe more acceptable but for an internet facing setup i would still recommend at least a separate switch for the outside and if you have it a separate switch(es) for DMZ.

Jon

Ganesh Hariharan
VIP Alumni
VIP Alumni
In response to Jon Marshall

ā€Ž05-18-2010 03:29 AM 

Ganesh
As Suggested by Jon we never dedicate switches for Outside or DMZ
this
isn't actually what i said. I said that you can use the same switch for
outside and DMZ and inside but that it was less secure than using
separate switches. For a DC environment maybe more acceptable but for
an internet facing setup i would still recommend at least a separate
switch for the outside and if you have it a separate switch(es) for DMZ.
Jon

Jon,

It was my typo error actually we can use the same switch which you have already stated in your thread ....

Ganesh.H

alsayed
Level 1
Level 1
In response to Ganesh Hariharan

ā€Ž05-18-2010 06:11 AM

thanks a lot guys

by the way jon, congratultion for ur new gold start beside ur name

Thanks

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card