I would like to set up a new infrastructure with LAN 1 / LAN 2 / DMZ / WAN.
My question concerns the DMZ part especially.
I think it is better to have one switch for LAN 1 and 2 using VLANs and another physical switch for the DMZ.
Does anyone have best practices regarding the use of another physical switch for the DMZ (rather than using VLANs)?
How can I justify the purchase of a second switch?
Thanks for your answer.
WAN means Internet in my case.
The DMZ is used for all servers that use the Internet: FTP / Web / Proxy...
LAN 1/2 are used for our internal subsidiary network: DB / DC / Mail...
Currently VLAN 1 is used for workstations, servers, printers and network devices... (This was done by the network admins at the beginning.)
I have to find some documents (best practices...) to justify the DMZ config (separate switch) when I am in front of management.
Have a look at that paper I sent. If everything is on VLAN 1 currently, that is good enough in my opinion to justify a separate DMZ switch.
In front of management, don't blind them with technical talk about VLANs etc.; just make it clear that with the same switch for both the inside and the DMZ, all it takes is a misconfiguration or a bug and suddenly the firewall has been bypassed and there is a path from the Internet straight into the network.
If that doesn't get their attention, then you're probably not going to win the fight.
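The "one misconfiguration bridges the zones" argument in the answer above can be made concrete with a config audit. The following is an added example, not part of the original thread and not anyone's production tooling: it parses a constructed IOS-style running-config and flags the port settings that let a shared LAN/DMZ switch carry both zones (a trunk allowing both zone VLANs, a trunk with no allowed list, a production VLAN used as trunk native VLAN, and an access port left in the default VLAN 1). The VLAN numbers (10/20 inside, 30 DMZ), interface names and config text are assumptions for the example.

```python
"""Audit an IOS-style switch config for settings that let a shared
LAN/DMZ switch bridge the two zones behind the firewall's back.

Added example, not from the original thread. The VLAN-to-zone mapping
and the sample config below are constructed assumptions."""
import re

# Assumed zone-to-VLAN mapping; adjust to the real design.
DMZ_VLANS = {30}
INSIDE_VLANS = {10, 20}

# Constructed sample running-config mixing DMZ and inside VLANs on one box.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description DMZ web server
 switchport mode access
 switchport access vlan 30
!
interface GigabitEthernet0/2
 description uplink to core, carries everything
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
interface GigabitEthernet0/3
 description printer, no VLAN set so it lands in VLAN 1
 switchport mode access
!
interface GigabitEthernet0/4
 description firewall inside leg
 switchport mode trunk
 switchport trunk native vlan 30
 switchport trunk allowed vlan 10,20
!
interface GigabitEthernet0/5
 description spare trunk, no allowed list means all VLANs
 switchport mode trunk
!
"""


def expand_vlan_list(spec):
    """Expand an allowed-vlan spec such as '10,20,30-32' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_config(text):
    """Return {interface: {mode, access_vlan, allowed, native}} for each
    'interface' stanza. Missing settings keep IOS defaults: native VLAN 1,
    allowed=None meaning every VLAN, access_vlan=None meaning VLAN 1."""
    interfaces = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = {"mode": None, "access_vlan": None, "allowed": None, "native": 1}
            interfaces[m.group(1)] = current
            continue
        if current is None:
            continue
        s = line.strip()
        if s.startswith("switchport mode "):
            current["mode"] = s.split()[-1]
        elif s.startswith("switchport access vlan "):
            current["access_vlan"] = int(s.split()[-1])
        elif s.startswith("switchport trunk allowed vlan "):
            current["allowed"] = expand_vlan_list(s.split("vlan", 1)[1])
        elif s.startswith("switchport trunk native vlan "):
            current["native"] = int(s.split()[-1])
        elif s == "!":
            current = None
    return interfaces


def audit(interfaces, dmz=DMZ_VLANS, inside=INSIDE_VLANS):
    """Return a sorted list of (interface, finding) for zone-bridging risks."""
    findings = []
    zones = dmz | inside
    for name, cfg in interfaces.items():
        if cfg["mode"] == "trunk":
            # A trunk with no allowed list carries every VLAN, both zones included.
            carried = cfg["allowed"] if cfg["allowed"] is not None else zones
            if carried & dmz and carried & inside:
                findings.append((name, "trunk carries both DMZ and inside VLANs"))
            if cfg["native"] in zones:
                # Untagged frames on this trunk land directly in a production VLAN.
                findings.append((name, "native VLAN %d is a production VLAN" % cfg["native"]))
        elif cfg["mode"] == "access" and cfg["access_vlan"] is None:
            findings.append((name, "access port defaults to VLAN 1"))
    return sorted(findings)


if __name__ == "__main__":
    for iface, finding in audit(parse_config(SAMPLE_CONFIG)):
        print("%-20s %s" % (iface, finding))
```

Every finding the audit raises is a one-line change away from being "fixed" the wrong way on a shared switch (add a VLAN to an allowed list, leave a port in VLAN 1). On a dedicated DMZ switch that has no inside VLANs defined at all, none of these port settings can create a path from the DMZ into the inside network, which is the point worth making to management.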