Community Member

Can't get my head around this design

Please take a look at the attached image, or see here: http://imgur.com/oSE9v.png

Basically, I want the DMZ network to be available on a vlan in every rack (with 4948 rack switches) in my small datacenter. I also want the DMZ to be easily accessible from the inner networks, but an ACL should control what the DMZ servers can get to on the inside.

Will the attached design work, or is this foolish?

Who advertises the DMZ network, the PIX or the 6500?

How do I keep the 6500 from routing packets between the inner networks and the DMZ? The PIX should be the only thing that routes packets between those networks, right?

2 REPLIES
Community Member

Re: Can't get my head around this design

Also, thanks Cisco for displaying my email address for spammers even though my profile says to hide it.

Hall of Fame Super Blue

Re: Can't get my head around this design

The L3 interface for the outside and DMZ interfaces must only be on the pix and not on the 6500, otherwise you will route around the firewall. So when you say who advertises the DMZ, that would be the pix, although it does depend what you mean by advertise ie. you could have a static route on the 6500 for the DMZ servers pointing to the pix DMZ interface. As long as there are no L3 SVIs on the 6500 for the DMZ and outside interface you should be fine.

As for whether it is foolish, no not really. You do need to be careful because you have collapsed the outside/dmz/inside onto the 6500 chassis, so a misconfiguration could open up a security hole. Using separate switches is always that little bit more secure, but your design is perfectly valid.

Make sure when you configure your trunk links between the 6500 and the 4900 switches that you only allow the specific vlans you want ie. make sure you do not allow the outside vlan on the trunks. Often you find that a separate switch is used for the outside facing subnet ie. the subnet between the outside interface of the firewall and the upstream router. You don't have to but if you don't you need to be extra careful with your config.

Finally, because you are really using vlans to provide security as opposed to physically separate switches, you need to be aware of vlan security issues and mitigate against them ie. turn off vlan 1 and don't use it, change your native vlan or tag the native vlan etc. See this link to the doc about vlan security on Cisco 6500 switches; most of it is relevant to other switches as well -

6500 vlan security

Jon

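As an added example (not from the thread, not Cisco's code): a small Python audit of a constructed 6500 config for the three mistakes Jon lists, an SVI on the DMZ or outside VLAN, VLAN 1 or the outside VLAN allowed on a rack trunk, and the native VLAN left at 1. The VLAN numbers (10 DMZ, 20 outside, 30 inside) and interface names are assumptions; Gi1/1 shows the mistakes, Gi1/2 the pruned trunk.

```python
import re

# Constructed sample 6500 config (not from the thread).
SAMPLE_CONFIG = """\
interface Vlan10
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet1/1
 switchport mode trunk
 switchport trunk allowed vlan 1,10,20,30
!
interface GigabitEthernet1/2
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,30
"""

FIREWALL_ONLY = {10: "DMZ", 20: "outside"}  # assumed VLANs whose L3 hop must be the PIX
TRUNK_BLOCKED = {1, 20}                     # never carry these down to the rack switches

def expand_vlans(spec):
    """Expand an IOS vlan list such as '1,10-12,30' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(config):
    """Return (interface, problem) findings for SVIs and trunks that route around or leak past the PIX."""
    findings = []
    for block in re.split(r"^interface ", config, flags=re.M)[1:]:
        name, *body = block.splitlines()
        name, body = name.strip(), [line.strip() for line in body]
        svi = re.match(r"Vlan(\d+)$", name)
        if svi and int(svi.group(1)) in FIREWALL_ONLY:
            findings.append((name, f"SVI on {FIREWALL_ONLY[int(svi.group(1))]} VLAN routes around the PIX"))
        if "switchport mode trunk" not in body:
            continue
        allowed = set(range(1, 4095))  # IOS default: every VLAN is allowed on a trunk
        native = 1                     # IOS default native VLAN
        for line in body:
            if line.startswith("switchport trunk allowed vlan "):
                allowed = expand_vlans(line.split()[-1])
            elif line.startswith("switchport trunk native vlan "):
                native = int(line.split()[-1])
        for vlan in sorted(allowed & TRUNK_BLOCKED):
            findings.append((name, f"trunk carries VLAN {vlan}"))
        if native == 1:
            findings.append((name, "native VLAN left at 1"))
    return findings
```

Run `audit(SAMPLE_CONFIG)` and only Vlan10 and GigabitEthernet1/1 produce findings; the pruned trunk on Gi1/2 is clean.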