When designing a DMZ we usually put a dedicated L2 switch for connectivity between firewall interfaces and public servers...
and we create VLANs in this switch according to the DMZ.
What risk can be found if I create these L2 VLANs in our collapsed distribution switch (I will not create SVIs for these VLANs)?
The risk is that a misconfiguration of the distribution switch can lead to the firewall being bypassed. There are also issues with things like VLAN hopping, etc. It all comes down to how secure it is to rely purely on VLANs to segregate traffic rather than physical switches.
Personally, in a data centre environment where you may be firewalling from your internal users, I have no problems with using a chassis-based switch to create the DMZs, and if you are using something like the FWSM you end up doing this anyway. With an internet-facing setup I don't have an issue with using one chassis for all DMZs, but I still would feel uncomfortable using the same chassis for internal VLANs as well. That is just my opinion though, as I have seen designs where this is done.
If you do decide to do this you should follow the best practices for securing your switches, i.e. don't use VLAN 1; if you do use a native VLAN then make it a non-routable VLAN with no ports allocated into it, etc. If you haven't seen this paper before have a read, as a lot of it applies to all Catalyst switches -
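The answer above lists the checks that matter when DMZ VLANs share a chassis with other traffic: no ports or SVIs on VLAN 1, a native VLAN that is non-routable and has no ports in it, no SVI on a DMZ VLAN (which would let the switch route around the firewall), and trunks with DTP turned off and an explicit allowed-VLAN list. The script below is an added example, not part of the original thread or any Cisco document; it audits a constructed IOS-style running-config (the interface names, VLAN numbers and addresses are made up) against exactly those points and reports each deviation.

```python
"""Audit an IOS-style running-config for the DMZ-on-shared-switch risks
discussed in the thread: VLAN 1 in use, DTP left on, trunks carrying all
VLANs, a native VLAN with ports or an SVI, and SVIs on DMZ VLANs."""
import re

# Constructed sample config for this example (hypothetical device).
SAMPLE_CONFIG = """
vlan 10
 name DMZ-WEB
vlan 20
 name DMZ-MAIL
vlan 999
 name NATIVE-UNUSED
interface GigabitEthernet1/1
 description firewall-dmz-trunk
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
interface GigabitEthernet1/2
 description web-server
 switchport mode access
 switchport access vlan 10
interface GigabitEthernet1/3
 description stray-port-left-in-vlan1
 switchport mode access
interface GigabitEthernet1/4
 description trunk-to-core
 switchport mode dynamic desirable
interface GigabitEthernet1/5
 switchport mode access
 switchport access vlan 999
interface Vlan20
 ip address 192.0.2.1 255.255.255.0
"""

DMZ_VLANS = {10, 20}   # VLANs that must be segregated only by the firewall


def parse_interfaces(config):
    """Return {interface name: [indented config lines]} in file order."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):            # top-level command
            current = None
            if raw.startswith("interface "):
                current = raw.split(None, 1)[1]
                blocks[current] = []
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks


def _num(lines, pattern, default):
    """First integer captured by pattern in lines, or the IOS default."""
    for line in lines:
        m = re.match(pattern, line)
        if m:
            return int(m.group(1))
    return default


def audit(config, dmz_vlans):
    findings, native_vlans, access_ports, svis = [], set(), {}, set()
    for name, lines in parse_interfaces(config).items():
        svi = re.match(r"^vlan(\d+)$", name, re.I)
        if svi:                                # Layer-3 interface on a VLAN
            vid = int(svi.group(1))
            if any(l.startswith("ip address") for l in lines):
                svis.add(vid)
                if vid in dmz_vlans:
                    findings.append(f"{name}: SVI with an IP address on DMZ VLAN "
                                    f"{vid}; the switch can route around the firewall")
            continue
        mode = "dynamic"                       # IOS default when no mode is set
        for l in lines:
            if l.startswith("switchport mode "):
                mode = l.split()[2]
        if mode == "trunk":
            native = _num(lines, r"switchport trunk native vlan (\d+)", 1)
            native_vlans.add(native)
            if native == 1:
                findings.append(f"{name}: trunk uses VLAN 1 as native VLAN")
            if "switchport nonegotiate" not in lines:
                findings.append(f"{name}: trunk without 'switchport nonegotiate' (DTP still on)")
            if not any(l.startswith("switchport trunk allowed vlan") for l in lines):
                findings.append(f"{name}: trunk allows all VLANs; restrict to the DMZ VLANs")
        else:
            if mode == "dynamic":
                findings.append(f"{name}: DTP negotiation enabled; set a static mode")
            vid = _num(lines, r"switchport access vlan (\d+)", 1)
            access_ports.setdefault(vid, []).append(name)
            if vid == 1:
                findings.append(f"{name}: access port left in VLAN 1")
    for vid in sorted(native_vlans):           # native VLAN must be empty and non-routable
        if vid in access_ports:
            findings.append(f"native VLAN {vid} has access ports: {', '.join(access_ports[vid])}")
        if vid in svis:
            findings.append(f"native VLAN {vid} is routable (SVI Vlan{vid} has an IP)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, DMZ_VLANS):
        print("FINDING:", finding)
```

Run against the sample, the audit leaves the correctly built firewall trunk (Gi1/1) alone and flags the stray VLAN 1 port, the port still negotiating DTP, the SVI on DMZ VLAN 20, and the access port placed in the native VLAN. Feed it the real running-config (`show running-config`) of the distribution switch before moving DMZ VLANs onto it, and keep the DMZ VLAN set in step with the firewall's interface list.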