

design/risk

when designing a DMZ we usually put a dedicated L2 switch for connectivity between firewall interfaces and public servers...

and we create vlans in this switch according to DMZ..

what risk can be found if I create these L2 vlans in our collapsed distribution switch (I will not create SVIs for these vlans)?

1 REPLY

Re: design/risk

ohassairi wrote:

when designing a DMZ we usually put a dedicated L2 switch for connectivity between firewall interfaces and public servers...

and we create vlans in this switch according to DMZ..

what risk can be found if I create these L2 vlans in our collapsed distribution switch (I will not create SVIs for these vlans)?

The risk is that a misconfiguration of the distribution switch can lead to the firewall being bypassed. There are also issues with things like VLAN hopping etc. It all comes down to how secure it is to rely purely on VLANs to segregate traffic rather than physical switches.

Personally, in a data centre environment where you may be firewalling from your internal users, I have no problems with using a chassis-based switch to create the DMZs, and if you are using something like the FWSM you end up doing this anyway. With an internet-facing setup I don't have an issue with using one chassis for all DMZs, but I still would feel uncomfortable using the same chassis for internal VLANs as well. That is just my opinion though, as I have seen designs where this is done.

If you do decide to do this you should follow the best practices for securing your switches, i.e. don't use VLAN 1; if you do use a native VLAN then make it a non-routable VLAN with no ports allocated into it, etc. If you haven't seen this paper before have a read, as a lot of it applies to all Catalyst switches -

http://www.cisco.com/en/US/customer/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml

Using separate switches will, in my opinion, always be more secure, but that doesn't mean it is the only way to do it.

Jon
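As an added illustration of the points in Jon's reply (this is not code from the thread, from Cisco, or from the white paper he links): a small Python audit that reads an IOS-style running-config from a collapsed distribution switch and flags the shared-switch mistakes discussed above. It checks for VLAN 1 in use, a trunk whose native VLAN is left at the default of 1 or whose native VLAN has ports or an SVI of its own, an SVI created on a DMZ VLAN (which gives the switch a routed path into the DMZ that does not traverse the firewall, the bypass the questioner's "no SVI" constraint is meant to avoid), and ports left to DTP trunk negotiation, which is the usual enabler of VLAN hopping. The config text, interface names, addresses and VLAN numbers are constructed for the example, and the set of DMZ VLANs is an assumption.

```python
"""Audit an IOS-style running-config for DMZ-on-a-shared-switch mistakes.

Added example, not from the thread. Everything below is constructed; the
DMZ VLAN set is an assumption about which VLANs the firewall's DMZ legs use.
"""
import re

DMZ_VLANS = {100, 101}  # assumption: VLANs trunked to the firewall's DMZ interfaces

# Constructed "before" config: DMZ VLANs 100/101 live on the same chassis as
# internal VLAN 10, and several of the mistakes Jon warns about are present.
SAMPLE_CONFIG = """\
interface Vlan10
 ip address 10.10.0.1 255.255.255.0
!
interface Vlan100
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet1/1
 switchport mode trunk
 switchport trunk allowed vlan 100,101
!
interface GigabitEthernet1/2
 switchport access vlan 100
 switchport mode access
!
interface GigabitEthernet1/3
!
interface GigabitEthernet1/4
 switchport access vlan 10
 switchport mode dynamic desirable
!
"""

# Constructed "after" config: no SVI on the DMZ VLAN, a dedicated unused native
# VLAN, explicit access mode everywhere, and the unused port shut down.
HARDENED_CONFIG = """\
vlan 999
 name NATIVE-UNUSED
!
interface Vlan10
 ip address 10.10.0.1 255.255.255.0
!
interface GigabitEthernet1/1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 100,101
 switchport nonegotiate
!
interface GigabitEthernet1/2
 switchport access vlan 100
 switchport mode access
!
interface GigabitEthernet1/3
 shutdown
!
interface GigabitEthernet1/4
 switchport access vlan 10
 switchport mode access
!
"""


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} for each 'interface' block."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the block
    return interfaces


def audit(config, dmz_vlans=DMZ_VLANS):
    """Return a list of human-readable findings; an empty list means clean."""
    findings, ifaces = [], parse_interfaces(config)
    svi_vlans = set()
    for name in ifaces:
        m = re.fullmatch(r"Vlan(\d+)", name)
        if m:
            svi_vlans.add(int(m.group(1)))
    native_vlans, ports_in_vlan = {}, {}
    for name, cmds in ifaces.items():
        if name.startswith(("Vlan", "Loopback")) or "shutdown" in cmds:
            continue  # SVIs are handled below; a shut port carries no traffic
        mode = next((c.split()[2] for c in cmds if c.startswith("switchport mode ")), None)
        # IOS defaults: native VLAN 1 on trunks, access VLAN 1 on non-trunk ports
        native = next((int(c.split()[-1]) for c in cmds if c.startswith("switchport trunk native vlan ")), 1)
        access = next((int(c.split()[-1]) for c in cmds if c.startswith("switchport access vlan ")), 1)
        if mode == "trunk":
            native_vlans[name] = native
            if native == 1:
                findings.append(f"{name}: trunk native VLAN is 1 (default); use a dedicated unused VLAN")
        else:
            ports_in_vlan.setdefault(access, []).append(name)
            if access == 1:
                findings.append(f"{name}: port sits in VLAN 1")
            if mode != "access":
                findings.append(f"{name}: DTP negotiation not disabled (no 'switchport mode access'); VLAN-hopping exposure")
    for vlan in sorted(svi_vlans & set(dmz_vlans)):
        findings.append(f"Vlan{vlan}: SVI on a DMZ VLAN gives this switch a routed path that bypasses the firewall")
    for name, native in native_vlans.items():
        if native != 1 and (native in svi_vlans or native in ports_in_vlan):
            findings.append(f"{name}: native VLAN {native} is routable or has ports allocated into it")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

Run against the "before" config it reports five findings (the default native VLAN on the trunk, the unconfigured port in VLAN 1 with DTP active, the dynamic-desirable internal port, and the SVI on VLAN 100); against the "after" config it reports none. The audit is deliberately narrow to the points in the reply; treat it as a starting checklist rather than a substitute for the Catalyst hardening paper linked above.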
