Cisco Support Community
New Member

DMZ Best practice question

I have a general question about a DMZ. Currently I have an ASA5520 with one physical interface dedicated to a DMZ network. On that interface I have subinterfaces for multiple DMZ VLANs. Is it better to have separate VLANs for each DMZ server with their own set of ACLs or just put all of the DMZ servers into one DMZ VLAN? The reason I ask is because I am using /30 scopes for each DMZ server and now I am about to implement HA on 2 5520s and they require standby IPs... I'll have to rework their scopes and IPs.

3 REPLIES

Re: DMZ Best practice question

I've never heard of each server having their own DMZ. That would get expensive awfully quick! I can see the reasoning, but I have never seen it implemented. For me it would come down to whether or not the servers can trust each other (in a security sense) if they were all in the same VLAN. If so, put them all in one VLAN. If not, keep breaking them out. We typically create a new one for each line of business or purpose.

Hope that helps.

New Member

Re: DMZ Best practice question

Since I'm using subinterfaces on the one ASA port and just trunking VLANs into a separate network there really isn't any cost impact. I guess it can go both ways. We have a mixture of VMs and physical servers. I might just do two DMZs, one for physicals and one for VMs. IMO it would be more secure because each server would have their own unique ACLs. Thanks for the advice!

Hall of Fame Super Blue

Re: DMZ Best practice question

cowetacoit wrote:

I have a general question about a DMZ. Currently I have an ASA5520 with one physical interface dedicated to a DMZ network. On that interface I have subinterfaces for multiple DMZ VLANs. Is it better to have separate VLANs for each DMZ server with their own set of ACLs or just put all of the DMZ servers into one DMZ VLAN? The reason I ask is because I am using /30 scopes for each DMZ server and now I am about to implement HA on 2 5520s and they require standby IPs... I'll have to rework their scopes and IPs.

Agree with Collin, never seen it done and even without cost you can only split up an interface so much before you run out of bandwidth per vlan on that interface.

Have you considered looking into private VLANs, which would allow you to have just one or two DMZs but within each DMZ you could control which server can communicate with which other servers?

Jon
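Added illustration (not from any poster in this thread) of the two points raised above: why the /30-per-server scopes cannot survive the move to failover, and what Jon's private VLAN suggestion looks like on the switch. Interface names, VLAN numbers and all addresses are made up for the example; the ASA is assumed to run a release that accepts the `standby` keyword on subinterfaces, and the switch is assumed to support private VLANs including promiscuous trunk ports.

```cisco
! --- ASA side: one DMZ subinterface after the move to active/standby failover ---
! A /30 has two usable addresses: one for the ASA and one for the server.
! With failover the ASA needs an active AND a standby address, so the /30
! leaves nothing for the server; a /29 (six usable) is the smallest that fits.
interface GigabitEthernet0/2.10
 vlan 10
 nameif dmz-web
 security-level 50
 ip address 192.0.2.1 255.255.255.248 standby 192.0.2.2
!
! Per-DMZ ACL bound inbound on that subinterface: the web server (192.0.2.3)
! may reach the inside database on TCP/1433 only; everything else sourced
! from this DMZ is denied and logged, so lateral movement attempts show up.
access-list dmz-web_in extended permit tcp host 192.0.2.3 host 10.0.0.10 eq 1433
access-list dmz-web_in extended deny ip any any log
access-group dmz-web_in in interface dmz-web
!
! --- Switch side: private VLAN so servers sharing VLAN 10 cannot talk to each other ---
! VLAN 10 is the primary VLAN (what the ASA subinterface tags); VLAN 11 is an
! isolated secondary: hosts in it reach only promiscuous ports, never each other,
! so one compromised DMZ server cannot reach its neighbours at layer 2.
vlan 10
 private-vlan primary
 private-vlan association 11
vlan 11
 private-vlan isolated
!
! Server ports: isolated hosts in primary 10 / secondary 11
interface GigabitEthernet1/0/5
 switchport mode private-vlan host
 switchport private-vlan host-association 10 11
interface GigabitEthernet1/0/6
 switchport mode private-vlan host
 switchport private-vlan host-association 10 11
!
! Trunk toward the ASA: promiscuous, so the firewall sees the isolated hosts
! as ordinary members of VLAN 10. Not every Catalyst platform supports
! promiscuous PVLAN trunks; on one that does not, use a promiscuous access
! port per DMZ instead of a single tagged trunk.
interface GigabitEthernet1/0/1
 switchport mode private-vlan trunk promiscuous
 switchport private-vlan mapping trunk 10 11
```

If some servers in the same DMZ legitimately need to talk to each other (for example a web tier and its own app tier), put those in a community secondary VLAN rather than the isolated one; the ASA ACL still governs everything that leaves the VLAN.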
