Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
790
Views
0
Helpful
3
Replies

DMZ Best practice question

cowetacoit
Level 1
Level 1

‎02-11-2010 06:50 AM - edited ‎03-11-2019 10:07 AM

I have a general question about a DMZ. Currently i have an ASA5520 with one physical interface dedicated to a DMZ network. On that interface i have subinterfaces for multiple DMZ Vlans. Is it better to have seperate VLANs for each DMZ server with their own set of ACLs or just put all of the DMZ servers into one DMZ Vlan? The reason i ask is because i am using /30 scopes for each DMZ server and now i am about to implement HA on 2 5520s and they require standby IPs...i'll have to rework their scopes and IPs.

Labels:
0 Helpful
3 Replies 3

Collin Clark
VIP Alumni
VIP Alumni

‎02-11-2010 07:00 AM

I've never heard of each server having their own DMZ. That would get expensive awfully quick! I can see the reasoning, but I have never seen it implemented. For me it would come down to whether or not the servers can trust each other (in a security sense) if they we're all in the same VLAN. If so, put them all in one VLAN. If not, keep breaking them out. We typically create a new one for each line of business or purpose.

Hope that helps.

0 Helpful

cowetacoit
Level 1
Level 1
In response to Collin Clark

‎02-11-2010 07:06 AM

Since i'm using subinterfaces on the one ASA port and just trunking vlans into a seperate network there really isn't any cost impact. i guess it can go both ways. We have a mixture of VMs and Physical servers. I might just do two DMZs, one for physicals and one for VMs. IMO it wouold be more secure because each server would have their own unique ACLs. thanks for the advice!

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame

‎02-11-2010 01:33 PM 

cowetacoit wrote:
I have a general question about a DMZ. Currently i have an ASA5520 with one physical interface dedicated to a DMZ network. On that interface i have subinterfaces for multiple DMZ Vlans. Is it better to have seperate VLANs for each DMZ server with their own set of ACLs or just put all of the DMZ servers into one DMZ Vlan? The reason i ask is because i am using /30 scopes for each DMZ server and now i am about to implement HA on 2 5520s and they require standby IPs...i'll have to rework their scopes and IPs.

Agree with Collin, never seen it done and even without cost you can only split up an interface so much before you run out of bandwidth per vlan on that interface.

Have you considered looking into private vlans which would allow you to have just one or two dmz's but within eacl dmz you could control which server can communicate with which other servers ?

Jon

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card