Cisco Support Community
New Member

DMZ design help

Currently, we are trying to decide on the best architecture for our DMZ.

We have an ASA 5520. Our DMZ zone is interface 1/3 on this ASA, and we are using subinterfaces to trunk for VLANs. The two VLANs within the DMZ never need to communicate with each other.

At one time, we used a layer 3 switch (3560G) and pointed servers in the DMZ to the 3560G as the gateway. Currently, there is a simple switch connected to the ASA on port 1/3, and the servers point to the respective sub-interface IP addresses for the gateway.

What would you suggest for this design? Is there a better method?

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Blue

Re: DMZ design help

joshxworley wrote:

Currently, we are trying to decide on the best architecture for our DMZ.

We have an ASA 5520. Our DMZ zone is interface 1/3 on this ASA, and we are using subinterfaces to trunk for VLANs. The two VLANs within the DMZ never need to communicate with each other.

At one time, we used a layer 3 switch (3560G) and pointed servers in the DMZ to the 3560G as the gateway. Currently, there is a simple switch connected to the ASA on port 1/3, and the servers point to the respective sub-interface IP addresses for the gateway.

What would you suggest for this design? Is there a better method?

Joshua

What you have now is far better than what you had with the 3560G switch. You do not want to route within a DMZ so having subinterfaces on the ASA is a far more secure solution. I'm assuming you are using subinterfaces because you don't have enough physical interfaces? It doesn't really matter too much but bear in mind that with subinterfaces you are actually splitting the bandwidth of the physical interface between multiple vlans.

However as long as you are not getting any congestion issues then you should be fine.

Jon
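As an added illustration, not part of the thread and not Jon's, Joshua's or Cisco's configuration, this is roughly what the design Jon endorses looks like on an ASA: the two DMZ VLANs ride on subinterfaces of the single physical DMZ port, and the firewall is the only gateway, so every packet between VLANs has to cross a security policy. The interface name GigabitEthernet1/3, the VLAN IDs 10 and 20, the documentation-range addresses and the ACL names are assumptions chosen for the example. Both subinterfaces get the same security level, so the ASA drops inter-VLAN traffic by default unless `same-security-traffic permit inter-interface` is configured; the ACLs add an explicit deny so the isolation still holds if someone later changes a security level.

```cisco
! Physical DMZ port: no IP, no nameif; it only carries the 802.1Q trunk
interface GigabitEthernet1/3
 no nameif
 no security-level
 no ip address
 no shutdown
!
! DMZ VLAN 10 (assumed: public web tier)
interface GigabitEthernet1/3.10
 vlan 10
 nameif dmz-web
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
! DMZ VLAN 20 (assumed: second DMZ segment)
interface GigabitEthernet1/3.20
 vlan 20
 nameif dmz-app
 security-level 50
 ip address 198.51.100.1 255.255.255.0
!
! Equal security levels already block dmz-web <-> dmz-app; keep it that way by
! NOT configuring "same-security-traffic permit inter-interface".
!
! Belt-and-braces: explicitly deny cross-DMZ traffic, then permit only what the
! segment needs (example: outbound HTTPS and DNS). Everything else is dropped.
access-list DMZ-WEB-IN extended deny ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
access-list DMZ-WEB-IN extended permit tcp 192.0.2.0 255.255.255.0 any eq 443
access-list DMZ-WEB-IN extended permit udp 192.0.2.0 255.255.255.0 any eq 53
access-group DMZ-WEB-IN in interface dmz-web
!
access-list DMZ-APP-IN extended deny ip 198.51.100.0 255.255.255.0 192.0.2.0 255.255.255.0
access-list DMZ-APP-IN extended permit tcp 198.51.100.0 255.255.255.0 any eq 443
access-list DMZ-APP-IN extended permit udp 198.51.100.0 255.255.255.0 any eq 53
access-group DMZ-APP-IN in interface dmz-app
```

To confirm the isolation is in force, `show run | include same-security` should return nothing for inter-interface, and `show access-list DMZ-WEB-IN` shows hit counts climbing on the deny line if a host on VLAN 10 ever tries to reach VLAN 20. For Jon's bandwidth caveat, `show interface GigabitEthernet1/3` on the physical port is the place to watch: rising overruns or drops there mean the VLANs sharing the trunk are contending for the one link, and that is the point at which a second physical DMZ interface starts to pay for itself.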

2 REPLIES

New Member

Re: DMZ design help

Jon,

Thank you for the quick response. I'm confident in keeping the current design now since the amount of servers in the DMZ will be limited, thus bandwidth should not be a problem. I appreciate your insight and help. Thanks again.

341 Views, 0 Helpful, 2 Replies