Cisco Support Community

Inside and DMZ segments on the same physical switch !!!

Hi NetPros ..

From a security point of view, what is your opinion in regards to the implementation of VLANs (DMZ and Inside) using the firewall for inter-VLAN routing and control by means of subinterfaces or logical interfaces (trunking one firewall interface to a Layer 2 core switch)?

I am trying to build a case for one customer and would appreciate your opinion, whether for or against it ..

Your comments are much appreciated!!!


Re: Inside and DMZ segments on the same physical switch !!!

Hi Fernando,

I have seen some implementations in which VLANs are used on one single core/distribution switch to separate the zones. The firewall will do the routing/filtering for those VLANs.

Deployments like this are generally done to reduce the number of L2 switches required to separate the zones.

Instead of having separate L2 switches to cater for the separate security zones, one high-end L2 switch will be deployed, in which VLAN segmentation will be done to separate the security zones.

In this scenario, we should ensure that the switch used for this purpose is pure L2.

If it is capable of doing routing, it is highly possible that someone will configure L3 interfaces on this device, which will bypass the firewall for inter-zone communication.

Also, in this case the core L2 switch becomes a single point of failure (no matter even if you bundle it with redundant power supplies, etc.).

As this one L2 switch is catering for the L2 functionality of all zones, a problem with this switch will bring down the whole network.

It would be ideal to have separate L2 switches for different zones.

As far as I know, these are some of the important pros and cons.


Re: Inside and DMZ segments on the same physical switch !!!

Thanks VJ,

Agree that it would be ideal to use separate switches if possible .. I am just thinking about a situation when you need to create several DMZs and don't have enough available physical interfaces on the firewall to create those separate physical zones.

I am just trying to build my case and am after as much information as possible in regards to the security risk involved in using an L2 switch (or stack of switches) compared to using separate physical segments ..

Appreciate your comments ...


Re: Inside and DMZ segments on the same physical switch !!!

Hi Fernando

In addition to what has already been pointed out:

You can obviously use a dual switch setup, which mitigates the single point of failure scenario.

It is more flexible in that you can provision a new DMZ through configuration only, rather than having to physically install a separate switch and connect it to a separate interface on the firewall.

Major con is that there is far more room for error - allocate a port into the wrong VLAN and you could potentially introduce an insecurity.

There is also the issue of VLAN hopping; at the very least VLAN 1 should never be used, even for the management of the switches themselves.

I think it comes down to the security requirements of the customer. With an all-in-one switch I would argue there is more room for a mistake, but at the same time it gives you more flexibility.

Worth mentioning as well: depending on the other requirements, sometimes a 6500 with load balancing/SSL modules + IDS + FWSM can be a viable design.
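As an added example (not part of the original thread, and not code posted by any of the participants), here is a small Python audit that reads a Cisco IOS-style switch running-config and flags the conditions the two replies above warn about: `ip routing` or SVIs on zone VLANs that would let traffic route around the firewall, VLAN 1 used for management or left as the default on access ports, ports allocated to a VLAN that is not a defined zone, and a firewall trunk with native VLAN 1, DTP still enabled or no VLAN pruning. Both configs inside it are constructed for the example, and the VLAN-to-zone mapping (Inside 10, DMZ 20, unused native 999) is an assumption.

```python
"""Audit a Cisco IOS-style switch config for the risks raised in this thread
when Inside and DMZ VLANs share one Layer 2 switch: L3 routing that bypasses
the firewall, VLAN 1 in use, wrong-VLAN ports, and trunks open to VLAN hopping.
Added example, not from the thread; both configs below are constructed."""
import re

# Assumed zone-to-VLAN mapping: Inside is VLAN 10, DMZ is VLAN 20.
ZONE_VLANS = {10: "inside", 20: "dmz"}

# Constructed "as found" config containing the mistakes the thread warns about.
WEAK_CONFIG = """\
ip routing
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
interface Vlan10
 ip address 10.10.0.2 255.255.255.0
interface GigabitEthernet1/0/1
 switchport mode trunk
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 30
interface GigabitEthernet1/0/4
 switchport mode access
"""

# Constructed hardened version of the same switch (pure L2, VLAN 1 unused,
# management on its own SVI, firewall trunk pinned to the zone VLANs).
HARDENED_CONFIG = """\
no ip routing
interface Vlan1
 shutdown
interface Vlan100
 ip address 192.168.100.2 255.255.255.0
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
"""


def parse_config(config):
    """Split a running-config into global lines and {interface: [lines]}."""
    globals_, ifaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line.startswith(" ") and current is not None:
            ifaces[current].append(line.strip())
        else:
            current = None
            if line and line != "!":
                globals_.append(line)
    return globals_, ifaces


def _value(lines, prefix):
    """Return the argument of the first line starting with prefix, or None."""
    for l in lines:
        if l.startswith(prefix + " "):
            return l[len(prefix) + 1:]
    return None


def audit(config, zone_vlans=ZONE_VLANS):
    """Return a list of (severity, where, finding) tuples for a switch config."""
    out = []
    globals_, ifaces = parse_config(config)
    routing = "ip routing" in globals_
    if routing:
        out.append(("high", "global", "ip routing enabled: not a pure L2 switch, zones can be routed around the firewall"))
    for name, lines in ifaces.items():
        if "shutdown" in lines:
            continue  # a shut port or SVI carries no traffic
        svi = re.fullmatch(r"Vlan(\d+)", name)
        if svi:
            vid = int(svi.group(1))
            if _value(lines, "ip address") is None:
                continue
            if vid == 1:
                out.append(("high", name, "management SVI on VLAN 1"))
            if routing and vid in zone_vlans:
                out.append(("high", name, f"L3 interface on the {zone_vlans[vid]} VLAN bypasses the firewall"))
        elif "switchport mode trunk" in lines:
            native = int(_value(lines, "switchport trunk native vlan") or 1)
            if native == 1 or native in zone_vlans:
                out.append(("medium", name, f"native VLAN {native} on trunk: double-tagging VLAN hop risk"))
            if "switchport nonegotiate" not in lines:
                out.append(("medium", name, "DTP left enabled on trunk"))
            if _value(lines, "switchport trunk allowed vlan") is None:
                out.append(("medium", name, "trunk carries every VLAN; prune to the zone VLANs"))
        elif "switchport mode access" in lines:
            vlan = int(_value(lines, "switchport access vlan") or 1)
            if vlan == 1:
                out.append(("high", name, "access port left in VLAN 1"))
            elif vlan not in zone_vlans:
                out.append(("high", name, f"access port in VLAN {vlan}, which is not a defined zone"))
    return out


if __name__ == "__main__":
    for sev, where, msg in audit(WEAK_CONFIG):
        print(f"{sev:6} {where:22} {msg}")
    print("hardened findings:", audit(HARDENED_CONFIG))
```

Running the file prints eight findings for the weak config and an empty list for the hardened one. The checks are one reading of the advice in this thread, not vendor guidance, and they cover only the switch side; the firewall subinterfaces (security levels, ACLs between the Inside and DMZ VLANs) would need their own review.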


Re: Inside and DMZ segments on the same physical switch !!!

Cheers .. appreciate your comments in regards to security risks ... that is what I am interested in finding out.
