Cisco Support Community
New Member

merits of physical segmentation with dmz interface

Hi, I'm looking for some ideas to help decide if I want to push to host a DMZ on a physical interface other than the inside interface of the ASA. The issue here is cost. Right now we have a VMware environment hosted in a blade center. What I wanted was to move a couple of blades to a segment on the ASA's DMZ interface. This would require 2 new blades and ESX licenses. The alternative is to build a trunk on the inside interface, create a subinterface, assign it a less trusted security level and have that subinterface be the logical DMZ interface. This would allow the VMware guys to create VM guests using their existing blades and VMware environment. I'm trying to come up with a list of pros and cons. Apart from physically separating the traffic and part of the bandwidth consumed, I can't think of any substantial downfalls to the approach of hosting the DMZ interface on the inside interface, since I can modify the subinterface's trust level. Does anyone have any input?

thank you


Cisco Employee

Re: merits of physical segmentation with dmz interface

I don't think there is a disadvantage to using a subinterface other than what you mentioned (physical segmentation).

In other words, if the physical ASA interface fails you will lose both logical interfaces.

Other than that I think it will be more or less the same as long as you configure it properly.
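For readers weighing the subinterface approach described in the question and the "configure it properly" point in the reply, here is an added ASA configuration example. It is not from the original thread or from Cisco; the interface name, VLAN IDs and addresses are assumed for illustration. It shows the inside trunk carrying two 802.1Q subinterfaces, the DMZ subinterface at a lower security level, and an access list that stops DMZ hosts from initiating connections into the inside network (the security-level gap alone only blocks the low-to-high direction by default; an explicit ACL documents the intent and survives later rule changes).

```cisco
! Physical inside link becomes a trunk: it should carry no IP itself.
! Untagged frames on this port are not forwarded once it is unnamed.
interface GigabitEthernet0/1
 description Trunk to blade-center switch (assumed port)
 no nameif
 no security-level
 no ip address
 no shutdown
!
! Inside network stays on its own tagged VLAN (VLAN 10 is assumed).
interface GigabitEthernet0/1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
! Logical DMZ on the same physical link, lower trust (VLAN 20 is assumed).
interface GigabitEthernet0/1.20
 vlan 20
 nameif dmz
 security-level 50
 ip address 192.168.20.1 255.255.255.0
!
! DMZ hosts may reach the Internet but must not initiate into inside.
! Deny-before-permit keeps the restriction even if a later permit is added.
access-list DMZ_IN extended deny ip any 10.10.10.0 255.255.255.0
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface dmz
```

Two things to check on the switch side of this design: the blade-center trunk port should be pruned to carry only VLANs 10 and 20, and its native VLAN should be an unused ID so no untagged traffic from the VMware side can land in either security zone. The trade-off the reply describes remains: both zones share one physical link's bandwidth and failure domain, and a VLAN misconfiguration on the hypervisor's virtual switch can bridge DMZ and inside without the ASA ever seeing the traffic, which is the main argument the original poster was weighing against the cost of separate blades.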

