This is a topic that has come up for discussion within our team a couple of times during the last few months. I wondered what other people's thoughts were on this subject - whether to use separate physical hardware or VLANs for the creation and provision of DMZ networks?
I am wondering if this is a matter of 'upbringing'. For example, I started my career in an environment where VLANs were used extensively for isolation of numerous networks of differing security levels, so I am quite comfortable with using VLANs for this type of L2 isolation. However, other colleagues are much more comfortable using separate physical hardware in such situations.
If you ask a security engineer they will say to use separate switches. Ask the person paying for them and they would say use VLANs. I look at two things: the experience of the people who support it (e.g. could they misconfigure it and have the DMZ VLAN all over the place and open to hosts it shouldn't be?) and whether a DMZ host is located somewhere a cable won't reach. I have run into places that have a host on the other side of campus, and having the DMZ on VLANs saved us some work and the customer money.
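The misconfiguration risk raised above (the DMZ VLAN ending up on ports it should never be on) can be checked mechanically from a switch config. This is an added example, not code from the thread: it parses a constructed IOS-style switchport config, assumes VLAN 100 is the DMZ, and lists every port that carries that VLAN but is not on an approved list, treating a trunk with no allowed-list as carrying all VLANs.

```python
# Constructed sample of IOS-style switchport config; VLAN 100 is the DMZ.
SAMPLE_CONFIG = """
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 100
!
interface GigabitEthernet1/0/2
 switchport mode trunk
 switchport trunk allowed vlan 10,20,100
!
interface GigabitEthernet1/0/3
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Map each interface name to its indented sub-commands."""
    blocks, name = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = line.split()[1]
            blocks[name] = []
        elif line.startswith(" ") and name:
            blocks[name].append(line.strip())
        else:
            name = None  # '!' or any top-level command ends the block
    return blocks

def expand_vlans(spec):
    """Expand '10,20,100-102' to {10, 20, 100, 101, 102}; 'all' is every VLAN."""
    if spec == "all":
        return set(range(1, 4095))
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def carries_vlan(lines, vlan):
    """True if the port carries VLAN. A trunk with no allowed-list carries
    every VLAN by default, which is how a DMZ VLAN spreads to ports it shouldn't."""
    mode = next((l.split()[-1] for l in lines if l.startswith("switchport mode ")), "access")
    if mode != "trunk":
        return vlan == next((int(l.split()[-1]) for l in lines if l.startswith("switchport access vlan ")), 1)
    return vlan in expand_vlans(next((l.split()[-1] for l in lines if l.startswith("switchport trunk allowed vlan ")), "all"))

def dmz_exposure(config, dmz_vlan, approved):
    """Interfaces carrying the DMZ VLAN that are not on the approved list."""
    return sorted(n for n, lines in parse_interfaces(config).items()
                  if carries_vlan(lines, dmz_vlan) and n not in approved)
```

Run `dmz_exposure(SAMPLE_CONFIG, 100, {"GigabitEthernet1/0/1", "GigabitEthernet1/0/2"})` to flag the unpruned trunk on Gi1/0/3; the same function works against a real `show running-config` dump as long as the allowed-list is written in the plain list form.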