Cisco Support Community

New Member

Questions

Hi Guys

A couple of questions pls:

1) Why do we dedicate a switch for the outside?

2) Why do we dedicate a switch for the DMZ?

Pls, I am looking for an explanation.

5 REPLIES
Hall of Fame Super Blue

Re: Questions

alsayed@litani.gov.lb

Hi Guys

A couple of questions pls:

1) Why do we dedicate a switch for the outside?

2) Why do we dedicate a switch for the DMZ?

Pls, I am looking for an explanation.

Ali

You don't have to dedicate switches, i.e. you can run the outside/DMZ/inside on the same switch if you want, but physical separation is always better. If you run them on the same switch then you are relying on VLANs to keep everything separate, and one misconfiguration or bug could allow traffic to bypass your firewall.

Having said that, generally speaking I would be comfortable with having the DMZ and inside on the same switch as long as all security measures have been applied to the switch, e.g. don't use VLAN 1 etc., but I would still want a separate switch for the outside. But if I had the budget/switches I would always go with separate switches for an internet-facing setup.

For a data centre setup where you are firewalling your servers from your internal users you do not have to be so strict, and indeed if you are using the FWSM in a 6500 chassis you end up with your outside/DMZs/inside on the same 6500 chassis anyway.

Jon
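Jon's point that a shared switch relies entirely on VLAN configuration to keep zones apart can be turned into a check. The script below is an added example, not from the original thread or from Cisco: it parses an IOS-style switch configuration and flags the per-interface settings that weaken the inside/DMZ separation (ports left in VLAN 1, a trunk with the default native VLAN or no allowed-VLAN list, DTP not disabled). Both configurations are constructed for illustration; the interface names, VLAN numbers and the "parking" VLAN 999 are assumptions.

```python
"""Audit an IOS-style switch config for VLAN-separation weaknesses.
Added example; both config texts below are constructed, not from a real device."""
import re

# Constructed: one switch carrying INSIDE (vlan 10) and DMZ (vlan 20),
# with the weak settings left in place.
WEAK_CONFIG = """\
interface GigabitEthernet1/0/1
 description uplink to firewall
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description DMZ web server
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/0/3
 description unused
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/4
 description inside host
 switchport mode access
!
"""

# Constructed: the same switch with native VLAN moved off 1, the trunk pruned
# to the two zone VLANs, DTP disabled, and the unused port parked and shut.
HARDENED_CONFIG = """\
interface GigabitEthernet1/0/1
 description uplink to firewall
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 description DMZ web server
 switchport access vlan 20
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/3
 description unused
 switchport access vlan 999
 switchport mode access
 shutdown
!
interface GigabitEthernet1/0/4
 description inside host
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
!
"""


def parse_interfaces(config: str) -> dict:
    """Split an IOS config into {interface_name: [stripped config lines]}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line == "!":
            current = None
        elif current is not None and line:
            interfaces[current].append(line)
    return interfaces


def audit(config: str) -> dict:
    """Return {interface: [finding, ...]} for every live interface with a weak setting."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "shutdown" in lines:
            continue  # an administratively down port carries no traffic
        issues = []
        joined = "\n".join(lines)
        is_trunk = "switchport mode trunk" in lines
        is_access = "switchport mode access" in lines
        if is_trunk:
            # native VLAN must be set explicitly and must not be 1
            if not re.search(r"^switchport trunk native vlan (?!1$)\d+$", joined, re.M):
                issues.append("trunk native VLAN is 1 (default)")
            if not re.search(r"^switchport trunk allowed vlan ", joined, re.M):
                issues.append("trunk allows all VLANs")
        elif is_access:
            if not re.search(r"^switchport access vlan (?!1$)\d+$", joined, re.M):
                issues.append("access port left in VLAN 1 (default)")
        else:
            issues.append("no explicit switchport mode (DTP can negotiate a trunk)")
        if "switchport nonegotiate" not in lines:
            issues.append("DTP not disabled (missing 'switchport nonegotiate')")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or "no findings")
```

Run against the weak configuration the audit reports the firewall uplink trunk (native VLAN 1, all VLANs allowed), the inside host port sitting in VLAN 1, and the unused port that could negotiate a trunk; the hardened configuration produces no findings. The checks are deliberately per-interface so the output maps directly onto the lines an operator would edit.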

Re: Questions

Hi Guys

A couple of questions pls:

1) Why do we dedicate a switch for the outside?

2) Why do we dedicate a switch for the DMZ?

Pls, I am looking for an explanation.

As suggested by Jon, we never dedicate switches for Outside or DMZ; we can achieve the same task with a single switch also. But with network design and future capacity planning for bandwidth and application usage, with redundancy in mind, designers used to have separate switches for each segment like Outside or DMZ.

Switches are dedicated with reference to server capacity and the traffic flowing in and out from servers in the network. So basically, to have redundancy and to overcome a single point of failure, and to have high performance, we used to have separate switches with separate segments.

Hope to help !!

Ganesh.H

Hall of Fame Super Blue

Re: Questions

Ganesh

As Suggested by Jon we never dedicate switches for Outside or DMZ

This isn't actually what I said. I said that you can use the same switch for outside and DMZ and inside, but that it was less secure than using separate switches. For a DC environment it may be more acceptable, but for an internet-facing setup I would still recommend at least a separate switch for the outside and, if you have it, a separate switch (or switches) for the DMZ.

Jon

Re: Questions

Ganesh

As Suggested by Jon we never dedicate switches for Outside or DMZ

This isn't actually what I said. I said that you can use the same switch for outside and DMZ and inside, but that it was less secure than using separate switches. For a DC environment it may be more acceptable, but for an internet-facing setup I would still recommend at least a separate switch for the outside and, if you have it, a separate switch (or switches) for the DMZ.

Jon

Jon,

It was my typo error actually; we can use the same switch, which you have already stated in your thread ....

Ganesh.H

New Member

Re: Questions

Thanks a lot guys.

By the way Jon, congratulations on ur new gold star beside ur name.

Thanks
