Trunk 3550 to 3750 stack

wilson_1234_2
Level 3

We have a 3750 stack at our DR site.

There are:

2 x 24TS

1 X 48P

These switches are full and unorganized with outside, inside and DMZ interfaces spread out across the three.

We have several 3550 switches that were replaced with the POE version and just sitting doing nothing.

I would like to add a 3550 to organize and free up some of the powered ports for DR Testing (for phones).

I have several questions:

1. Isn't it poor security practice to have all of these ports (inside, outside, DMZ) on the same physical switch?

2. What would be the best way to add this switch?

Just add a trunk port to the 3550 and trunk it up to the 3750 stack?

3. Should the different "Zones" of inside, DMZ and outside ports be physically isolated?

There are numerous VLANs in the inside and DMZ interfaces.

8 Replies

paul.matthews
Level 5

It would certainly be better to have separate switches for outside and DMZ, so it would be nice to split them. Your options may be a little tied to the number of ports you need in each. Could you add some of these "spare" 3550s for outside and DMZ?

If you could have 3550-1 as outside, 3550-2 as DMZ, and even if just the internal VLANs were filling the 3750s, then the best way would be to set a trunk link from 3550-3 etc. to the 3750s.

Thank you so much for the reply.

Sometimes I think people get tired of hearing from me.

But to answer your question, I do have the 3550s to do that with, but they are 48 port switches and the "outside" LAN is only 6 interfaces, and for some reason I just hate to "waste" them on that.

I do have a 12 port Catalyst 2900 sitting on the shelf also.

So my questions:

1. What are your thoughts on using the 2900?

2. Once I have the outside and DMZ trunked to the 3750s, how do I improve the security over what it already is (all switches stacked)?

I mean, is inter-VLAN routing the culprit for vulnerabilities, having it set up the way it is now?

2900s are end of life. Using one now, it needs to be treated as a consumable - any problem, bin it.

If using separate switches for outside, and DMZ don't trunk them back to your stack.

One of the big drivers for physically separate switches is customer demand, but there have been issues with packets leaking from one VLAN to another (primarily across trunk links), and separate switches make it less of a risk of inadvertently plugging the live raw internet into your internal network.

If no trunk,

How would I connect the DMZ and outside switches to the stack?

Just an uplink to a port?

That would be one way. Depending on the IOS you could also do routing and then uplink.

You set the port to access mode and uplink to the switch; the switch has its VLAN, or two or three. My outside switch and DMZ switches are all out-of-band managed. I have two VLANs on them, one active, and one I call a black hole. All active ports are set to the active VLAN; where possible I use port-security on them, and set it to shut down. The others are set to the black hole VLAN, and shut down. Somewhat redundant I know, but it makes for a second level of defense if you forget to shut a port.

Don't forget to disallow logins via telnet, SSH, or HTTP/S, or add access-lists and only allow connections via specified systems or networks; that does open a hole or two though.

Are you using access-list to limit access between the internet, and the DMZ to your internal network?

I would recommend an ASA, PIX etc. to pull this off.

You could also trunk and then limit the VLANs allowed on the trunk.

Several ways to slice this bread.

Via the firewall. The point of separate switches for outside & DMZ is to separate them. If you trunk, you may as well just use one big switch.

Thanks for the replies.

What about management for the switch on the DMZ and outside network?

How is that done in this type of setup?

Currently that stack is set up and the switch is managed from a separate VLAN interface via the trunk.

So if I have the outside switch with just the outside devices, what is the recommended way to manage it and download configs? Currently that switch is manageable via CiscoWorks.

There are two main thoughts on the management of switches, particularly the outside one.

The first option is don't. This is something that is internet accessible. Turn off everything - telnet, SSH, SNMP, http, small services, the lot. Don't even give it an IP address. That way it is more difficult for someone to hack it. Please note that I am reluctant to stick my neck out and say it can't be done.

The other option is via the firewall. Ideally you need two more subnets - one for outside, one for DMZ, on separate interfaces on the firewall. You nail everything down - access lists on telnet, access lists on SNMP, DO NOT use the same passwords you use on internal equipment. Nail everything down on the firewall as well.

Paul.
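As an added illustration, not posted by anyone in this thread, here is a Cisco IOS configuration fragment that puts the two pieces of advice above into practice on an assumed stand-alone 3550 used as the outside switch: the active VLAN plus black-hole VLAN scheme with port-security set to shut down and unused ports parked and shut, an access-mode uplink instead of a trunk, and the "via the firewall" management option with HTTP and Telnet off and SSH limited by an access-list. VLAN numbers, interface ranges, the ACL name and the management subnet are placeholders, and the IOS is assumed to support sticky port-security.

```cisco
! Added example, not from the thread: hardening an assumed stand-alone "outside" 3550.
! VLAN IDs, interface numbers, ACL name and addresses are placeholders.
vlan 10
 name OUTSIDE-ACTIVE
vlan 999
 name BLACKHOLE
!
! Live outside ports: access mode, one learned MAC, port shuts down on violation.
interface range FastEthernet0/1 - 6
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
 no cdp enable
!
! Uplink toward the firewall outside interface: an access port, not a trunk,
! so no other VLAN can ride this link into the stack.
interface FastEthernet0/7
 description Uplink to firewall outside interface
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! Everything unused: parked in the black-hole VLAN AND administratively down,
! the second level of defense if a port is forgotten.
interface range FastEthernet0/8 - 48
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Management: no HTTP, no Telnet, SSH only, and only from the management hosts
! reached through the firewall. Leave SNMP off unless it is needed and ACL-bound.
no ip http server
no ip http secure-server
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
 deny   any log
line vty 0 15
 transport input ssh
 access-class MGMT-HOSTS in
 exec-timeout 5 0
```

Use a different set of credentials on this switch than on the internal equipment, as the reply above recommends; the configuration itself cannot enforce that.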
