Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Trunk 3550 to 3750 stack

We have a 3750 stack at our DR site.

There are:

2 x 24TS

1 X 48P

These switches are full and unorganized with outside, inside and DMZ interfaces spread out across the three.

We have several 3550 switches that were replaced with the POE version and just sitting doing nothing.

I would like to add a 3550 to organize and free up some of the powered ports for DR Testing (for phones).

I have several questions:

1. Isn't it poor security practice to have all of these ports (inside, outside, DMZ) on the same physical switch?

2. What would be the best way to add this switch?

Just add a trunk port to the 3550 and trunk it up to the 3750 stack?

3. Should the different "Zones" of inside, DMZ and outside ports be physically isolated?

There are numerous VLANs in the inside and DMZ interfaces.

8 REPLIES

Re: Trunk 3550 to 3750 stack

It would certainly be better to have separate switches for outside and DMZ, so it would be nice to split them. Your options may be a little tied on the number of ports you need in each. Could you add some of these "spare" 3550s for outside and DMZ?

If you could have 3550-1 outside, 3550-2 DMZ and even just the interbal VLAns were filling the 3750s, then the best way would be to set a trunk link from 3550-3 etc to the 3750s.

New Member

Re: Trunk 3550 to 3750 stack

Thank you so much for the reply.

Sometimes I think people get tired of hearing from me.

But to answer your question, I do have the 3550s to do that with, but they are 48 port switches and the "outside" LAN is only 6 interfaces, and for some reason I just hate to "waste" them on that.

I do have a 12 port Catalyst 2900 sitting on the shelf also.

So my questions:

1. What are your thoughts on using the 2900?

2. Once I have the outside and DMZ trunked to the 3750s, how do I improve the security over what it already is (all switches stacked)?

I mean is inter VLAN routing the culprit for vulnerabilities having it set up the way it is now?

Re: Trunk 3550 to 3750 stack

2900s are end of life. Using one now it needs to be treated as a consumable - any prblem, bin it.

If using separate switches for outside, and DMZ don't trunk them back to your stack.

One of the big drivers for physically separate switches is customer demand, but there have been issues with packets leaking from one VLAN to another (primarily across trunk links), and separate switches makes it less of a risk of inadvertantly plugging the live raw internet into your internal network.

New Member

Re: Trunk 3550 to 3750 stack

If no trunk,

How would I connect the DMZ and outside switches to the stack?

Just an uplink to a port?

New Member

Re: Trunk 3550 to 3750 stack

That would be one way. Depending on the IOS you could also do routing and then uplink.

You set the port to access mode and uplink to the switch the switch has its vlan and or two or 3. My outside switch and DMZ switches are all out of band managed. I have two vlans on them, one active, and one I call a black hole. All active ports are set to the active vlan, here possible I use port-security on them, and set it to shut down. The others are set to the black hole vlan, and shut down. Somewhat redundant I know, but it makes for a second level of defense if you forget to shut a port.

Don't forget to disallow logins via telnet, SSH, or HTTP/S, or ad access-lists and only allow connections via specified systems or networks, that does open a hole or two thorough.

Are you using access-list to limit access between the internet, and the DMZ to your internal network?

I would recommend a ASA, PIX etc... to pull this off

You could also trunk an then limit the vlans allowed on the trunk.

Several ways to slice this bread.

Re: Trunk 3550 to 3750 stack

Via the firewall. The point of separate switches for outside & DMZ is to separate them, If you trunk, you may as well just use one big switch.

New Member

Re: Trunk 3550 to 3750 stack

Thanks for the replys.

What about management for the switch on the DMZ and outside network?

How is that done in this type of setup?

Currenty that stack is set up and the switch is managed from a seperate vlan interface via the trunk.

So if I have the outside switch with just the outside devices, what is the recommended way to manage, download configs, currently that switch is managable via Ciscoworks.

Re: Trunk 3550 to 3750 stack

There are two main thoughts on the management of switches, particularly the outside one.

The first option is don't. This is something that is internet accessible. Turn off everything - telnet, SSH, SNMP, http, small services the lot. Don't even give it an IP address. That way it is more difficult for someone to hack it. Please note that I am reluctant to stick my neck out and say it can't be done

The other option is via the firewall. Ideally you need two more subnets - one for outside, one for DMZ, on separate interfaces on the firewall. You nail everything down - access lists on telnet, access lists on SNMP, DO NOT use the same passwords you use on internal equipment. Nail everything down on the firewall as well.

Paul.

234
Views
25
Helpful
8
Replies
CreatePlease login to create content