It would certainly be better to have separate switches for outside and DMZ, so it would be nice to split them. Your options may be a little tied to the number of ports you need in each. Could you add some of these "spare" 3550s for outside and DMZ?
If you could have 3550-1 outside, 3550-2 DMZ and even just the internal VLANs were filling the 3750s, then the best way would be to set a trunk link from 3550-3 etc. to the 3750s.
2900s are end of life. Using one now, it needs to be treated as a consumable - any problem, bin it.
If using separate switches for outside and DMZ, don't trunk them back to your stack.
One of the big drivers for physically separate switches is customer demand, but there have been issues with packets leaking from one VLAN to another (primarily across trunk links), and separate switches make it less of a risk of inadvertently plugging the live raw internet into your internal network.
That would be one way. Depending on the IOS you could also do routing and then uplink.
You set the port to access mode and uplink to the switch; the switch has its VLAN, or two or three. My outside switch and DMZ switches are all out-of-band managed. I have two VLANs on them: one active, and one I call a black hole. All active ports are set to the active VLAN; where possible I use port-security on them and set it to shut down. The others are set to the black hole VLAN and shut down. Somewhat redundant, I know, but it makes for a second level of defense if you forget to shut a port.
Don't forget to disallow logins via telnet, SSH, or HTTP/S, or add access-lists and only allow connections via specified systems or networks; that does open a hole or two though.
Are you using access-lists to limit access between the internet and the DMZ to your internal network?
I would recommend an ASA, PIX etc. to pull this off.
You could also trunk and then limit the VLANs allowed on the trunk.
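As an added example (not config from any poster in this thread), here is how the port layout described above looks on a Catalyst 3550 running IOS: an active VLAN, a black-hole VLAN for everything else, port-security set to shut the port down, and, for the internal switch that does need an uplink, a trunk with the allowed VLANs pruned. Interface ranges, VLAN numbers and the 192.0.2.0/24 admin network are assumed placeholders.

```ios
! Two VLANs only: one carries real traffic, the other is a parking VLAN that is
! never trunked or routed, so a forgotten-but-enabled port leads nowhere.
vlan 10
 name DMZ-ACTIVE
vlan 999
 name BLACKHOLE
!
! Active ports: fixed access mode with DTP disabled (a plugged-in host cannot
! negotiate the port into a trunk), one learned MAC, and the port errdisables
! on violation instead of silently dropping frames.
interface range FastEthernet0/1 - 12
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
 no cdp enable
!
! Unused ports: parked in the black-hole VLAN AND shut down. Either measure
! alone would do; the second one is the "second level of defense" for the day
! someone issues "no shutdown" without moving the port.
interface range FastEthernet0/13 - 24
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown
!
! Only on an internal 3550 feeding the 3750 stack (the outside and DMZ
! switches get no trunk at all): prune the trunk explicitly. The defaults
! allow every VLAN and leave VLAN 1 as the untagged native VLAN, which is the
! usual path for the VLAN leaking mentioned earlier. Native VLAN here is the
! black hole, so untagged frames on the trunk go nowhere.
vlan 20
 name INTERNAL-USERS
interface GigabitEthernet0/1
 description Uplink to 3750 stack, internal VLANs only
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 20
 switchport trunk native vlan 999
 switchport nonegotiate
!
! Management: SSH only, and only from the admin hosts in the access list;
! every other source is dropped and logged.
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 5 0
!
no ip http server
no ip http secure-server
```

A quick check after applying it: `show port-security interface FastEthernet0/1` should report the violation mode as Shutdown, and `show interfaces trunk` on the internal switch should list only VLAN 20 as allowed and active on the uplink.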
There are two main thoughts on the management of switches, particularly the outside one.
The first option is don't. This is something that is internet accessible. Turn off everything - telnet, SSH, SNMP, HTTP, small services, the lot. Don't even give it an IP address. That way it is more difficult for someone to hack it. Please note that I am reluctant to stick my neck out and say it can't be done.
The other option is via the firewall. Ideally you need two more subnets - one for outside, one for DMZ, on separate interfaces on the firewall. You nail everything down - access lists on telnet, access lists on SNMP, DO NOT use the same passwords you use on internal equipment. Nail everything down on the firewall as well.
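The two management approaches from the post above, written out as IOS config for the outside or DMZ switch (an added example, not from any poster). Apply one or the other, not both. The host name, the 198.51.100.0/24 DMZ subnet with the firewall at .1, the 192.0.2.x admin hosts behind the firewall, the user name and the SNMP community string are all placeholders.

```ios
! ---------- Option 1: not managed over the network at all ----------
! No IP address, no listening services; the console cable is the only way in.
no ip http server
no ip http secure-server
no snmp-server
no service tcp-small-servers
no service udp-small-servers
no service finger
no cdp run
no ip domain-lookup
!
interface Vlan1
 no ip address
 shutdown
!
line vty 0 15
 transport input none
!
! ---------- Option 2: managed through the firewall only ----------
! Assumes the firewall has a dedicated DMZ interface (198.51.100.1) on the
! switch's active VLAN and permits only the admin hosts to TCP/22 on the
! switch SVI. The local user, its secret and the SNMP community must not be
! reused from any internal device: if this box is compromised, nothing it
! holds should open an internal door.
hostname dmz-sw1
ip domain-name example.internal
crypto key generate rsa modulus 2048
ip ssh version 2
service password-encryption
username dmzadmin privilege 15 secret PLACEHOLDER-UNIQUE-TO-THIS-SWITCH
!
! Same admin hosts for SSH and SNMP; everything else is denied and logged.
access-list 10 remark admin hosts, reachable only through the firewall
access-list 10 permit 192.0.2.10
access-list 10 permit 192.0.2.11
access-list 10 deny   any log
!
interface Vlan10
 description management SVI on the DMZ subnet
 ip address 198.51.100.2 255.255.255.0
ip default-gateway 198.51.100.1
!
line vty 0 15
 access-class 10 in
 login local
 transport input ssh
 exec-timeout 5 0
line con 0
 login local
 exec-timeout 5 0
!
! HTTP(S) off regardless; SNMP read-only, bound to the same access list.
no ip http server
no ip http secure-server
snmp-server community PLACEHOLDER-RO-STRING RO 10
```

With option 2 the firewall rule set is the second half of the control: the switch ACL only limits which source addresses are accepted, so the firewall still needs an explicit rule permitting the admin hosts to the SVI and denying everything else from the DMZ and outside subnets toward it.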