I need to add a logical interface to a firewall DMZ port.
The switch that connects the firewall DMZ interfaces and DMZ servers has several layer 2 VLANs connecting the different DMZs and their interfaces.
It also connects the outside firewall interfaces and routers.
It has one layer 3 VLAN interface that connects this switch to the management VLAN subnet as well.
This switch also has VTP configured.
I have several questions:
1. If I create a trunk port for the physical and logical interfaces for my DMZ, would I want to have the physical interface VLAN be the default VLAN and tag the logical interface VLAN?
Does it matter which VLAN I make the default VLAN on the trunk?
2. Is it considered OK practice to have the management VLAN (inside network) connected to this switch along with the rest of the VLANs?
(This switch also has the outside interfaces of the firewalls and edge router interfaces, all layer 2 VLANs.)
3. With VTP configured, will my new VLAN (logical interface) propagate to all other switches in the network, and is there any potential danger in this?
1) You actually probably want to tag both vlans. The native vlan should be a vlan that has no active ports in it and should not have a routable interface either on the firewall or any other device.
2) Yes, you can have the management interface connect to the switch, but see below for more details on this.
3) If the switch is a VTP server it will propagate the vlan information to the rest of your switches, assuming that your switches are VTP clients.
A further point. Some people argue that with firewalls you should not use vlans on your switches but separate switches per DMZ etc. Obviously there are cost implications to take into account, and I see no problem with collapsing all your DMZs onto the same switch.
Where I would be a bit concerned is having the outside interface and router on the same switch. I generally think it's better practice to have a separate switch for the outside at least. And in an ideal world it's better to have a separate switch for your internal vlans as well.
It does depend on what is on the outside of your firewall. If it is just your WAN then it is not so bad, but if it is an internet connection you need to be really careful with your vlan config.
Thanks for the reply, jon.
A couple more questions:
1. Suppose I have configured the trunk on the switch to uplink the two VLANs for the firewall interface (physical and logical).
Is the native VLAN that is already configured on the switch the native VLAN for that trunk also?
2. The switch would not let me allow only the two VLANs on the trunk; I had to allow all of them to trunk. Why is that?
3. It seems that having the outside interface on the firewall and the router on the same switch is the only way to get them in the same LAN. How else would I do it?
4. Can you explain the dangers in your last point?
1) The native vlan needs to be set on the trunk link itself. What type of switch do you have, and is it running IOS or CatOS?
Assuming IOS (if not, let me know) you need to type on the trunk port
switchport trunk native vlan "vlan number"
2) You should be able to restrict the vlans on your trunk, e.g.
switchport trunk allowed vlan "vlan id"
What happens when you try this command?
3) Not clear what you mean here. Presumably by the same LAN you mean the same LAN on the outside?
You can have a separate switch which is only used to connect the outside interface of the PIX and the inside interface of the router.
4) i) Misconfiguration is a big one. If you have all your vlans on the same switch, a slight mistake in config could mean you bypass the firewall.
ii) Vlans are not actually a security feature. There are certain vlan attacks that can enable you to jump from one vlan to another without going via the L3 interface.
In general, having all the vlans, i.e. the one outside the firewall, the DMZs and the inside network, on the same switch is possible but in my opinion too risky.
Thanks again, jon.
On the native VLAN, couldn't I set the native VLAN (theoretically) to be any VLAN that shows up in the switch VLAN database?
By using one that does not have any active ports in it, you are thinking security, correct?
What is happening on the native VLAN that made you suggest not having either subinterface that will be passing server traffic on it?
When I try to set the allowed VLANs, I get an error something like:
"Cannot restrict, must use these VLANs" with a list of the ones needed. I set it to allow all and I could create the trunk.
My thinking on the VLANs was the same, that it was not safe to have them all on one switch.
At the moment the outside interfaces and the DMZ interfaces are on the same switch, along with the management subnet, which is an internal subnet.
The management one is the one that is trouble, I am thinking.
Yes, you can set the native vlan to be any vlan that is in the switch database. But it is recommended to have a native vlan in which no user traffic exists, preferably a dummy vlan. Yes, as mentioned by Jon, it is about layer 2 security.
As suggested, the native vlan shouldn't be one where there is any active user port; that is why neither of the sub-interfaces should use the native vlan where the server traffic exists.
Please find below a link to Cisco's vlan security white paper:
For a trunk there will be a "default" vlan which is the native vlan of the trunk. This vlan is the one in which packets are not tagged with a vlan ID.
As I say, we use a non-routable vlan which has no ports in it, i.e. at work we use vlan 999. If you leave the defaults, the native vlan on a trunk will be vlan 1. Ideally you don't want to use vlan 1 as the native vlan.
It's really down to best practice. Your trunk will work fine if you accept the default.
Does this make sense?
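Putting the trunk advice from this thread together as an added Cisco IOS example (not configuration posted by anyone in the thread). The numbers are assumptions: VLAN 10 is the DMZ physical-interface VLAN, VLAN 20 the VLAN for the firewall's logical sub-interface, 999 the unused dummy native VLAN, and GigabitEthernet0/1 the switch port facing the firewall.

```cisco
! Dummy native VLAN: no access ports and no SVI, so untagged
! frames arriving on the trunk have nowhere useful to go
vlan 999
 name NATIVE-UNUSED
!
! Trunk towards the firewall DMZ port (interface name assumed)
interface GigabitEthernet0/1
 description Trunk to firewall DMZ (VLAN 10 physical, VLAN 20 sub-interface)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 ! only the two DMZ VLANs are carried; the dummy native VLAN is not needed on the wire
 switchport trunk allowed vlan 10,20
 no shutdown
!
! Tag frames on the native VLAN as well, so nothing crosses this trunk untagged
vlan dot1q tag native
!
! Optional: stop this switch from pushing its VLAN database to the rest of the network
vtp mode transparent
```

After applying it, "show interfaces GigabitEthernet0/1 trunk" should list native vlan 999 and allowed vlans 10,20 only.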
Yes, jon, it makes sense as far as which one to use.
But why do I need a native VLAN?
Can you configure a trunk without a native VLAN?
On an 802.1q trunk there is always a native vlan, i.e. the vlan for which packets are not tagged with a vlan ID. It's there for backwards compatibility, to allow communication with old 802.3 ports which don't understand vlan tagging.
So when you configure an 802.1q trunk there will be a native vlan. If you don't configure it explicitly it will be vlan 1.
Sorry, jon, I appreciate your reply.
I just read that somewhere else and it hit me why you were going there.
Thanks for the help.