
Define security perimeter with VLAN technology versus separate switches

I have two PIX 515E in failover.

I want to install these PIX 515E with one DMZ. So I must define a DMZ, an inside and an outside network segment.

1/ To define these segments I use VLANs and a trunk port on a Catalyst 2950T.

2/ I use one switch for the DMZ, one switch for the outside segment and one switch for the inside segment.

I want to know which is the better solution?

3 REPLIES

Re: Define security perimeter with VLAN technology versus separa

Physical separation is the absolute best method. There are some problems with VLANs, tagging, and the ability to "jump" between VLANs, but with proper design, you can eliminate the vast majority of the issues. It's really up to you to decide if a properly set up VLAN architecture meets your needs, or if going with separate physical switches is necessary.


Re: Define security perimeter with VLAN technology versus separa

Thank you for your response.

I ask this question in order to convince one of my customers.


Re: Define security perimeter with VLAN technology versus separa

Hi,

No. 2 is the only solution!

If someone captures your devices in the DMZ (or outside network), he will be able to do layer 2 attacks against your switching environment. In the case of being successful there would be no firewall between DMZ devices and the inside LAN.

Is it what you wanted to do? Don't think so.

Best choice is:

To define private VLANs in the DMZ. So all devices can communicate with the PIX and they can't between themselves.

Hope that helps

Markus
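As an added illustration of the two points raised in this thread (hardening a DMZ switch against the layer 2 issues mentioned in the first reply, and isolating DMZ hosts from each other as Markus suggests), here is a sample configuration for the Catalyst 2950T named in the question. It is not configuration from the original posts. Note that the 2950 implements only the "private VLAN edge" subset of private VLANs, through `switchport protected` on access ports, rather than full primary/isolated/community private VLANs; that is the form shown. The hostname, interface numbers and VLAN ids are constructed for the example.

```cisco
! Added example (not from the thread): Catalyst 2950T used as the DMZ switch
! behind the PIX DMZ interface. Hostname, port numbers and VLAN ids are
! placeholders chosen for illustration.
hostname DMZ-SW1
!
! Give the DMZ its own VLAN and keep an unused VLAN for native/parked ports,
! so that VLAN 1 carries no production traffic.
vlan 10
 name DMZ
vlan 999
 name UNUSED-NATIVE
!
! Port facing the PIX DMZ interface: a fixed access port (no DTP, no trunk).
! This port is deliberately NOT protected, so every DMZ host can reach it.
interface FastEthernet0/1
 description PIX-DMZ-interface
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! DMZ hosts: "switchport protected" (the 2950's private VLAN edge feature)
! stops protected ports from exchanging frames with each other, so hosts
! can talk to the PIX but not to one another at layer 2. Protected-port
! isolation applies only within this switch; it does not carry across a trunk.
interface range FastEthernet0/2 - 12
 description DMZ-host
 switchport mode access
 switchport access vlan 10
 switchport protected
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Only if a trunk is unavoidable (the VLAN-based design, option 1):
! fixed trunk mode, DTP negotiation off, unused native VLAN so untagged
! frames cannot land in a production VLAN, and an explicit allowed list.
interface GigabitEthernet0/1
 description trunk-to-other-switch
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10
 switchport nonegotiate
!
! Unused ports: shut down and parked in the unused VLAN.
interface range FastEthernet0/13 - 24
 description unused
 switchport mode access
 switchport access vlan 999
 shutdown
```

With option 2 (separate physical switches) the trunk section is simply not needed, which is the point of the "physical separation" recommendation: there is no tagged link on which a VLAN hopping trick could land traffic in the inside segment. `show interfaces switchport` on the 2950 reports whether a port is protected and what its trunking mode is, which is a quick way to verify the result.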
