Cisco Support Community

New Member

DMZ design question

Do others separate server hardware in the DMZ from the inside? We use a separate Internet router and separate DMZ servers. But do we allow DMZ servers to share internal HW?

Example A: Blade chassis with servers (WEB) running on VLANs in the DMZ and other servers (App & DB) running on VLANs in the internal network / data center? But all in one chassis.

Example B: Dedicated DMZ Server with SAN disk space on the inside SAN that supports the entire inside data center?

Has anyone come across papers / best practices or policy about this type of HW mixing?

Cisco Employee

Re: DMZ design question


Of late, I have seen a lot of implementations using VLANs for separating the zones and using the same switch. As long as you have tight control of the device, a strict change control process, auditing, best practices, up-to-date software updates based on Security Advisories, etc., you should be fine using VLANs. Also, one important factor that is going to drive your decision is the company's "Security Policy".

With that said, below are some white papers that you might find useful.

VLAN Security White Paper

Data Center Architecture Overview

Also, check out the Data Center section of "Cisco Validated Design" for some good information.



*Pls rate if it helps*