Multiple DMZs on one chassis via VLANs?

tgroth
Level 1

Have a PIX 520 running 6.0(1) with failover and 5 DMZs (in, out and three others), and all our DMZs are Cisco FastHub 412s. I have recently been put in charge of managing the PIX and am learning on the fly. I have removed many statics, conduits and other config lines that were not needed and would like to upgrade to 6.2(2). Before I upgrade there are still some config issues I need to work out. A question I have is about the fast hubs used for the DMZs. We are currently getting millions of collisions along with other interface errors, and I assume going from fast hubs to switches would drastically help the performance of the DMZs? It was suggested to me to use one switch for all DMZs and configure VLANs on the switch to keep the traffic separated. Is this a good and secure approach? What if a DMZ was compromised... could the switch VLANs be compromised also? I would think having separate switches for separate DMZs would be the most secure? What switches would you recommend, or would you recommend sticking with the fast hubs? Also it would be nice to pull utilization and other statistics off these DMZ switches... any way to do this securely? Just to give you some idea of the traffic going through our PIX at peak times, we have a total of 7 MB in and out traffic, mostly VPN. Any suggestions or thoughts would be appreciated.

2 Accepted Solutions

yizhar
Level 1

Hi.

> We currently are getting millions of collisions ..

These could be related to mismatched speed and duplex settings between the pix and the hub. Auto sensing does not always work as expected.

If applicable, try to manually set the pix interface to the correct speed and duplex mode.

Replacing the hubs with managed switches can also help in this aspect, in addition to the other advantages of a switch.

> I would think having separate switches for separate DMZ would be the most secure?

I would also use separate switches, for simplicity.

I think that VLANs will add another unneeded point of failure and complexity.

> Also it would be nice to pull utilization and other statistics off these DMZ.

You can enable SNMP at the PIX and use MRTG to get some traffic info on interfaces; however, this gives you only the total traffic per interface and no details about the traffic.

A syslog analyzer program that works with the PIX can give much more detail, at the cost of additional traffic (the syslog traffic itself), overhead at the PIX, and additional hardware and software costs.

Yizhar
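An added example (not from this thread or from Cisco) of the kind of detail a syslog analyzer gives that per-interface SNMP/MRTG counters cannot: a small Python aggregator over constructed PIX 6.2-style connection-built (302013/302015) and ACL-deny (106023) messages, counting connections per DMZ interface and service and denies per source address. The message layout, addresses and the interface names dmz1/dmz2 are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the PIX 6.2-style 302013/302015 (connection built)
# and 106023 (ACL deny) formats; not captured from the poster's firewall.
SAMPLE_LOG = """\
%PIX-6-302013: Built inbound TCP connection 1001 for outside:198.51.100.7/40215 (198.51.100.7/40215) to dmz1:10.10.1.5/80 (203.0.113.5/80)
%PIX-6-302013: Built inbound TCP connection 1002 for outside:198.51.100.8/40300 (198.51.100.8/40300) to dmz1:10.10.1.5/80 (203.0.113.5/80)
%PIX-6-302015: Built inbound UDP connection 1003 for outside:198.51.100.9/53000 (198.51.100.9/53000) to dmz2:10.10.2.10/53 (203.0.113.10/53)
%PIX-6-302013: Built outbound TCP connection 1004 for inside:192.168.1.20/3344 (203.0.113.1/1025) to outside:192.0.2.25/443 (192.0.2.25/443)
%PIX-4-106023: Deny tcp src outside:198.51.100.9/51234 dst dmz1:10.10.1.5/445 by access_group "outside_in"
"""

# "Built ... connection" messages: interface:real_ip/port (mapped_ip/port) on both sides.
BUILT_RE = re.compile(
    r"%PIX-6-3020(?:13|15): Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) connection \d+ "
    r"for (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) "
    r"to (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) \([\d.]+/\d+\)"
)
# ACL deny messages: who was blocked, toward which interface and port.
DENY_RE = re.compile(
    r"%PIX-4-106023: Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\d.]+)/\d+ "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

def summarize(log_text):
    """Return (built, denied): built counts keyed by (dst_if, proto, dport),
    denied counts keyed by (src_ip, dst_if, dport)."""
    built, denied = Counter(), Counter()
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            built[(m["dst_if"], m["proto"], int(m["dport"]))] += 1
            continue
        m = DENY_RE.search(line)
        if m:
            denied[(m["src"], m["dst_if"], int(m["dport"]))] += 1
    return built, denied

def per_interface(built):
    """Collapse the per-service counts to a per-DMZ-interface total."""
    totals = Counter()
    for (dst_if, _proto, _port), n in built.items():
        totals[dst_if] += n
    return totals

if __name__ == "__main__":
    built, denied = summarize(SAMPLE_LOG)
    for key, n in built.most_common():
        print("built  %-8s %s/%-5d %d" % key[:1] + (key[1], key[2], n) if False else "built  %s %s/%d  %d" % (key[0], key[1], key[2], n))
    for key, n in denied.most_common():
        print("denied %s -> %s/%d  %d" % (key[0], key[1], key[2], n))
```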

As a side note, this quarter's Packet Magazine has an interesting article called "Layer 2 The weakest Link". It talks briefly about VLAN security and common attacks that try to bypass layer three barriers between VLANs on a switch.

If you don't have Packet Magazine you can find it on the Cisco Press website.

http://cisco.com/en/US/about/ac123/ac114/ac173/ac222/about_cisco_packet_feature09186a0080142deb.html

3 Replies

Thank you for the advice... we already replaced one fast hub with a switch and have 2950s on order to replace the other fast hubs. The one DMZ that was swapped to a switch has seen a great performance increase and is now running clean with no collisions or late collisions. Also we forced every port on the PIX to the appropriate speed and duplex; not sure if this made any difference, but it is good practice. Thanks again.