I'm after some feedback on the following configuration.
On an ASA 5520 we have 3 different zones each on separate interfaces and different VLANs. If these were all connected to the same 6504 switch along with the servers would this present a security vulnerability? Would it be better to have each zone connected to an individual switch for security purposes or would an access-list on the 6504 suffice?
Best practice dictates that you have each zone on a separate switch, mainly because if the switch was ever compromised (either deliberately or accidentally) then you could simply bypass the firewall altogether.
That said, if you use VLANs a lot then you'll be trunking to a switch...
Basically, it's a decision for the security manager (assuming you don't have this explicitly defined in your security policy) and comes down to cost vs. risk vs. practicality. Just make sure you follow all of Cisco's published security best practice on the switches!
To add to Andrew's post (he is correct btw), historically there have been a few "VLAN hopping" exploits that allow a user to jump from one VLAN to another. I know of no current methods as long as you follow best practices, particularly enabling port security and limiting the number of MAC addresses per port. Also, all of the exploits I have known of relied on access to a device on the switch, so an attacker could compromise a web server and then use it to hop to another VLAN.
For these reasons, I always recommend separate switches for each security zone, but I often advise that it is not cost-effective for my smaller clients. I trust that a properly secured switch is not currently a risk, and if you use some host protection such as CSA on at-risk servers, a successful attack would be very unlikely.
As a bare minimum, I like to have 1 external switch if necessary, an inside switch (may be your existing core or other internal switch), and one or more for DMZs. The DMZs usually have multiple VLANs with a trunk to the firewall to allow for more security zones than allowed by the physical ports.
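The switch-side hardening both replies point to (port security with a per-port MAC limit, a tagged trunk to the firewall carrying only the zone VLANs, no dynamic trunk negotiation) as an added Cisco IOS configuration sketch; it is not from either poster, and the interface numbers, zone VLAN IDs 10/20/30 and the unused native VLAN 999 are assumptions.

```cisco
! Access port for a DMZ server: fixed access mode, DTP disabled,
! port security limited to one learned (sticky) MAC address
interface GigabitEthernet1/1
 description DMZ web server (assumed port)
 switchport
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Trunk to the ASA carrying only the zone VLANs; the native VLAN is an
! unused one and is tagged on the wire, so untagged frames cannot land
! in a zone VLAN
interface GigabitEthernet1/48
 description Trunk to ASA 5520 (assumed port)
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
!
vlan dot1q tag native
!
! Unused ports: parked in the dead VLAN and shut down
interface range GigabitEthernet1/2 - 47
 switchport mode access
 switchport access vlan 999
 shutdown
```

With `violation shutdown` a second MAC address on the access port err-disables it, so a compromised server trying to spoof its way around the limit shows up as a port outage in syslog rather than as silent VLAN traversal.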