Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
228
Views
0
Helpful
2
Replies

Switch on the DMZ

apriore685
Level 1
Level 1

‎03-02-2004 08:36 AM - edited ‎03-09-2019 06:36 AM

Hello all

This may seem like a silly question but I am not sure if I need a switch in the DMZ with a seperate vlan or not.

If I was to move my web and e-mail servers over to a DMZ will I have to create a sub-interface on an inside router and than create a seperate vlan on the switch for the web and e-mail servers?

I have a customer that would like to create a DMZ and I want to be sure of the config before I go there.

Labels:
0 Helpful
2 Replies 2

mostiguy
Level 6
Level 6

‎03-02-2004 10:19 AM

possibly.

The pix can route between directly attached subnets, so you might not need to tweak the router (it will not need an interface on the dmz because the pix is likely routing to it), rather you might just need to create a vlan on the switch, assign a port to it that the pix DMZ interface plugs into, as well as any other ports for DMZ hosts.

0 Helpful

richardmcmahon
Level 1
Level 1
In response to mostiguy

‎03-02-2004 02:30 PM

It is not best practice to use the same switch on both inside and dmz networks. Even although there is VLAN segmentation it is still best to use two seperate physical devices to negate the risk of the switch being compromised. Your network should be

External Router

|

|

|

PIX--------DMZ

|

|

|

Inside Network.

The PIX will know where to send the traffic without any changes to your routers. If your pix only has two interfaces it is not possible to implement a true DMZ.

Hope this helps,

Richard

0 Helpful
Customers Also Viewed These Support Documents