Switch on the DMZ

Hello all

This may seem like a silly question but I am not sure if I need a switch in the DMZ with a separate VLAN or not.

If I was to move my web and e-mail servers over to a DMZ, will I have to create a sub-interface on an inside router and then create a separate VLAN on the switch for the web and e-mail servers?

I have a customer that would like to create a DMZ and I want to be sure of the config before I go there.

2 REPLIES
Re: Switch on the DMZ

Possibly.

The pix can route between directly attached subnets, so you might not need to tweak the router (it will not need an interface on the dmz because the pix is likely routing to it), rather you might just need to create a vlan on the switch, assign a port to it that the pix DMZ interface plugs into, as well as any other ports for DMZ hosts.

Re: Switch on the DMZ

It is not best practice to use the same switch on both inside and DMZ networks. Even though there is VLAN segmentation, it is still best to use two separate physical devices to negate the risk of the switch being compromised. Your network should be:

External Router
      |
      |
      |
     PIX--------DMZ
      |
      |
      |
Inside Network

The PIX will know where to send the traffic without any changes to your routers. If your pix only has two interfaces it is not possible to implement a true DMZ.

Hope this helps,

Richard
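As an added example (not from either reply above), this is what the first reply's switch VLAN and the three-interface PIX layout from the second reply look like in configuration. The VLAN number, port numbers and addresses are constructed placeholders, the PIX commands use the 6.x syntax of that era, and the `!` lines are annotations only.

```cisco
! ---- Catalyst switch (IOS): one VLAN that carries only DMZ hosts ----
! The second reply prefers a dedicated physical switch for the DMZ;
! the VLAN configuration is the same either way.
vlan 50
 name DMZ
!
interface FastEthernet0/10
 description PIX ethernet2 (dmz interface)
 switchport mode access
 switchport access vlan 50
 switchport nonegotiate
!
interface range FastEthernet0/11 - 12
 description DMZ web and mail servers
 switchport mode access
 switchport access vlan 50
 switchport nonegotiate
 spanning-tree portfast
!
! ---- PIX (6.x syntax): the third interface becomes the DMZ ----
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 192.168.50.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Publish the web and mail servers; only the listed ports are reachable
! from outside, and DMZ-to-inside traffic stays blocked (lower security
! level to higher is denied unless an access-list permits it).
static (dmz,outside) 203.0.113.10 192.168.50.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.11 192.168.50.11 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.11 eq smtp
access-group outside_in in interface outside
!
! Inside hosts reach the DMZ by their real addresses (identity NAT). The PIX
! routes between its directly attached subnets, so the inside router needs
! no DMZ sub-interface, as the first reply says.
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
```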
