We currently have two data centres, in each of which a pair of Cat6k switches is located, connected in a resilient, meshed architecture. Each of the switches has dual supervisors and dual power supplies, and all are connected via diversely routed private fibres.
We are to introduce a high-availability Internet infrastructure design, where two new firewalls, one at each data centre, are to be added. We are planning to use VLANs between the Cat6k switches to provide the firewall DMZ connectivity between the data centres.
Initially three DMZs are required (a firewall control channel and two DMZs containing servers). Clearly, providing completely separate DMZs, with separate switches, fibres, etc., would be expensive and would introduce single points of failure. However, we are using a separate pair of switches for the external connectivity from the ISP.
What are the risks of using VLANs for DMZs in this type of architecture? The DMZ VLANs would obviously not be defined on the MSFCs within the Cat6k switches. Is this similar to introducing an FWSM card into the switch, where LAN segregation would be achieved using VLANs?
The only likely issue I can see is the potential for mis-patching or placing a server in the wrong VLAN, but change control procedures should mitigate against this type of error.
Off the top of my head, I am not seeing any issues here. You will have to plan the VLANs carefully for your DMZ and for the internal network. But I have one question. If a port on the DMZ is compromised, and hence the switch, will the internal network also be compromised? I am not sure if this is correct or valid, but just a thought. Can anyone see any other problem here? Is my question valid?
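As an added illustration (not configuration from either poster), the following Cat6k IOS fragment shows the checks a defender would apply to the design described above: the inter-data-centre trunk carrying only the DMZ VLANs with trunk negotiation disabled, a DMZ server port pinned to its VLAN, and no SVI for the DMZ VLANs on the MSFC. VLAN IDs 101-103 and 999, the interface names and the descriptions are assumed values.

```cisco
! Added example, not from the thread. VLAN IDs, interface names and descriptions are assumed.
! Keep the VLAN database local so a rogue VTP advertisement cannot prune or create DMZ VLANs.
vtp mode transparent
! Tag the native VLAN on every trunk so double-tagged frames cannot be dropped into another VLAN.
vlan dot1q tag native
!
vlan 101
 name FW-CONTROL
vlan 102
 name DMZ-SRV-A
vlan 103
 name DMZ-SRV-B
vlan 999
 name UNUSED-NATIVE
!
! Inter-data-centre trunk between the Cat6k pairs: explicit trunk, no DTP, an unused native VLAN,
! and only the DMZ VLANs allowed, so an internal VLAN can never ride this link by accident.
interface GigabitEthernet1/1
 description DC-INTERCONNECT-DMZ-TRUNK
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 101-103
 switchport mode trunk
 switchport nonegotiate
!
! DMZ server port: static access port, DTP disabled so the host cannot negotiate a trunk,
! BPDU guard so a device attempting to join spanning tree is errdisabled.
interface GigabitEthernet2/10
 description DMZ-SRV-A-HOST
 switchport
 switchport mode access
 switchport access vlan 102
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! No "interface Vlan101" / "Vlan102" / "Vlan103" is configured: the MSFC must not route
! between the DMZ VLANs and the internal VLANs; only the firewall sits in those VLANs.
```

After applying this, `show interfaces trunk` on the interconnect should list only 101-103 as allowed and active, and `show ip interface brief` on the MSFC should show no Vlan101-103 entries; a mis-patched server then lands on a port in the wrong VLAN, which is exactly the change-control error the original post anticipates, rather than on a path into the internal network.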
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we also have defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...