In my data center, I have a need for multiple logical LANs - one to connect the routers on the private side of the firewall, one to connect the routers on the DMZ side of the firewall, one to connect the active and standby firewalls, etc. I have been using a Cat4000 segmented into VLANs instead of multiple physical switches. A potential concern is that DMZ and private-side VLANs (the public side is completely isolated) are coexisting on the same device, and could somehow be bridged. Is this concern valid? Could the VLAN configuration be enhanced to alleviate the concerns, or are multiple devices the only way? I am about to migrate from the Cat4000 to a 6509 and want to set it up correctly the first time.
Your concerns are valid. When having a DMZ and other VLANs all on the same device, your most likely security issue is going to be a misconfiguration.
A perfect example is setting your switchports to the appropriate DMZ VLAN and, for some reason, one of your ports in that VLAN is also set up to trunk. At this point a device plugged into that port would only have to tag its traffic with another VLAN's ID and poof, they have bypassed your firewall.
So to avoid issues like this and other possible misconfigurations, I make it a rule of thumb to make sure that DMZs and internal VLANs never reside on the same switching infrastructure.