Cisco Support Community

VLAN security

In my data center, I have a need for multiple logical LANs: one to connect the routers on the private side of the firewall, one to connect the routers on the DMZ side of the firewall, one to connect the active and standby firewalls, etc. I have been using a Cat4000 segmented into VLANs instead of multiple physical switches. A potential concern is that DMZ and private-side VLANs (the public side is completely isolated) are coexisting on the same device and could somehow be bridged. Is this concern valid? Could the VLAN configuration be enhanced to alleviate the concerns, or are multiple devices the only way? I am about to migrate from the Cat4000 to a 6509 and want to set it up correctly the first time.




Re: VLAN security


Your concerns are valid. When having a DMZ and other VLANs all on the same device, your most likely security issue is going to be a misconfiguration.

A perfect example is setting your switchports to the appropriate DMZ VLAN and, for some reason, one of your ports in that VLAN is also set up to trunk. At this point a device plugged into that port would only have to tag its traffic with another VLAN ID and poof, it has bypassed your firewall.

So to avoid issues like this and other possible misconfigurations, I make it a rule of thumb to make sure that DMZs and internal VLANs never reside on the same switching infrastructure.

Hope this helps
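The misconfiguration described in the reply above (an access port that also trunks, or that is left able to negotiate a trunk via DTP) is easy to check for mechanically. The following script is an added example, not code from the original thread or from Cisco: it parses an IOS-style `show running-config` and flags ports where a connected host could tag frames into other VLANs. The config text is constructed for illustration, the interface names and VLAN numbers are assumptions, and the syntax assumed is Catalyst IOS (`switchport mode ...`, `switchport nonegotiate`), not CatOS.

```python
"""
Audit a Cisco IOS-style running-config for VLAN-hopping misconfigurations:
ports meant to be access ports that trunk, or that can negotiate a trunk.
Added example; the config below is constructed, not from a real device.
"""
import re
from typing import Dict, List

# Constructed sample config (assumed interface names and VLAN IDs).
SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/1
 description DMZ router - hardened access port
 switchport access vlan 20
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/2
 description DMZ host - access vlan set, but mode is trunk
 switchport access vlan 20
 switchport mode trunk
!
interface GigabitEthernet1/3
 description DMZ host - no mode set, DTP default can negotiate a trunk
 switchport access vlan 20
!
interface GigabitEthernet1/4
 description Uplink to core - legitimate trunk, pruned to DMZ VLANs only
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 20,21
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [indented config lines]} per 'interface' stanza."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any unindented line ends the stanza
    return interfaces


def audit_interface(lines: List[str]) -> List[str]:
    """Return findings for one interface; an empty list means it looks safe."""
    findings: List[str] = []
    mode = None
    for l in lines:
        m = re.match(r"switchport mode (.+)$", l)
        if m:
            mode = m.group(1).strip()
    has_access_vlan = any(l.startswith("switchport access vlan ") for l in lines)
    nonegotiate = "switchport nonegotiate" in lines
    is_trunk = mode == "trunk"

    # No explicit mode, or a dynamic mode, leaves DTP able to form a trunk
    # with whatever is plugged in; an attacker only needs to speak DTP.
    if mode is None or mode.startswith("dynamic"):
        findings.append("DTP active (mode missing or dynamic): a host can negotiate a trunk")
    # The exact case from the reply: access VLAN assigned, port trunks anyway.
    if has_access_vlan and is_trunk:
        findings.append("access VLAN set but mode is trunk: port carries every allowed VLAN")
    if is_trunk:
        if not any(l.startswith("switchport trunk allowed vlan ") for l in lines):
            findings.append("trunk allows all VLANs: prune with 'switchport trunk allowed vlan'")
        if not any(l.startswith("switchport trunk native vlan ") for l in lines):
            findings.append("native VLAN left at default 1: untagged frames land in VLAN 1")
        if not nonegotiate:
            findings.append("trunk still sends DTP: add 'switchport nonegotiate'")
    return findings


def audit_config(config: str) -> Dict[str, List[str]]:
    """Audit every interface stanza in the config."""
    return {name: audit_interface(lines) for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        status = "OK" if not findings else "REVIEW"
        print(f"{name}: {status}")
        for f in findings:
            print(f"    - {f}")
```

Run it against the output of `show running-config` saved to a file by swapping `SAMPLE_CONFIG` for the file contents. In the sample, Gi1/1 and Gi1/4 pass, Gi1/2 is the trunking DMZ port from the reply, and Gi1/3 shows the quieter version of the same problem: no `switchport mode access`, so the default DTP behaviour can still be talked into a trunk.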

