Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VLANs for DMZ and Outside Networks

Networking Newbie question:

I have a PIX 525 firewall that contains (3) interfaces: Inside, DMZ and Outside. We have problems on occasion with our ISP on the outside interface. It sometimes requires me to insert a hub in between the Outside of the PIX and the ISP so as to use Sniffer. My question concerns the security aspects of creating a VLAN for the outside and DMZ networks. This would allow me to simply assign my PC to the outside VLAN and then I could SPAN the ports.

Physically this would mean plugging the ISP into my Cat4006 along with the DMZ. As long as I have those ports assigned to the VLANs I create, and NOT trunking to them, is there a security risk in doing this?

The neet thing is that if this works I could trunk these VLANs to anywhere on the network. (should I ever to need to). Thus providing the ability to have externally visable web servers physically located anywhere in the building, but on the DMZ or the outside networks. What do you think?



New Member

Re: VLANs for DMZ and Outside Networks


I was reading recently about hopping vlans to exploit a network. I would avoid the issue. Here is a link that explains some of it.


New Member

Re: VLANs for DMZ and Outside Networks

If at all possible, I would avoid using your internal switch for external connectivity as well.

First of all, you would be compromising the job that your firewall provides. Although each VLAN is (by design) secure, you are relying on a piece of technology to provide a service that it was not necessarily designed for.

Also - keep in mind that information such as spanning tree and VTP information could get forwarded to your ISP.

You must take the view that the point that you trust stops at the external port on your firewall. Don't assume that the ISP itself would not be used as a point to launch an attack.

My recommendation would be to utilise a small switch, or (if your budget won't stretch to that), a hub. They'll provide the same functionality without compromising the services your firewall is providing. (of course, you would need additional cabling to carry the "external VLAN" from these external switches to anywhere else in your campus).

I hope this helps...


New Member

Re: VLANs for DMZ and Outside Networks

We use a Cat6513 with VLANs setup for the DMZ, a segment that contains the internet router & PIX, and several inside VLANs. As long as you have a three port PIX [which you do], plug one into your inside VLAN and one into your DMZ VLAN, and one into your VLAN with your router and as long as you can keep a logical layout of what ports are assigned to what VLAN, you ownt have any problems. You still have the security of your PIX and you have the expandability to anywhere in your building.


CreatePlease to create content