Cisco Support Community
VLAN security

In my data center, I have a need for multiple logical LANs: one to connect the routers on the private side of the firewall, one to connect the routers on the DMZ side of the firewall, one to connect the active and standby firewalls, etc. I have been using a Cat4000 segmented into VLANs instead of multiple physical switches. A potential concern is that the DMZ and private side VLANs (the public side is completely isolated) are coexisting on the same device and could somehow be bridged. Is this concern valid? Could the VLAN configuration be enhanced to alleviate the concerns, or are multiple devices the only way? I am about to migrate from the Cat4000 to a 6509 and want to set it up correctly the first time.



Re: VLAN security

Hi Friend,

Of course you can do that. The main purpose of a VLAN is to have logical separation and behave like an independent switch.

The only way they can talk is via inter-VLAN routing, which can be done on the firewall in your case. You can have static routes placed on your firewall to talk to all the segments, which you will be doing via creating VLANs on a single switch.

When you shift from the Cat4k switch to the Cat6k switch, make sure you do not create Layer 3 interfaces for the VLANs, because if you do they will start talking to each other without hitting the firewall.
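The point of the reply above is that the VLANs stay isolated only as long as no SVI (`interface Vlan N` with an IP address) routes between them on the switch itself. The following audit script is an added example, not code from the thread or from Cisco: it parses an IOS-style running-config text, flags every VLAN interface that carries an active IP address and is not shut down, and reports whether `no ip routing` is present. The sample config, its hostname, VLAN numbers and addresses are constructed for illustration.

```python
"""Audit an IOS-style running-config for SVIs that could route between
security zones on the switch, bypassing the firewall.
Added example; the sample config below is constructed, not a real device."""
import re

# Constructed sample running-config (hypothetical VLANs and addresses).
SAMPLE_CONFIG = """\
hostname dc-core
ip routing
!
vlan 10
 name PRIVATE-ROUTERS
vlan 20
 name DMZ-ROUTERS
vlan 30
 name FW-FAILOVER
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 description private side
 ip address 10.1.10.2 255.255.255.0
!
interface Vlan20
 description dmz side
 no ip address
 shutdown
!
interface Vlan30
 ip address 10.1.30.1 255.255.255.0
 shutdown
!
"""


def parse_interfaces(config):
    """Return {interface_name: [indented body lines]} for each interface block."""
    blocks = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            # Any non-indented line ("!", "vlan 10", ...) ends the block.
            current = None
    return blocks


def routed_svis(config):
    """Names of VLAN interfaces with an active 'ip address' and no 'shutdown'."""
    found = []
    for name, body in parse_interfaces(config).items():
        if not name.lower().startswith("vlan"):
            continue
        has_ip = any(re.match(r"ip address \S+ \S+", l) for l in body)
        is_down = "shutdown" in body
        if has_ip and not is_down:
            found.append(name)
    return found


def routing_disabled(config):
    """True only if 'no ip routing' is configured explicitly.
    Many Catalyst platforms route by default and do not print 'ip routing',
    so absence of that line is not evidence that routing is off."""
    return any(l.strip() == "no ip routing" for l in config.splitlines())


def audit(config):
    """Return one finding string per routed SVI; an empty list is a clean result."""
    severity = "INFO" if routing_disabled(config) else "HIGH"
    return [
        f"{severity} {svi}: active SVI with an IP address; with IP routing "
        "enabled, traffic between zones can bypass the firewall"
        for svi in routed_svis(config)
    ]


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against `show running-config` output saved to a file; the only SVI that should survive the check on a switch used purely as a Layer 2 segment is a management interface on a VLAN that carries no zone traffic, and even that is worth listing explicitly as an accepted exception.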




Re: VLAN security

The VLANs can be bridged, but the concern is not really valid, since it cannot happen without configuration intervention. In your case, having more VLANs on one device would yield the same results as having more devices with one VLAN each.
