https://community.cisco.com/t5/network-security/design-risk/m-p/1461681#M656536 <HTML><HEAD></HEAD><BODY><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P>ohassairi wrote:</P><P></P><P>when designing DMZ we usually put a dedicated L2 switch for connectivity between firewall interfaces and public servers...</P><P>and we create vlans in this switch according to DMZ..</P><P>what risk can be found if i create these L2 vlans in our collapsed distribution switch (i will not create SVI for these vlans)?</P></PRE><P></P><P>The risk is that a misconfiguration of the distribution switch can lead to the firewall being bypassed. There are also issues with things like vlan-hopping etc.&nbsp; It all comes down to how secure is it to rely purely on vlans to segregate traffic rather than physical switches.</P><P></P><P>Personally in a Data centre environment where you may be firewalling from your internal users i have no problems with using a chassis based switch to create the DMZs and if you are using something like the FWSM you end up doing this anyway. With an internet facing setup i don't have an issue with using one chassis for all DMZs but i still would feel uncomfortable using the same chassis for internal vlans as well. That is just my opinion though as i have seen designs where this is done.</P><P></P><P>If you do decide to do this you shoud follow the best practices for securing your switches ie. don't use vlan 1, if you do use a native vlan then make it a non-routable vlan with no ports allocated into it etc..&nbsp; If you haven't seen this paper before have a read as a lot of it applies to all Catalyst switches -</P><P></P><P><A href="http://www.cisco.com/en/US/customer/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml">http://www.cisco.com/en/US/customer/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml</A></P><P></P><P>Using separate switches will, in my opinion, always be more secure but that doesn't mean it is the only way to do it.</P><P></P><P>Jon</P></BODY></HTML> Tue, 08 Jun 2010 11:42:13 GMT Jon Marshall 2010-06-08T11:42:13Z https://community.cisco.com/t5/network-security/design-risk/m-p/1461680#M656465 <P>when designing DMZ we usually put a dedicated L2 switch for connectivity between firewall interfaces and public servers...</P><P>and we create vlans in this switch according to DMZ..</P><P>what risk can be found if i create these L2 vlans in our collapsed distribution switch (i will not create SVI for these vlans)?</P> Mon, 11 Mar 2019 17:56:02 GMT https://community.cisco.com/t5/network-security/design-risk/m-p/1461680#M656465 ohassairi 2019-03-11T17:56:02Z https://community.cisco.com/t5/network-security/design-risk/m-p/1461681#M656536 <HTML><HEAD></HEAD><BODY><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P>ohassairi wrote:</P><P></P><P>when designing DMZ we usually put a dedicated L2 switch for connectivity between firewall interfaces and public servers...</P><P>and we create vlans in this switch according to DMZ..</P><P>what risk can be found if i create these L2 vlans in our collapsed distribution switch (i will not create SVI for these vlans)?</P></PRE><P></P><P>The risk is that a misconfiguration of the distribution switch can lead to the firewall being bypassed. There are also issues with things like vlan-hopping etc.&nbsp; It all comes down to how secure is it to rely purely on vlans to segregate traffic rather than physical switches.</P><P></P><P>Personally in a Data centre environment where you may be firewalling from your internal users i have no problems with using a chassis based switch to create the DMZs and if you are using something like the FWSM you end up doing this anyway. With an internet facing setup i don't have an issue with using one chassis for all DMZs but i still would feel uncomfortable using the same chassis for internal vlans as well. That is just my opinion though as i have seen designs where this is done.</P><P></P><P>If you do decide to do this you shoud follow the best practices for securing your switches ie. don't use vlan 1, if you do use a native vlan then make it a non-routable vlan with no ports allocated into it etc..&nbsp; If you haven't seen this paper before have a read as a lot of it applies to all Catalyst switches -</P><P></P><P><A href="http://www.cisco.com/en/US/customer/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml">http://www.cisco.com/en/US/customer/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml</A></P><P></P><P>Using separate switches will, in my opinion, always be more secure but that doesn't mean it is the only way to do it.</P><P></P><P>Jon</P></BODY></HTML> Tue, 08 Jun 2010 11:42:13 GMT https://community.cisco.com/t5/network-security/design-risk/m-p/1461681#M656536 Jon Marshall 2010-06-08T11:42:13Z