<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic DMZ Best practice question in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/dmz-best-practice-question/m-p/1373563#M722685</link>
    <description>&lt;P&gt;I have a general question about a DMZ. Currently I have an ASA5520 with one physical interface dedicated to a DMZ network. On that interface I have subinterfaces for multiple DMZ VLANs. Is it better to have separate VLANs for each DMZ server with their own set of ACLs, or just put all of the DMZ servers into one DMZ VLAN? The reason I ask is because I am using /30 scopes for each DMZ server, and now I am about to implement HA on two 5520s and they require standby IPs... I'll have to rework their scopes and IPs.&lt;/P&gt;</description>
    <pubDate>Mon, 11 Mar 2019 17:07:49 GMT</pubDate>
    <dc:creator>cowetacoit</dc:creator>
    <dc:date>2019-03-11T17:07:49Z</dc:date>
    <item>
      <title>DMZ Best practice question</title>
      <link>https://community.cisco.com/t5/network-security/dmz-best-practice-question/m-p/1373563#M722685</link>
      <description>&lt;P&gt;I have a general question about a DMZ. Currently I have an ASA5520 with one physical interface dedicated to a DMZ network. On that interface I have subinterfaces for multiple DMZ VLANs. Is it better to have separate VLANs for each DMZ server with their own set of ACLs, or just put all of the DMZ servers into one DMZ VLAN? The reason I ask is because I am using /30 scopes for each DMZ server, and now I am about to implement HA on two 5520s and they require standby IPs... I'll have to rework their scopes and IPs.&lt;/P&gt;</description>
      <pubDate>Mon, 11 Mar 2019 17:07:49 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/dmz-best-practice-question/m-p/1373563#M722685</guid>
      <dc:creator>cowetacoit</dc:creator>
      <dc:date>2019-03-11T17:07:49Z</dc:date>
    </item>
    <item>
      <title>Re: DMZ Best practice question</title>
      <link>https://community.cisco.com/t5/network-security/dmz-best-practice-question/m-p/1373564#M722696</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I've never heard of each server having its own DMZ. That would get expensive awfully quick! I can see the reasoning, but I have never seen it implemented. For me it would come down to whether or not the servers can trust each other (in a security sense) if they were all in the same VLAN. If so, put them all in one VLAN. If not, keep breaking them out. We typically create a new one for each line of business or purpose.&lt;/P&gt;&lt;P&gt;Hope that helps.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 11 Feb 2010 15:00:54 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/dmz-best-practice-question/m-p/1373564#M722696</guid>
      <dc:creator>Collin Clark</dc:creator>
      <dc:date>2010-02-11T15:00:54Z</dc:date>
    </item>
    <item>
      <title>Re: DMZ Best practice question</title>
      <link>https://community.cisco.com/t5/network-security/dmz-best-practice-question/m-p/1373565#M722709</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Since I'm using subinterfaces on the one ASA port and just trunking VLANs into a separate network, there really isn't any cost impact. I guess it can go both ways. We have a mixture of VMs and physical servers. I might just do two DMZs, one for physicals and one for VMs. IMO it would be more secure because each server would have its own unique ACLs. Thanks for the advice!&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 11 Feb 2010 15:06:59 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/dmz-best-practice-question/m-p/1373565#M722709</guid>
      <dc:creator>cowetacoit</dc:creator>
      <dc:date>2010-02-11T15:06:59Z</dc:date>
    </item>
    <item>
      <title>Re: DMZ Best practice question</title>
      <link>https://community.cisco.com/t5/network-security/dmz-best-practice-question/m-p/1373566#M722742</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"&gt;&lt;P&gt;cowetacoit wrote:&lt;/P&gt;&lt;P&gt;I have a general question about a DMZ. Currently I have an ASA5520 with one physical interface dedicated to a DMZ network. On that interface I have subinterfaces for multiple DMZ VLANs. Is it better to have separate VLANs for each DMZ server with their own set of ACLs, or just put all of the DMZ servers into one DMZ VLAN? The reason I ask is because I am using /30 scopes for each DMZ server, and now I am about to implement HA on two 5520s and they require standby IPs... I'll have to rework their scopes and IPs.&lt;/P&gt;&lt;/PRE&gt;&lt;P&gt;Agree with Collin, never seen it done, and even without cost you can only split up an interface so much before you run out of bandwidth per VLAN on that interface.&lt;/P&gt;&lt;P&gt;Have you considered looking into private VLANs, which would allow you to have just one or two DMZs but within each DMZ you could control which server can communicate with which other servers?&lt;/P&gt;&lt;P&gt;Jon&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 11 Feb 2010 21:33:43 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/dmz-best-practice-question/m-p/1373566#M722742</guid>
      <dc:creator>Jon Marshall</dc:creator>
      <dc:date>2010-02-11T21:33:43Z</dc:date>
    </item>
  </channel>
</rss>