DMZ connectivity

prashantrecon
Level 1

As per the diagram, the firewall is connected to an L3 switch (inside interface) and an L2 switch (DMZ interface).

On the DMZ we have VLAN 55. Due to the port limitation on the L2 switch, we have directly connected a LAN cable from the L3 switch to the DMZ switch, with VLAN 55 on both switches.

Now on the L3 switch I have connected a few VMware servers in VLAN 55.

So now all the VM servers are in the DMZ zone.

Recently an audit was conducted by experts, and it was suggested that this type of connectivity is not recommended.

So from my point of view I want to know what the drawbacks of this connectivity are, i.e. connecting a LAN cable directly from the L3 switch to the DMZ switch.

7 Replies

Jouni Forss
VIP Alumni

Hi,

I guess it really adds some complexity to the network and in the long run makes things "harder" to manage.

I'm not sure if they gave you any specifics then if they specifically mentioned this.

Personally I would try to keep the connections between firewall and its connected devices as simple as possible.

Could consider

  • Using single physical interface as Trunk to Core and bring all Vlans through that
    • Connect access switches directly to Core
  • Configure Etherchannel between Firewall and Core if traffic through the different Vlans is high
    • Connect access switches directly to Core
  • Connect another switch to the DMZ switch and remove the connection between the Core/LAN and DMZ

Naturally you would have to make changes that would cause some kind of outage in the server connections.

- Jouni

Hi,

Thanks for the answer.

I have suggested a different switch, but management is asking for the drawbacks. Could you please suggest some?

One of them we faced is DoS attacks.

There was a DoS attack on a VMware server, and the result was that the entire network was down.

Please suggest some drawbacks.

Hi,

If your servers have been targeted by a DoS attack and the cause of the network outage has simply been the amount of traffic eating your bandwidth, I don't think changing the mentioned network setup will change it for the better, or that the current setup is to blame for it.

Or was there some other problem than the attack eating up your bandwidth? Was the server just unusable, and was it also critical for your LAN users' connections?

My suggestions in the earlier post were purely from my own perspective of keeping the network simple.

I would imagine that if someone audits your network and tells you that your setup is somehow wrong, they would be the ones to tell you what specifically is wrong and what the drawbacks of the setup are.

- Jouni

Hi Prashant,

What the audit experts said was correct. In general, you place the servers in a DMZ to provide secure access from the Internet and at the same time to secure the internal network/servers from access from the Internet. In your scenario you have a direct connection from the DMZ to the inside switch (bypassing your firewall, which defeats the firewall's purpose). So there is a chance that if one of your DMZ servers is compromised, it can easily impact internal servers/infrastructure. I suggest you replace the DMZ switch with one of the required port density. Also make sure that all your servers are patched up to date, as it's not always a 'network' related issue.

hth

MS

Thanks a lot. Would suggest the same.

Hi,

Either I have misunderstood something or completely missed something.

But it seems to me that the DMZ VLAN is taken all the way from Firewall -> L2 switch -> L3 switch -> Server. If we presume that the L3 gateway for the servers is the firewall, the DMZ servers will not be bypassing the firewall when it comes to the traffic from VLAN 55 to any other VLAN on the network.

Naturally, if you do have some L3 point for VLAN 55 on the L3 switch, it's a totally different matter. But if VLAN 55 is just an L2 segment that ends at the firewall, every server is using the firewall to connect to anything else outside their network.

Though the fact still remains that the setup isn't ideal if you need to start making connections between devices because you are out of switch ports.

And if there is some sort of DoS attack or the server starts generating traffic that eats up all your Internet bandwidth, you might still end up losing all connectivity no matter where the servers are behind your firewall.

- Jouni

Hi jouniforss,

This is my config on the firewall, L2 and L3 switch.

On the firewall, the config is (ASA syntax; the interface mask is the /24 used by the servers below):

    interface GigabitEthernet0/2
     nameif dmz
     security-level 50
     ip address 192.168.10.1 255.255.255.0

On the L2 switch, VLAN 55 is created and a port is assigned to VLAN 55.

On the L3 switch, again VLAN 55 is created and a port is assigned to VLAN 55.

As mentioned earlier, a cable is directly connected from the L3 switch to the L2 switch with VLAN 55 on both ports, due to the port limitation on the L2 (DMZ) switch. On the L3 switch the servers are assigned to VLAN 55 with an IP of e.g. 192.168.10.2, mask 255.255.255.0, gateway 192.168.10.1.

This is the scenario, so are there any drawbacks?
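Jouni's point above (the risk differs depending on whether the L3 switch only bridges VLAN 55 or also has an L3 point for it) and the config just posted are the two things a defender would want to check on the inside switch. The following is an added example, not code from the thread or from Cisco: a small parser over a constructed IOS-style running-config that flags whether the DMZ VLAN is merely carried on the inside switch's ports (the port-sharing described here) or, worse, has an SVI with `ip routing` enabled, which would route inside/DMZ traffic around the firewall. The interface names and the 192.168.10.254 SVI address in the sample are assumptions.

```python
import re

# Constructed sample of an IOS-style running-config for the inside L3 switch (assumption;
# the thread only says vlan 55 exists there and access ports are assigned to it).
SAMPLE_CONFIG = """\
vlan 55
interface Vlan55
 ip address 192.168.10.254 255.255.255.0
interface GigabitEthernet1/0/1
 switchport access vlan 55
interface GigabitEthernet1/0/2
 switchport access vlan 55
ip routing
"""

def parse_interfaces(config):
    """Return {interface name: [its indented config lines]}."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line.startswith(" ") and current is not None:
            ifaces[current].append(line.strip())
        else:
            current = None  # any other top-level command ends the block
    return ifaces

def svi_vlans(ifaces):
    """VLAN ids that have an SVI with an IP address (a routed hop on this switch)."""
    return {int(m.group(1)) for name, lines in ifaces.items()
            if (m := re.fullmatch(r"Vlan(\d+)", name))
            and any(l.startswith("ip address ") for l in lines)}

def access_ports(ifaces, vlan):
    """Physical ports whose access VLAN is the given VLAN."""
    return [name for name, lines in ifaces.items()
            if f"switchport access vlan {vlan}" in lines]

def dmz_bypass_findings(config, dmz_vlan):
    """Flag how the DMZ VLAN touches the inside switch: carried on ports, or routed locally."""
    ifaces = parse_interfaces(config)
    findings = []
    if dmz_vlan in svi_vlans(ifaces) and "ip routing" in config.splitlines():
        findings.append(f"Vlan{dmz_vlan} has an SVI and ip routing is on: "
                        "inside and DMZ traffic can be routed without crossing the firewall")
    ports = access_ports(ifaces, dmz_vlan)
    if ports:
        findings.append(f"vlan {dmz_vlan} is carried on inside-switch ports: {', '.join(ports)}")
    return findings
```

Run it against `show running-config` output from the L3 switch with the DMZ VLAN id; an empty result for the SVI check is the situation Jouni describes, where the firewall remains the only L3 path out of VLAN 55.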
