Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
358
Views
0
Helpful
1
Replies

DMZ Design

NotOfEarth
Level 1
Level 1

‎06-21-2016 04:31 PM - edited ‎03-12-2019 12:55 AM

I have a DMZ that has a Cisco Nexus switch with VRFs as well as a physical firewall.  Is it common in a DMZ environment to put the gateways for the DMZ systems on a Nexus VRF? Or should they be on the physical firewall?  If they are on the VRF, then it would be much easier for a misconfiguration to allow traffic between two subnets where traffic shouldn't flow.  If they are on the physical firewall, then there is a greater performance hit to the firewall to process more traffic, but greater visibility and centralized enforcement traffic flow policies between subnets.

Your experiences and recommendations welcome...

Labels:
0 Helpful
1 Reply 1

Philip D'Ath
VIP Alumni
VIP Alumni

‎06-21-2016 05:06 PM

The routing needs to be symmetric.  It is is just a single subnet I would take the Nexus switch out of that network (at a layer 3 level) and just run everything through the firewall.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card