03-02-2010 07:06 AM - edited 03-11-2019 10:16 AM
Please take a look at the attached image, or see here: http://imgur.com/oSE9v.png
Basically, I want the DMZ network to be available on a vlan in every rack (with 4948 rack switches) in my small datacenter. I also want the DMZ to be easily accessible from the inner networks, but an ACL should control what the DMZ servers can get to on the inside.
Will the attached design work, or is this foolish?
Who advertises the DMZ network, the PIX or the 6500?
How do I keep the 6500 from routing packets between the inner networks and the DMZ? The PIX should be the only thing that routes packets between those networks, right?
03-02-2010 07:22 AM
Also, thanks Cisco for displaying my email address for spammers even though my profile says to hide it.
03-02-2010 07:33 AM
The L3 interface for the outside and DMZ interfaces must only be on the pix and not on the 6500 otherwise you will route around the firewall. So when you say who advertises the DMZ, that would be the pix although it does depend what you mean by advertise ie. you could have a static route on the 6500 for the DMZ servers pointing the pix DMZ interface. As long as there are no L3 SVIs on the 6500 for the DMZ and outside interface you should be fine.
As for whether it is foolish, no not really. You do need to be careful because you have collapsed the outside/dmz/inside onto the 6500 chassis so a misconfiguration could open up a security hole. Using separate switches is always that little bit more secure but your design is perfectly valid.
Make sure when you configure your trunk links between the 6500 and the 4900 switches that you only allow the specific vlans you want ie. make sure you do not allow the outside vlan on the trunks. Often you find that a separate switch is used for the outside facing subnet ie. the subnet between the outside interface of the firewall and the upstream router. You don't have to but if you don't you need to be extra careful with your config.
Finally, because you are really using vlans to provide security as opposed to physically separate switches, you need to be aware of vlan security issues and mitigate against them ie. turn off vlan 1 and don't use it, change your native vlan or tag the native vlan etc. See this link to doc about vlan security on Cisco 6500 switches, most of it is relevant to other switches as well -
Jon
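The checks Jon lists (no L3 SVI on the 6500 for the DMZ or outside vlans, the outside vlan pruned from the rack trunks, a non-default or tagged native vlan, and a static route for the DMZ subnet pointing at the PIX) can be audited mechanically against a saved 6500 config. The script below is an added example, not code from this thread or from Cisco; the two config fragments are constructed, and the VLAN numbers (10 inside, 20 DMZ, 30 outside), addresses and port names are assumptions. It shows a risky config that would route around the firewall next to the hardened version of the same design.

```python
import re

# Constructed 6500 config fragment (assumption: vlan 10 inside, 20 DMZ,
# 30 outside). It has an SVI on the DMZ vlan, carries the outside vlan on
# the rack trunk and leaves the native vlan at the default of 1.
RISKY_CONFIG = """\
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
!
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
!
interface GigabitEthernet1/1
 description trunk to 4948 rack A
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
!
"""

# Same design with the fixes from the reply: no SVI on the DMZ vlan, the
# outside vlan pruned from the trunk, an unused native vlan, and a static
# route for the DMZ subnet whose next hop is the PIX inside address.
HARDENED_CONFIG = """\
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
!
interface GigabitEthernet1/1
 description trunk to 4948 rack A
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
!
ip route 10.1.20.0 255.255.255.0 10.1.10.254
"""


def parse_interfaces(config):
    """Map each 'interface X' block to its indented config lines."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # '!' or any top-level line closes the block
    return blocks


def expand_vlans(spec):
    """Expand an IOS vlan list such as '10,20-22,30' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        elif part.strip():
            vlans.add(int(part))
    return vlans


def trunk_allowed_vlans(lines):
    """Allowed vlans on a trunk; None means the IOS default of all vlans."""
    for line in lines:
        m = re.match(r"switchport trunk allowed vlan ([\d,\-]+)$", line)
        if m:
            return expand_vlans(m.group(1))
    return None


def trunk_native_vlan(lines):
    """Configured native vlan, or the IOS default of 1."""
    for line in lines:
        m = re.match(r"switchport trunk native vlan (\d+)$", line)
        if m:
            return int(m.group(1))
    return 1


def audit(config, dmz_vlans, outside_vlans):
    """Flag the three mistakes that would let traffic bypass the PIX."""
    firewall_vlans = set(dmz_vlans) | set(outside_vlans)
    tag_native = "vlan dot1q tag native" in config.splitlines()
    findings = {"svi_on_firewall_vlan": [],
                "trunk_carries_outside": [],
                "trunk_native_vlan_1": []}
    for name, lines in parse_interfaces(config).items():
        svi = re.match(r"Vlan(\d+)$", name)
        if svi and int(svi.group(1)) in firewall_vlans \
                and any(l.startswith("ip address ") for l in lines):
            findings["svi_on_firewall_vlan"].append(name)
        if "switchport mode trunk" in lines:
            allowed = trunk_allowed_vlans(lines)
            if allowed is None or allowed & set(outside_vlans):
                findings["trunk_carries_outside"].append(name)
            if trunk_native_vlan(lines) == 1 and not tag_native:
                findings["trunk_native_vlan_1"].append(name)
    return findings


def has_dmz_route(config, network, mask):
    """True if a static route for the DMZ subnet exists (next hop = PIX)."""
    pattern = r"^ip route %s %s \S+" % (re.escape(network), re.escape(mask))
    return re.search(pattern, config, re.MULTILINE) is not None


if __name__ == "__main__":
    for label, cfg in (("risky", RISKY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg, {20}, {30}),
              "dmz route:", has_dmz_route(cfg, "10.1.20.0", "255.255.255.0"))
```

Run against `show running-config` output saved to a file, the risky fragment produces three findings and no DMZ route, while the hardened fragment is clean. The audit only knows about `switchport mode trunk` ports and the basic `allowed vlan` form; ports left in dynamic trunking mode, or `allowed vlan add` lines, should be checked by hand.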