12-07-2022 01:30 PM - edited 12-07-2022 01:31 PM
Dear all,
Please refer to the attached diagram. I don't have separate internet switches, so I am planning to connect the ISP internet links to the DMZ switch with a secure configuration. I am planning to create a private VLAN with community port types, in which ports 1-6 will be added to community VLAN 200; these community VLANs will not speak to any other DMZ server VLANs on the switch, except within their own community.
Please confirm to me whether this is a good decision, or whether it is better to buy a 3560C 8-port switch for the ISP routers to keep them physically separate.
Traffic flow: server traffic needs to go to the internet
Server -- Ext-FW DMZ port -- Ext-FW external port connected on port 3, which is configured as community VLAN 100; port 1 of the switch is also in the same community VLAN 100.
Traffic flow: user traffic needs to go to the internet
User traffic ---- INT-FW -- INT-SW --- Ext-FW INTERNAL port -- Ext-FW external port connected on port 3, which is configured as community VLAN 100; port 1 of the switch is also in the same community VLAN 100.
Thanks
12-08-2022 05:30 AM
In my experience most people don't go to the trouble of creating private VLANs in such cases. Just use a switch without any layer 3 services, interfaces or routing enabled and segregate your outside and DMZ VLANs on it. Ideally it's a switch that has an out-of-band Mgmt0 or similar interface that you can use to monitor and manage it or else a console port connected to a console server.
12-08-2022 03:38 PM
If the external FW runs as a failover pair, then you need a switch to interconnect the OUTSIDE interfaces of both Ext-FWs.
12-10-2022 12:59 AM - edited 12-10-2022 01:55 AM
Dear Marvin,
If the switch is acting as Layer 2 only, without IP addressing or Layer 3 capabilities, does that mean it is less susceptible to hacking or attack? And is it also a best practice, from a security perspective, for DMZ switches?
Thanks
12-12-2022 04:37 AM
When the switch has no layer 3 exposure, it is essentially invisible to anything not directly attached to it.
Internet traffic is carried via TCP/IP. No TCP/IP on the device means it cannot be addressed (or hacked) via TCP/IP.
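As an added illustration (not a configuration from the thread or from any of the posters), here is a Cisco IOS/IOS-XE configuration that combines the original plan (community VLAN 100 for the ISP router and Ext-FW outside port, community VLAN 200 for DMZ hosts) with the Layer 2-only advice above: no routing, no SVIs on transit VLANs, and management only via an out-of-band port. Interface numbers, primary VLAN 10, the management addressing and the presence of a dedicated management port are assumptions.

```cisco
! Constructed example, not the poster's config: Layer 2-only DMZ/ISP switch
! with private VLANs. Ports, VLAN 10 and the OOB management port are assumed.
hostname DMZ-SW
! Pure Layer 2: no routing and no in-band management services
no ip routing
no ip http server
no ip http secure-server
! Private VLANs require VTP transparent mode (or VTP version 3)
vtp mode transparent
!
vlan 10
 name PVLAN-PRIMARY
 private-vlan primary
 private-vlan association 100,200
vlan 100
 name COMMUNITY-ISP-EDGE
 private-vlan community
vlan 200
 name COMMUNITY-DMZ
 private-vlan community
!
! Community 100: ISP router and Ext-FW outside talk only to each other
interface GigabitEthernet1/0/1
 description ISP router
 switchport mode private-vlan host
 switchport private-vlan host-association 10 100
 spanning-tree portfast
 spanning-tree bpduguard enable
interface GigabitEthernet1/0/3
 description Ext-FW outside
 switchport mode private-vlan host
 switchport private-vlan host-association 10 100
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Community 200: DMZ servers; no path to community 100 inside the switch
interface GigabitEthernet1/0/7
 description DMZ server
 switchport mode private-vlan host
 switchport private-vlan host-association 10 200
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! No "interface Vlan10" etc.: the switch owns no address on any transit
! VLAN, so it cannot be addressed from the ISP or DMZ side. Manage it
! only via the dedicated out-of-band port (where the platform has one).
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 10.255.0.10 255.255.255.0
```

Verify with `show vlan private-vlan` (both communities mapped to primary 10 with the expected ports) and `show ip interface brief`, which should list an address only on the management port.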