
DMZ & Internet Switches

adamgibs7
Level 6

Dears

Please refer to the attached diagram. I don't have separate internet switches, so I am planning to connect the ISP internet links to the DMZ switch with a secure configuration. I am planning to create a private VLAN with the community port type, in which ports 1-6 will be added to community VLAN 200; these community VLANs will not speak to any other DMZ server VLANs on the switch, only within their own community.

Please confirm to me whether this is a good decision, or whether it is better to buy a 3560C 8-port switch for the ISP routers to keep them physically separate.

Traffic Flow: Server traffic needs to go to the internet

Server -- Ext-FW DMZ port -- Ext-FW external port connected on port 3, which is configured as community VLAN 100; port 1 of the switch is also in the same community VLAN 100.

Traffic Flow: User traffic needs to go to the internet

User traffic -- INT FW -- INT-SW -- Ext-FW internal port -- Ext-FW external port connected on port 3, which is configured as community VLAN 100; port 1 of the switch is also in the same community VLAN 100.

Thanks
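The private VLAN plan above can be checked before it is typed into a switch. The following is an added example, not code from the original post or from Cisco: it models the three PVLAN port types (promiscuous, community, isolated) using the forwarding rules Cisco documents, reports whether any frame can cross between two secondary VLANs, and renders the matching IOS CLI. The interface names, the VLAN ids, the primary VLAN 10 and the extra isolated port (which goes beyond the community-only plan in the post) are constructed for illustration.

```python
"""Private VLAN (PVLAN) reachability model and IOS config generator.

Added example; not code from the thread or from Cisco. Forwarding rules:
  promiscuous -> every port in the primary VLAN
  community   -> ports of the same community VLAN + promiscuous ports
  isolated    -> promiscuous ports only
"""
from dataclasses import dataclass
from itertools import permutations
from typing import Optional


@dataclass(frozen=True)
class PvlanPort:
    name: str                 # switch interface, constructed name
    role: str                 # free-text label used in the description line
    mode: str                 # "promiscuous", "community" or "isolated"
    secondary: Optional[int]  # community/isolated VLAN id; None for promiscuous


def can_forward(src: PvlanPort, dst: PvlanPort) -> bool:
    """True if a frame entering src may be forwarded out dst (Layer 2 only)."""
    if src == dst:
        return False
    if src.mode == "promiscuous" or dst.mode == "promiscuous":
        return True
    if src.mode == "community" and dst.mode == "community":
        return src.secondary == dst.secondary
    # isolated<->isolated and isolated<->community never forward
    return False


def leaks_between(ports, vlan_a: int, vlan_b: int):
    """Sorted (src, dst) names where a port in vlan_a can reach a port in vlan_b."""
    return sorted(
        (s.name, d.name)
        for s, d in permutations(ports, 2)
        if s.secondary == vlan_a and d.secondary == vlan_b and can_forward(s, d)
    )


def ios_config(primary: int, ports) -> str:
    """Render the IOS CLI for this layout: PVLAN definitions, host/promiscuous ports, no routing."""
    kinds = {p.secondary: p.mode for p in ports if p.secondary is not None}
    secondaries = ",".join(str(v) for v in sorted(kinds))
    lines = ["no ip routing"]
    for vid in sorted(kinds):
        lines += [f"vlan {vid}", f" private-vlan {kinds[vid]}"]
    lines += [f"vlan {primary}", " private-vlan primary",
              f" private-vlan association {secondaries}"]
    for p in ports:
        lines += [f"interface {p.name}", f" description {p.role}"]
        if p.mode == "promiscuous":
            lines += [" switchport mode private-vlan promiscuous",
                      f" switchport private-vlan mapping {primary} {secondaries}"]
        else:
            lines += [" switchport mode private-vlan host",
                      f" switchport private-vlan host-association {primary} {p.secondary}"]
    return "\n".join(lines)


# Constructed layout mirroring the post: ISP links and the firewall's outside
# port share community 100, DMZ hosts and the firewall's DMZ port share 200.
DMZ_SWITCH = [
    PvlanPort("GigabitEthernet0/1", "ISP-A router", "community", 100),
    PvlanPort("GigabitEthernet0/2", "ISP-B router", "community", 100),
    PvlanPort("GigabitEthernet0/3", "Ext-FW outside", "community", 100),
    PvlanPort("GigabitEthernet0/7", "Ext-FW DMZ", "community", 200),
    PvlanPort("GigabitEthernet0/8", "DMZ web server", "community", 200),
    PvlanPort("GigabitEthernet0/9", "DMZ mail server", "community", 200),
    PvlanPort("GigabitEthernet0/10", "DMZ host (isolated)", "isolated", 300),
]

if __name__ == "__main__":
    print("outside -> DMZ leaks:", leaks_between(DMZ_SWITCH, 100, 200))
    print("DMZ -> outside leaks:", leaks_between(DMZ_SWITCH, 200, 100))
    print(ios_config(10, DMZ_SWITCH))
```

The model only answers the Layer 2 question (which ports can exchange frames); a community or isolated VLAN gives no protection if the switch also carries an SVI with an IP address in the primary VLAN, which is the point the accepted answer makes.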


4 Replies

Marvin Rhoads
Hall of Fame

In my experience most people don't go to the trouble of creating private VLANs in such cases. Just use a switch without any layer 3 services, interfaces or routing enabled and segregate your outside and DMZ VLANs on it. Ideally it's a switch that has an out-of-band Mgmt0 or similar interface that you can use to monitor and manage it or else a console port connected to a console server.

If the external FW runs as a failover pair, then you need a switch to interconnect the OUTSIDE interfaces of both Ext FWs.

Dear Marvin

If the switch is acting at Layer 2 without IP addressing or Layer 3 capabilities, does that mean it is less susceptible to hacking or attack? And is it also a best practice, from a security perspective, for DMZ switches?

thanks 

When the switch has no layer 3 exposure, it is essentially invisible to anything not directly attached to it.

Internet traffic is carried via TCP/IP. No TCP/IP on the device means it cannot be addressed (or hacked) via TCP/IP.
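"No Layer 3 exposure" is a property that can be verified from the running-config rather than assumed. The following is an added example, not code from the thread or from Cisco: it parses an IOS-style configuration and reports every IP service that would make the switch addressable from the VLANs it carries (global `ip routing`, HTTP/HTTPS management servers, SVIs with IP addresses, IP addresses on data ports). The two configurations are constructed; the out-of-band management interface name `FastEthernet0` is an assumption and is passed in as an allow-list, so it is exempt just as the Mgmt0-style port in the answer would be.

```python
"""Audit an IOS-style running-config for Layer 3 exposure on an outside/DMZ switch.

Added example; not from the thread or from Cisco. Config text, hostnames,
addresses and the OOB interface name are constructed for illustration.
"""
import re

# Global commands that put an IP service on the switch itself.
GLOBAL_SERVICES = {
    "ip routing": "IP routing enabled (switch would forward between VLANs)",
    "ip http server": "HTTP management server enabled",
    "ip http secure-server": "HTTPS management server enabled",
}


def parse_interfaces(config: str) -> dict:
    """Return {interface name: [sub-commands]} from IOS 'show running-config' text."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None  # "!" separates sections in IOS output
            continue
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # some other global command
    return blocks


def audit_l3_exposure(config: str, oob_mgmt=("FastEthernet0",)) -> list:
    """List human-readable findings; an empty list means no IP reachability on transit VLANs."""
    findings = []
    for cmd, why in GLOBAL_SERVICES.items():
        # Anchored so that "no ip routing" does not match "ip routing".
        if re.search(rf"^{re.escape(cmd)}\s*$", config, re.MULTILINE):
            findings.append(f"global: {why}")
    for name, subcmds in parse_interfaces(config).items():
        has_ip = any(s.startswith("ip address ") for s in subcmds)
        if not has_ip:
            continue
        if name.lower().startswith("vlan") and "shutdown" not in subcmds:
            findings.append(f"{name}: SVI with an IP address on a transit VLAN")
        elif not name.lower().startswith("vlan") and name not in oob_mgmt:
            findings.append(f"{name}: IP address on a data port")
    return findings


# Constructed "before": the switch is addressable on VLAN 1 and routes.
EXPOSED_CONFIG = """\
hostname dmz-sw
ip routing
ip http server
!
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
!
interface GigabitEthernet0/1
 description ISP-A router
 switchport mode private-vlan host
!
"""

# Constructed "after": Layer 2 only; management lives on the assumed OOB port.
HARDENED_CONFIG = """\
hostname dmz-sw
no ip routing
no ip http server
no ip http secure-server
!
interface Vlan1
 no ip address
 shutdown
!
interface FastEthernet0
 description out-of-band management (assumed OOB port name)
 ip address 10.255.0.5 255.255.255.0
!
interface GigabitEthernet0/1
 description ISP-A router
 switchport mode private-vlan host
!
"""

if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_l3_exposure(cfg) or ["no Layer 3 exposure found"])
```

The audit deliberately keeps a short list of checks it can justify from the config alone; anything that answers on an IP address, such as SNMP or remote CLI access, can only exist once an interface has an address, so the SVI and data-port checks are the ones that matter most for a switch in this position.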
