Showing results for 
Search instead for 
Did you mean: 

DMZ Design


I need to create a DMZ where VMs in my environment can be accessed from the public internet.  The current plan is:

-Have a single firewall that is connected to a 7000K switch.  There will be both a DMZ subnet and internal network subnets sharing the same physical switch, and travelling in and out the same physical switch trunk ports to various ESXi hosts.  The traffic will be separted only by being tagged with different vLAN tags, and by creating firewall rules to that control what communication can happen to and from the DMZ subnet.


Is this a viable "DMZ" design or does DMZ traffic need to be on a different physical switch or at least not trunked on the same switch ports? 


Collin Clark

This would fail any regulated security audit.

OK thanks. Is there any reference documentation to define exactly what a regulated audit is looking for in DMZ design?  Is there a specific document or link I can point to that sets out what the requirements are?  When you say regulated audit are you talking specifically PCI-DSS, Sarbanes Oxley, NIST, FISMA, or all of the above?  Which audits are "regulated"?

By regulated I mean PCI, DISA, etc. You can check out the CVD for internet edge at

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: