04-16-2012 06:56 AM - edited 03-11-2019 03:54 PM
Is it a security issue or concern to add the Internet router to the same DMZ switch but on a different VLAN? To make the question clear, here is the setup.
The Internet router is on the outside interface of an ASA firewall, and the DMZ switch is on the DMZ interface of the firewall with a security level of 50.
04-17-2012 04:46 AM
Can anyone help out please?
Regards,
H

04-17-2012 04:55 AM
Hi H,
There are no security concerns if you plug the DMZ interface and the Internet router into the same switch, as long as they are separated in different VLANs with the correct configuration.
Thanks,
Varun
Varun Rao
04-17-2012 05:02 AM
What about L2 attacks (VLAN hopping, for example)?

04-17-2012 05:23 AM
Hi H,
For that, your configuration needs to be strict: no traffic should be allowed over the native VLAN; instead, traffic should be carried in explicitly assigned access VLANs. Do not set the trunks to auto-negotiate. Such steps can be taken to mitigate L2 attacks that could otherwise be used to gain access to your DMZ resources without passing through the ASA.
Thanks,
Varun
Varun Rao
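As an added illustration of the hardening advice in the reply above (this is not configuration from the original thread or from Cisco), here is what "no traffic over the native VLAN" and "do not auto-negotiate trunks" look like on a Catalyst IOS switch. The interface numbers, VLAN IDs and the assumption that the ASA outside interface also lands on this switch are hypothetical; adjust them to your own topology. The weak section shows the DTP-negotiated defaults that make double-tagging and switch-spoofing attacks possible; the hardened section pins every port to an explicit mode and VLAN, turns DTP off, and moves the trunk's native VLAN to an unused ID so an attacker on the router's VLAN cannot inject untagged frames that get forwarded into the DMZ VLAN.

```cisco
! ===== Weak (default-like) configuration =====
! Ports left in dynamic mode will form a trunk with any device that speaks DTP,
! and the trunk carries VLAN 1 untagged as the native VLAN.
interface GigabitEthernet0/1
 description ASA DMZ interface (weak)
 switchport mode dynamic desirable
!
interface GigabitEthernet0/2
 description Internet router (weak)
 switchport mode dynamic auto
!
! ===== Hardened configuration =====
vlan 10
 name DMZ
vlan 20
 name OUTSIDE
vlan 999
 name NATIVE_UNUSED
!
! ASA DMZ interface (security level 50): fixed access port, no DTP frames sent
interface GigabitEthernet0/1
 description ASA DMZ interface
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Internet router: its own access VLAN, so it only reaches the ASA outside interface
interface GigabitEthernet0/2
 description Internet router
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! ASA outside interface (assumed to be cabled to this switch as well)
interface GigabitEthernet0/3
 description ASA outside interface
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Only if a trunk to a second DMZ switch is genuinely required:
! static trunk, DTP disabled, native VLAN parked on an unused ID,
! and only the VLANs that belong on the link permitted.
interface GigabitEthernet0/24
 description Trunk to second DMZ switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
!
! Unused ports: explicit access mode, parked in the unused VLAN, shut down
interface range GigabitEthernet0/4 - 23
 switchport mode access
 switchport access vlan 999
 shutdown
```

Two points worth checking after applying this: `show interfaces trunk` should list no trunk other than the one you configured statically, with native VLAN 999 and only VLANs 10 and 20 allowed, and `show dtp interface` (or `show interfaces switchport`) should report negotiation off on every port. On platforms that support it, `vlan dot1q tag native` in global configuration additionally forces the native VLAN to be tagged on trunks, which removes the untagged path that double-tagging relies on.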
04-17-2012 05:29 AM
To answer it simply: there is no security concern with the Internet router on the DMZ switch, but you need to take care of all the L2-type attacks by hardening the switch configuration.
