use one switch instead of muliple?

m.matteson
Level 2

I was wondering what the security ramifications are of using one switch (6513) in place of multiple switches in this configuration. Attached JPG. Can I configure separate VLANs to replace the individual switches in this diagram? I remember reading something once about packets all being on the backplane and a security issue there, but I couldn't find the post. This would also be a switch that has users and servers on it (it's actually two 6513s load balancing everything and clustered). Any security concerns you can think of?

7 Replies

ebreniz
Level 6

Multi-tier server farms running on different server machines can provide better resiliency and security. Resiliency is improved because a server can be taken out of service while the same function is still provided by another server that belongs to the same application tier. Security is improved because even if an attacker compromises a web server, this does not provide access to the actual application or to the database, which are hosted on separate server machines.

http://www.cisco.com/application/pdf/en/us/guest/netsol/ns304/c649/cdccont_0900aecd8010e7a8.pdf

In my opinion you can consolidate multiple switches into two and still maintain adequate security provided there are no mis-configurations. I would not go as far as merging all switches into one as there should be at least two for adequate redundancy but as far as supporting multiple security zones is concerned you can use VLANs to achieve the desired result. Some organizations have a security policy that mandates logical as well as physical separation between individual security zones and in that case you do not have much choice.

If this is for a data center or an installation that will grow on you then I do not recommend putting the users on the same switch as the servers and the network services devices (firewalls, load balancers).

Thanks. My only concern is that even using VLANs, packets from two different VLANs are tagged and sent across the same backplane. In this scenario the only thing separating my packets at a switch level, external packets from internal, is just the VLAN, although they are eventually switched to the FW and such. Do you know of any vulnerabilities or exploits that could compromise me in this situation, assuming there are no config errors?

There is this known Layer-2 attack normally referred to as 'VLAN Hopping', but it can be successfully executed only if you have left your configuration at the default or have misconfigured the switch. It should be noted that VLAN hopping is a unidirectional attack.

I will highlight it again that if there are no misconfigurations and provided there are no software bugs that can lead to open holes, you are secure when you logically isolate traffic via VLANs. I do not think you should be concerned about the backplane being used to pass all traffic; do you think that the firewall has separate data buses for each security zone?

Thanks for the post. It is really helping out a lot. Haha, my mom says I think too much, but here is another question. First off, thanks for stressing the point that if I know what I'm doing and don't screw up my config, or if there are no bugs, then I should be fine. I like your FW security context analogy. (BTW, sorry for the typos, responding from my Treo 700.) So anyways, on with my question. If I were to plug all security devices into one 10/100/1000 module on the switch, then technically all security VLAN traffic would remain on that module and have no reason to travel across the BP? (BTW, I'm not familiar with how switching works on a modular chassis.) Also, can you prune VLANs from specific switch modules? I'm thinking no. If it's anything like stacking 3750s, the stack becomes one switch and you can't prune anymore. Again, thanks for the help.

It really depends on the architecture of the switch one is dealing with; in some architectures all traffic hits the backplane and in some distributed architectures the modules have their own intelligence and are capable of switching traffic locally. I would like to stress again the fact that packets from different VLANs passing on the same backplane is not a security threat. But if you are overly concerned about it then maybe it is better you stick with separate physical devices. Regarding the capability to prune VLANs from specific switch modules: what you do is explicitly configure the VLANs a port or a group of ports belong to, and unless you explicitly allow bridging or routing between them there is pretty much no way one VLAN can see traffic from another VLAN (again with the exception of bugs or misconfigurations). This is my point of view, but I am sure there will be someone out there that will have a different point of view.
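As an added, defender-side illustration that is not part of this thread or any poster's configuration: a Catalyst IOS fragment showing a port left at its trunk-negotiating default beside the hardened access-port and trunk settings that close the default/misconfiguration cases ebreniz ties VLAN hopping to, and the explicit per-port VLAN assignment described in the reply above. Interface names, the VLAN numbers (10, 20, 30, 999) and the descriptions are assumed placeholders, not values from the thread.

```ios
! --- Weak: port left at the Catalyst default. DTP is allowed to
! --- negotiate a trunk with whatever is plugged in, and untagged
! --- frames land in the default native VLAN 1.
interface GigabitEthernet3/1
 description user-port-default (assumed placeholder)
 switchport
 switchport mode dynamic desirable
!
! --- Hardened user access port: fixed access mode, DTP disabled,
! --- so the port can never become a trunk.
interface GigabitEthernet3/1
 description user-access-hardened (assumed placeholder)
 switchport
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 spanning-tree portfast
!
! --- Hardened trunk towards the firewall: explicit dot1q trunk,
! --- DTP disabled, only the security-zone VLANs allowed, and the
! --- native VLAN moved to an unused "parking" VLAN so untagged
! --- frames cannot reach a production VLAN. VLAN ids are assumed.
interface GigabitEthernet3/2
 description fw-trunk-hardened (assumed placeholder)
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,30
!
! --- Tag the native VLAN on all trunks as well, so no frame
! --- crosses a trunk untagged at all (global command).
vlan dot1q tag native
!
! --- Unused ports on the module: parked in the unused VLAN and shut.
interface range GigabitEthernet3/3 - 48
 switchport mode access
 switchport access vlan 999
 shutdown
```

After applying it, `show interfaces GigabitEthernet3/1 switchport` should report "Negotiation of Trunking: Off" and `show interfaces trunk` should list only VLANs 10 and 30 on the firewall trunk.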

Hey, thanks for your input, it's definitely been great so far!
