Steve Graham
Beginner

DMZ to Core connectivity

Hi,

I am in the process of redesigning the way our DMZ switch (Cat 2950G-48-EI) connects to our core. This connection would only be used for management of the switch remotely. Question is this: what would be the "best practices" way of implementing this? The DMZ switch is currently set up in transparent mode with regard to VTP. Any and all suggestions are appreciated.

Accepted Solution
paddyxdoyle
Frequent Contributor

To be honest, the best practice way to manage a DMZ switch would be by console port only, with no IP connectivity enabled on the switch. Many customers I have worked with employ this on their DMZs; however, this is not always practical in some environments.

If you need to do this, then I would use:

a) Use protected ports so that the ports with server connections can only talk to the layer 3 device (firewall).

b) VTY access lists permitting only authorised IP addresses to access the switch; if you can't do this because you need to access the switch from many locations, then consider using a locked-down Unix box or similar as a gateway to this switch, perhaps your NMS server.

c) Disable Telnet and use SSH, which I think is available on 2950s.

d) Use SNMP access lists to only permit SNMP read/write from your NMS.

HTH

Paddy
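The four points above, written out as a Catalyst 2950 IOS configuration. This is an added example, not configuration from the original post or from the poster. Everything specific in it is assumed: DMZ servers on Fa0/1-47 in VLAN 10, the firewall uplink on Gi0/1, a dedicated management link to the core on Gi0/2 carrying VLAN 99 only, a management address of 192.0.2.10/24 with the NMS (or jump host) at 192.0.2.20, and a crypto (k9) IOS image so that SSH is present. Placeholders in angle brackets must be replaced.

```ios
! Added example: Catalyst 2950G-48-EI DMZ switch hardening following points a) to d).
! All interface numbers, VLANs, addresses and names below are hypothetical.
hostname dmz-sw1
ip domain-name dmz.example.net
service password-encryption
enable secret <enable-secret>
username netops privilege 15 secret <strong-password>
vtp mode transparent
no ip http server
no service tcp-small-servers
no service udp-small-servers
!
vlan 10
 name DMZ-SERVERS
vlan 99
 name MANAGEMENT
!
! SSH needs an RSA key pair; generate it once from exec mode, not config mode:
!   crypto key generate rsa modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 3
!
! a) Protected ports: frames from a protected port are never forwarded to another
!    protected port, only to unprotected ports (here, the firewall uplink Gi0/1).
interface range FastEthernet0/1 - 47
 description DMZ server
 switchport mode access
 switchport access vlan 10
 switchport protected
 spanning-tree portfast
 spanning-tree bpduguard enable
 no cdp enable
!
interface FastEthernet0/48
 description unused
 shutdown
!
interface GigabitEthernet0/1
 description uplink to firewall (DMZ leg), unprotected on purpose
 switchport mode access
 switchport access vlan 10
!
! Management link to the core: access port in the management VLAN only, so
! DMZ VLAN 10 is never carried towards the core.
interface GigabitEthernet0/2
 description management link to core
 switchport mode access
 switchport access vlan 99
!
interface Vlan99
 description switch management address
 ip address 192.0.2.10 255.255.255.0
 no shutdown
ip default-gateway 192.0.2.1
!
! b) Only the NMS / jump host may open a management session.
access-list 10 remark management stations only
access-list 10 permit 192.0.2.20
access-list 10 deny any
!
! c) SSH only (Telnet disabled), local authentication, idle timeout.
line vty 0 15
 access-class 10 in
 transport input ssh
 login local
 exec-timeout 10 0
line con 0
 login local
 exec-timeout 10 0
!
! d) SNMP restricted to the NMS by the same ACL; default communities removed.
no snmp-server community public
no snmp-server community private
snmp-server community <ro-community> RO 10
snmp-server community <rw-community> RW 10
```

Two caveats a practitioner would want. Protected-port isolation is local to the switch: it stops server-to-server forwarding on this chassis but says nothing about what the firewall or another switch will forward, and the uplinks are deliberately left unprotected so that every server can still reach the firewall. Second, a management SVI reachable from the core is still an IP path into the DMZ switch, which is why the VTY and SNMP access lists are pinned to a single management host; `show ip ssh` and `show running-config | include access-class|transport input` are the quick checks that SSH is enabled and Telnet is really off.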
