DMZ to Core connectivity

Steve Graham
Level 1

Hi,

I am in the process of redesigning the way our DMZ switch (Cat 2950G-48-EI) connects to our core. This connection would only be used for remote management of the switch. Question is this: what would be the "best practices" way of implementing this? The DMZ switch is currently set up in transparent mode with regard to VTP. Any and all suggestions are appreciated.

Accepted Solution

paddyxdoyle
Level 6

To be honest, the best practice way to manage a DMZ switch would be by console port only, with no IP connectivity enabled on the switch. Many customers I have worked with employ this on their DMZs; however, this is not always practical in some environments.

If you need to do this, then I would use:

a) Use protected ports so that the ports with server connections can only talk to the layer 3 device (firewall).

b) VTY access lists permitting only authorised IP addresses to access the switch. If you can't do this because you need to access the switch from many locations, then consider using a locked-down Unix box or similar as a gateway to this switch, perhaps your NMS server.

c) Disable Telnet and use SSH, which I think is available on 2950s.

d) Use SNMP access lists to only permit SNMP read/write from your NMS.

HTH

Paddy
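The four points in the accepted answer, put together as one Catalyst 2950 configuration fragment. This is an added example, not configuration from the original post or from Cisco; it assumes the server ports are Fa0/1-48, the firewall's DMZ leg is on Gi0/1, the management uplink to the core is Gi0/2 in a dedicated VLAN 99, and the addresses 192.0.2.10 (switch), 192.0.2.1 (gateway), 192.0.2.50 (NMS) and 192.0.2.51 (jump host) are all hypothetical. SSH on a 2950 needs a crypto (k9) image, which is why the example also sets a domain name and generates an RSA key before enabling it.

```cisco
! Hypothetical 2950G-48-EI DMZ switch fragment (added example, not from the post).
! Assumed: servers on Fa0/1-48, firewall DMZ leg on Gi0/1, management uplink on Gi0/2,
! management VLAN 99, switch 192.0.2.10/24, NMS 192.0.2.50, jump host 192.0.2.51.
hostname dmz-sw1
service password-encryption
enable secret <enable-secret>
!
! a) Protected ports: a protected port cannot exchange traffic with another
!    protected port on this switch, only with unprotected ones (the firewall).
interface range FastEthernet0/1 - 48
 description DMZ server ports
 switchport mode access
 switchport access vlan 10
 switchport protected
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/1
 description Firewall DMZ interface (left unprotected on purpose)
 switchport mode access
 switchport access vlan 10
!
! Management traffic stays in its own VLAN on the core-facing uplink.
interface GigabitEthernet0/2
 description Management uplink to core
 switchport mode access
 switchport access vlan 99
!
interface Vlan99
 description Management SVI (the only IP on the switch)
 ip address 192.0.2.10 255.255.255.0
 no shutdown
ip default-gateway 192.0.2.1
!
! b) VTY access list: only the NMS and the jump host may open a session.
access-list 10 remark Hosts allowed to manage dmz-sw1
access-list 10 permit host 192.0.2.50
access-list 10 permit host 192.0.2.51
access-list 10 deny any log
!
! c) SSH only, no Telnet. The RSA key needs a hostname and domain name first.
ip domain-name example.net
crypto key generate rsa general-keys modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 3
username netadmin password <strong-password>
!
line vty 0 15
 access-class 10 in
 transport input ssh
 login local
 exec-timeout 10 0
!
! d) SNMP: separate read-only and read-write communities, both bound to an ACL
!    that admits only the NMS.
access-list 11 remark NMS allowed to poll/set dmz-sw1
access-list 11 permit host 192.0.2.50
access-list 11 deny any log
snmp-server community <ro-community> RO 11
snmp-server community <rw-community> RW 11
```

Check the result from the switch itself with `show interfaces switchport` (the protected flag), `show ip ssh` (SSH enabled and version), `show access-lists` (hit counts on the deny entries tell you who is knocking) and `show running-config | include snmp-server community` (every community has an ACL number after it). The placeholders in angle brackets must be replaced before the fragment is applied, and `ip ssh version 2` can be added on images that support it.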

