cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2714
Views
10
Helpful
11
Replies

DMZ and Perimeter zone on the same switch

marine253
Level 1
Level 1

Hello ,

 

Is it a good practice to have my perimeter zone ..routers etc.. (say in vlan 10) on a switch and then have my dmz (say vlan 20) connected to the same switch? Each zone will be in a dedicated vlan , but on the same switch. Of course a firewall will be connected to both vlans for inter-vlan routing/ips.

 

I've seen this setup at a lot of places , but would like to hear your views.

 

Thanks

 

11 Replies 11

cassiolange
Level 1
Level 1

Hello Mariner,

 

I don't see any kind of issue in this scenario. You could use VRF to isolate the traffic. I have many customers running this scenario.

 

I have customers running BGP in switches using VRF for this.

 

Regards,

Thanks , but security audit is saying that a  vlan mis configuration or a bug would cause the traffic to mix.

Not sure how to respond to that.

Also , this is purely for layer 2 services. No L3 involved , so VRF is not applicable here.

Hello 

 

Bugs or misconfig can happens on FW too. :)
With two switch, more cable is necessary because the server guys need cable the server on both switches. The complexity of the configuration grow and on the end you have same topology, with more cables switches and cable.

In the past i saw customers start with two switch, one for lan other for dmz, and few months later you have a cable between the switches.

 

I agree with @Reza Sharifi, i don't thing this a problem.

 

I suggest put a VRF between FW and servers, because on this topology FW don't need learn every mac addresses from servers, don't need treat a multicast/broadast traffic from servers e etc.
Nowadays FW have a large cappacity for learn mac addresses, but that is not your function.

 

Good Luck,

 

Regards,

Reza Sharifi
Hall of Fame
Hall of Fame

Hi,

That should be fine. Whether you use one switch or 2, the vlans have to go to the firewall to communicate and that is where you want to deploy your policies anyway.

HTH 

Yeah , that correct. Policies are configured on the firewall and it is securing all the zones.

 

But they are talking about vlan hopping , port mis-configuration or bug. Is this something we should be concerned of?

But they are talking about vlan hopping , port mis-configuration or bug. Is this something we should be concerned of?

I don't think so.

Here is a document (page 15) for security best practice on layer-2 devices.   As for misconfiguration and bugs, that could happen regardless of having one or 2 switches.

https://www.cisco.com/c/dam/global/en_ae/assets/exposaudi2009/assets/docs/layer2-attacks-and-mitigation-t.pdf

HTH

 

thank you all for your comments. What if i told that this is for a bank :) convincing the auditors is harder than you might think :) 

I would address this problem a little bit different ...

If you configure everything correct, the one switch scenario is perfectly fine. And you really should look into device hardening (also with the document that Reza provided). But people do mistakes. And if you use separate switches, a misconfiguration will have less impact. And in a highly sensitive environment, a couple thousand bucks for separated hardware per security domain shouldn't be the problem.

Saying that: Because of budget-limits I most often combine the perimeter and public DMZ on one switch, and internal DMZ and the internal network on other switches (for example the core).

Thanks for the helpful inputs, What about using CORE SW for internal network & use with same sw with a separate L2 VLAN for external ISP terminations for  WAN links directly on internal switches. How to justify the risk vs cost saving for switches for a small organizations. Much appreciate if any doc which can help to  identify the potential risks and challenges w/o a separate switch for Perimeter.

Hello @Laby Andrews ,

there can be features unsupported on your core switches that you need for example NAT .

So usually a router or firewall  ( ideally a pair in HA) is used to terminate the WAN links.

 

You need to check this basic aspect.

 

Hope to help

Giuseppe

 

Review Cisco Networking for a $25 gift card