08-05-2018 08:16 AM - edited 03-08-2019 03:50 PM
Hello,
Is it a good practice to have my perimeter zone (routers etc., say in VLAN 10) on a switch and then have my DMZ (say VLAN 20) connected to the same switch? Each zone will be in a dedicated VLAN, but on the same switch. Of course a firewall will be connected to both VLANs for inter-VLAN routing/IPS.
I've seen this setup at a lot of places, but would like to hear your views.
Thanks
08-05-2018 08:55 AM - edited 08-05-2018 08:55 AM
Hello Mariner,
I don't see any kind of issue in this scenario. You could use VRF to isolate the traffic. I have many customers running this scenario.
I have customers running BGP in switches using VRF for this.
Regards,
08-05-2018 09:01 AM
Thanks, but the security audit is saying that a VLAN misconfiguration or a bug would cause the traffic to mix.
Not sure how to respond to that.
08-05-2018 09:02 AM
Also, this is purely for layer 2 services. No L3 involved, so VRF is not applicable here.
08-05-2018 10:49 AM
Hello
Bugs or misconfigs can happen on the FW too. :)
With two switches, more cabling is necessary because the server guys need to cable the servers to both switches. The complexity of the configuration grows and in the end you have the same topology, with more switches and cables.
In the past I saw customers start with two switches, one for the LAN and the other for the DMZ, and a few months later you have a cable between the switches.
I agree with @Reza Sharifi, I don't think this is a problem.
I suggest putting a VRF between the FW and the servers, because in this topology the FW doesn't need to learn every MAC address from the servers, doesn't need to handle multicast/broadcast traffic from the servers, etc.
Nowadays FWs have a large capacity for learning MAC addresses, but that is not their function.
Good Luck,
Regards,
08-05-2018 09:04 AM
Hi,
That should be fine. Whether you use one switch or two, the VLANs have to go to the firewall to communicate and that is where you want to deploy your policies anyway.
HTH
08-05-2018 09:08 AM
Yeah, that's correct. Policies are configured on the firewall and it is securing all the zones.
But they are talking about VLAN hopping, port misconfiguration or bugs. Is this something we should be concerned about?
08-05-2018 09:51 AM
But they are talking about VLAN hopping, port misconfiguration or bugs. Is this something we should be concerned about?
I don't think so.
Here is a document (page 15) on security best practices for layer-2 devices. As for misconfiguration and bugs, that could happen regardless of having one or two switches.
HTH
08-05-2018 12:09 PM
Thank you all for your comments. What if I told you that this is for a bank :) Convincing the auditors is harder than you might think :)
08-05-2018 03:12 PM
I would address this problem a little bit differently ...
If you configure everything correctly, the one-switch scenario is perfectly fine. And you really should look into device hardening (also with the document that Reza provided). But people make mistakes. And if you use separate switches, a misconfiguration will have less impact. And in a highly sensitive environment, a couple thousand bucks for separated hardware per security domain shouldn't be the problem.
That said: because of budget limits I most often combine the perimeter and public DMZ on one switch, and the internal DMZ and the internal network on other switches (for example the core).
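As an added illustration of the device hardening mentioned in this post and the VLAN-hopping concern raised above (constructed here, not taken from any post in this thread or from Cisco's document): an IOS-style configuration for the single shared switch, with the weak firewall trunk shown next to its hardened form. The interface names, the hostnames in the descriptions and VLAN 999 as an unused parking/native VLAN are assumptions.

```cisco
! Constructed example, not from the thread: one shared switch hosting the
! perimeter (VLAN 10) and the DMZ (VLAN 20). VLAN 999 is an assumed unused
! "parking" VLAN; the interface names are assumptions as well.
!
! Weak trunk towards the firewall: DTP negotiation left on, native VLAN 1,
! every VLAN allowed. This is the kind of port the audit is worried about.
interface GigabitEthernet1/0/1
 description FW-inside (weak, for comparison)
 switchport mode dynamic desirable
!
! Hardened trunk towards the firewall: DTP off, explicit VLAN list,
! untagged native VLAN that carries no hosts.
interface GigabitEthernet1/0/1
 description FW-inside
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
!
! Perimeter router port: static access, cannot be negotiated into a trunk.
interface GigabitEthernet1/0/2
 description perimeter-router
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! DMZ server port: same pattern, zone VLAN 20.
interface GigabitEthernet1/0/3
 description dmz-web
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Unused ports: parked in VLAN 999 and shut, so a mis-patched cable
! cannot land in either zone without a deliberate config change.
interface range GigabitEthernet1/0/4 - 24
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Checks to hand the auditor: the trunk must list only 10,20 and no port
! may show "Negotiation of Trunking: On".
! show interfaces trunk
! show interfaces GigabitEthernet1/0/1 switchport
```

The two `show` commands at the end are what you would capture as evidence that no port can negotiate itself into a trunk and that only the two zone VLANs reach the firewall.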
08-22-2021 10:46 AM
Thanks for the helpful inputs. What about using the core switch for the internal network and using the same switch with a separate L2 VLAN for external ISP terminations, i.e. WAN links directly on internal switches? How do you justify the risk vs. cost saving on switches for a small organization? Much appreciated if there is any doc which can help to identify the potential risks and challenges without a separate switch for the perimeter.
08-23-2021 07:32 AM
Hello @Laby Andrews,
There can be features unsupported on your core switches that you need, for example NAT.
So usually a router or firewall (ideally a pair in HA) is used to terminate the WAN links.
You need to check this basic aspect.
Hope to help
Giuseppe