DMZ and Perimeter zone on the same switch

marine253
Level 1

Hello ,
Is it a good practice to have my perimeter zone ..routers etc.. (say in vlan 10) on a switch and then have my dmz (say vlan 20) connected to the same switch? Each zone will be in a dedicated vlan , but on the same switch. Of course a firewall will be connected to both vlans for inter-vlan routing/ips.
I've seen this setup at a lot of places , but would like to hear your views.
Thanks

cassiolange
Level 1

Hello Mariner,
I don't see any kind of issue in this scenario. You could use VRF to isolate the traffic. I have many customers running this scenario.
I have customers running BGP in switches using VRF for this.
Regards,

Thanks, but the security audit is saying that a VLAN misconfiguration or a bug would cause the traffic to mix.

Not sure how to respond to that.

Also, this is purely for layer 2 services. No L3 is involved, so VRF is not applicable here.

Hello

Bugs or misconfigs can happen on the FW too. :)
With two switches, more cabling is necessary because the server guys need to cable the servers to both switches. The complexity of the configuration grows, and in the end you have the same topology, with more switches and cables.

In the past I saw customers start with two switches, one for the LAN and the other for the DMZ, and a few months later you have a cable between the switches.
I agree with @Reza Sharifi, I don't think this is a problem.
I suggest putting a VRF between the FW and the servers, because in this topology the FW doesn't need to learn every MAC address from the servers and doesn't need to handle the multicast/broadcast traffic from the servers, etc.
Nowadays FWs have a large capacity for learning MAC addresses, but that is not their function.
Good Luck,
Regards,

Reza Sharifi
Hall of Fame

Hi,

That should be fine. Whether you use one switch or 2, the vlans have to go to the firewall to communicate and that is where you want to deploy your policies anyway.

HTH

Yeah, that's correct. Policies are configured on the firewall and it is securing all the zones.
But they are talking about VLAN hopping, port misconfiguration or bugs. Is this something we should be concerned about?

I don't think so.

Here is a document (page 15) on security best practices for layer-2 devices. As for misconfiguration and bugs, that could happen regardless of having one or 2 switches.

https://www.cisco.com/c/dam/global/en_ae/assets/exposaudi2009/assets/docs/layer2-attacks-and-mitigation-t.pdf

HTH
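The layer-2 hardening Reza's document covers is exactly the kind of thing an auditor can be shown as a repeatable check rather than a promise. The script below is an added example and not part of the thread or of any Cisco material: it parses an IOS-style configuration and flags interfaces that still carry the defaults that make VLAN hopping and port misconfiguration a concern (trunks with DTP negotiation left on, native VLAN left at 1, trunks allowing every VLAN, access ports left in VLAN 1 or without BPDU guard, unused ports not shut down). The sample configuration, interface names and VLAN numbers are constructed for the example; the perimeter/DMZ VLAN numbers follow the 10/20 used in the question.

```python
import re

# Constructed sample IOS-style configuration for the example (not taken from the thread).
# Gi1/0/1: trunk to the firewall carrying perimeter (10) and DMZ (20), hardened.
# Gi1/0/2: trunk left at defaults (DTP on, native VLAN 1, all VLANs allowed).
# Gi1/0/3: access port in the DMZ VLAN, hardened.
# Gi1/0/4: unused port left enabled with no configuration at all.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description Trunk to firewall
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 description Uplink left at defaults
 switchport mode trunk
!
interface GigabitEthernet1/0/3
 description DMZ web server
 switchport access vlan 20
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/4
!
"""


def parse_interfaces(config):
    """Return {interface_name: [stripped config lines]} for every interface stanza."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith("!"):
            current = None  # end of stanza
        elif current is not None and line.strip():
            interfaces[current].append(line.strip())
    return interfaces


def audit_interface(lines):
    """Return a list of hardening findings for one interface (empty list = no findings)."""
    findings = []
    has = lambda prefix: any(l.startswith(prefix) for l in lines)
    mode = None
    for l in lines:
        m = re.match(r"switchport mode (\S+)", l)
        if m:
            mode = m.group(1)

    if mode is None:
        # No explicit mode: on many IOS switches this means dynamic trunk
        # negotiation in VLAN 1 with the port up unless it is shut down.
        if not has("shutdown"):
            findings.append("no explicit switchport mode and not shut down (defaults to dynamic negotiation in VLAN 1)")
        return findings

    if mode == "trunk":
        if not has("switchport nonegotiate"):
            findings.append("trunk without 'switchport nonegotiate' (DTP still running)")
        if not has("switchport trunk native vlan"):
            findings.append("trunk native VLAN left at default 1")
        if not has("switchport trunk allowed vlan"):
            findings.append("trunk allows all VLANs; restrict it to the zones it must carry")
    elif mode == "access":
        if not has("switchport access vlan"):
            findings.append("access port left in VLAN 1")
        if not has("switchport nonegotiate"):
            findings.append("access port without 'switchport nonegotiate'")
        if not has("spanning-tree bpduguard enable"):
            findings.append("access port without BPDU guard")
    elif mode.startswith("dynamic"):
        findings.append(f"port in '{mode}' mode negotiates trunking; pin it to access or trunk")
    return findings


def audit_config(config):
    """Audit every interface; return {interface: [findings]} for interfaces with findings only."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        findings = audit_interface(lines)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Run against the sample, the firewall trunk and the DMZ server port come back clean, while the default trunk and the unconfigured port are reported. The check deliberately does not flag a trunk for carrying both VLAN 10 and 20: the firewall trunk in the question legitimately carries both zones, and the point is that every such trunk is explicit and pinned, not that the zones never share a cable.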
Thank you all for your comments. What if I told you that this is for a bank :) Convincing the auditors is harder than you might think :)

I would address this problem a little bit different ...

If you configure everything correctly, the one-switch scenario is perfectly fine. And you really should look into device hardening (also with the document that Reza provided). But people make mistakes. And if you use separate switches, a misconfiguration will have less impact. And in a highly sensitive environment, a couple thousand bucks for separate hardware per security domain shouldn't be the problem.

Having said that: because of budget limits I most often combine the perimeter and public DMZ on one switch, and the internal DMZ and the internal network on other switches (for example the core).

Thanks for the helpful inputs. What about using the core switch for the internal network and using the same switch with a separate L2 VLAN for external ISP terminations, i.e. WAN links directly on internal switches? How to justify the risk vs. cost saving on switches for a small organization? Much appreciated if there is any doc which can help to identify the potential risks and challenges w/o a separate switch for the perimeter.

Hello @Laby Andrews ,

There can be features unsupported on your core switches that you need, for example NAT.

So usually a router or firewall (ideally a pair in HA) is used to terminate the WAN links.
You need to check this basic aspect.
Hope to help

Giuseppe