Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2097
Views
1
Helpful
6
Replies

DMZ switches placement

timothy_MTS
Level 1
Level 1

‎07-04-2023 08:10 PM

Hello everyone,

The diagram attached shows my current office setup. We are going to replace the two c3560 switches (DMZ switches) by c9200L. As you may see that the two c3560 DMZ switches are connected to the access layer switches. I am thinking that the new c9200L switches are to be connected to our core Nexus 9300 switches through fiber optics 1G. Or maybe I can simply use the fiber optics to the Access layer switches with fiber (or just like the current one with 1000Base T cables).

Is there any security concerns if I connect the c9200 DMZ switches to the core switches?

Regards,

Timothy

Labels:
Preview file
173 KB
0 Helpful
6 Replies 6

Richard Burts
Hall of Fame
Hall of Fame

‎07-04-2023 09:10 PM

Timothy

There are some things in your diagram that I do not understand. It shows the 3560 connected to firewalls, as I would expect for DMZ switches. However the 9200 is shown as connected to core and not to firewall. How will 9200 DMZ function if it is not connected to firewall?

HTH

Rick
0 Helpful

M02@rt37
VIP
VIP

‎07-04-2023 09:48 PM

Hello @timothy_MTS,

Same question as @Richard Burts.

Please more elaborate. 

You talk about DMZ because SW3560 are connected to ASA's DMZ ports ?

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
0 Helpful

timothy_MTS
Level 1
Level 1

‎07-05-2023 02:27 PM

Oops sorry for that.

The c3560 switches are the existing switches connecting those ASA as well as the internet links. They are currently connected to the Access layer c2960XR switches, and then connected with the Core Nexus 9300 switches.

The new c9200L are the newly bought switches that are not in production, but just waiting for my action on what to configure next. And that means, once if I decided, I will get rid of those c3650 switches and replaced by these c9200L switches. And those port-channel between the Core Switches and c9200L are not implemented yet.

Thanks again.

Timothy

0 Helpful

MHM Cisco World
VIP
VIP
In response to timothy_MTS

‎07-06-2023 01:41 AM

if the OLD c3560 is connect to INside of ASA then new c9200L MUST connect to INside of ASA NOT to DMZ 

0 Helpful

timothy_MTS
Level 1
Level 1
In response to MHM Cisco World

‎07-06-2023 02:14 PM

Thanks @MHM Cisco World I will definitely do the same as the old c3560 to keep my live easier.

 

timothy_MTS
Level 1
Level 1

‎07-06-2023 02:45 PM - edited ‎07-06-2023 02:46 PM

I now attached another diagram to correct some misunderstandings.

In the diagram, those dotted lines are not connected. This is proposed only. I am not so sure if this is a good idea to place the DMZ switches directly with the Core Switches (Nexus 9300 series) rather than to the Access layer switches.

Preview file
156 KB
0 Helpful
Customers Also Viewed These Support Documents