vlans for security

3rdrealm · ‎02-04-2007

I have a Cisco Catalyst 4506 Series switch and a Sonicwall firewall. The firewall has 2 ports one for LAN the other for a DMZ, could I setup a vlan on the switch to divide the LAN and DMZ traffic from the firewall so I do not need another switch? Would this be a good idea, or is there something I am missing?

Jon Marshall · ‎02-04-2007

Hi

There are pros and cons to doing this. In short yes you can do this and provided you were careful with your configuration it would provide a decent level of security.

1) Firstly you need to get rid of Vlan 1. Get rid in that you do not use it for any type of traffic. If you currently manage your switch off vlan 1 or have users on it migrate them off it and use a different vlan for management. In aadition if you are using trunks in your network make the native vlan something other than vlan 1.

2) Obviously you will need to make sure that there is no layer 3 SVI for the DMZ and that it is only routed off the Sonicwall.

3) Have a quick read up on vlan hopping which may or may not make you think twice about using the same switch.

i have worked at places where they have used a 4500 to create all the DMZ interfaces but then a separate switch for the internal network. I would feel relatively comfortable with this but i would think twice about your setup as a configuration mistake could be quite serious.

I have also worked at sites where their level of security dicatated separate switches for each DMZ.

In the end it comes down to what you are trying to protect and the likelihood of someone wanting to get to it.

HTH

Jon

johnsonjb · ‎12-14-2007

Hi Jon

I'm just curious, why would one not want to use Vlan 1 for managment?

I have done some research but also wanted to get your reasoning.

Thanks

Jeff

Jon Marshall · ‎02-04-2007

Hi

Should have included this link in previous post. It's on vlan security:-

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml

HTH

Jon