
Internal Network and DMZ behind Fabric Interconnect


Need help with a design suggestion and the risks involved.

We have a Fabric Interconnect and servers/clusters behind that Fabric Interconnect.

These servers are grouped into clusters. One cluster is used for internal applications/converged infrastructure; the other cluster is dedicated to DMZ applications.

For the LAN/internal zone: DC-Agg switch --> Fabric Interconnect --> cluster dedicated to internal-zone applications
For the DMZ zone: DMZ-Agg switch --> Fabric Interconnect --> cluster dedicated to DMZ applications

L3 gateways for LAN/internal applications are configured on the DC-Agg LAN switch. L3 gateways for DMZ applications are configured on the DMZ-Agg switches.

The Fabric Interconnect has two uplinks to the DC-Agg switch, and we permitted the required VLANs on them (on both the switch and the FI).
There is another uplink from the same Fabric Interconnect to the DMZ switches, and the DMZ VLANs are permitted on it.

If a server/application hosted on the internal cluster wants to talk to a DMZ server:
Forward path: Internal server --(through Fabric Interconnect)--> DC-Agg LAN switch --> Firewall --> DMZ-Agg switch --(through Fabric Interconnect)--> DMZ server
Reverse path: DMZ server --(through Fabric Interconnect)--> DMZ-Agg switch --> Firewall --> DC-Agg LAN switch --(through Fabric Interconnect)--> Internal server

We have a firewall between these two networks. But since the DMZ and internal servers are behind the same Fabric Interconnect, is there any security risk?


Did anyone see a security risk? Thanks in advance.


Evan Mickel
Cisco Employee

You have effectively described a disjoint layer 2 network here if I am following you correctly:


This type of configuration is relatively common in UCS to segregate lanes of traffic and avoid the default UCS behavior, which is to forward all configured VLANs out of all configured uplinks.


So the concise answer to your question is no: as long as you've split up your VLANs and have verified that there is no crosstalk upstream, there shouldn't be any security concerns. This by no means serves as a qualification or full validation of your design, of course, but the theory is fine.
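The two conditions the reply hinges on, "split up your VLANs" and "no crosstalk", can be checked mechanically against the disjoint layer 2 layout. The script below is an added example, not code from the original thread or from Cisco; it models a fabric interconnect's uplinks, VLANs and vNICs as plain Python data (the uplink names, VLAN numbers and vNIC names are constructed for illustration, and the two DC-Agg uplinks are assumed to be bundled as one port-channel) and flags two leak paths: a VLAN that is forwarded toward both zones, and a vNIC that carries VLANs from both zones so a guest on the host could bridge them below the firewall. It encodes the default behaviour the reply describes: a configured VLAN with no explicit uplink assignment is treated as reachable on every uplink.

```python
"""Check a UCS-style disjoint layer 2 VLAN layout for zone crosstalk.

Added example using constructed data; it does not query UCS Manager.
"""

from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Fabric:
    # uplink name -> security zone its far end lands in ("internal" or "dmz")
    uplinks: dict[str, str]
    # every VLAN configured on the fabric interconnect
    configured_vlans: set[int]
    # VLAN -> uplinks it is explicitly assigned to (the disjoint L2 config)
    vlan_assignments: dict[int, set[str]] = field(default_factory=dict)


def vlan_uplinks(fabric: Fabric, vlan: int) -> set[str]:
    """Uplinks a VLAN can be forwarded on.

    Models the default named in the reply: a VLAN with no explicit uplink
    assignment is trunked out of every uplink, not dropped.
    """
    assigned = fabric.vlan_assignments.get(vlan, set())
    return set(assigned) if assigned else set(fabric.uplinks)


def vlan_zones(fabric: Fabric, vlan: int) -> set[str]:
    """Security zones a VLAN's frames can reach through the uplinks."""
    return {fabric.uplinks[u] for u in vlan_uplinks(fabric, vlan)}


def find_crosstalk(fabric: Fabric) -> list[int]:
    """VLANs that egress toward more than one zone, i.e. a path that skips
    the DC-Agg -> firewall -> DMZ-Agg route the post describes."""
    return sorted(v for v in fabric.configured_vlans if len(vlan_zones(fabric, v)) > 1)


def find_mixed_vnics(fabric: Fabric, vnics: dict[str, set[int]]) -> list[str]:
    """vNICs (name -> allowed VLANs) that carry VLANs from more than one zone.

    A host with such a vNIC can bridge internal and DMZ traffic itself,
    regardless of how clean the uplink split is.
    """
    bad = []
    for name, vlans in vnics.items():
        zones: set[str] = set()
        for v in vlans:
            zones |= vlan_zones(fabric, v)
        if len(zones) > 1:
            bad.append(name)
    return sorted(bad)


# Constructed layout matching the post: a port-channel of the two DC-Agg
# uplinks, and a single uplink to the DMZ-Agg switch (names are assumptions).
EXAMPLE = Fabric(
    uplinks={"Po1-DC-Agg": "internal", "Eth1/9-DMZ-Agg": "dmz"},
    configured_vlans={10, 20, 30, 100},
    vlan_assignments={
        10: {"Po1-DC-Agg"},
        20: {"Po1-DC-Agg"},
        100: {"Eth1/9-DMZ-Agg"},
        # VLAN 30 was added later and never assigned to an uplink group,
        # so by default it is trunked toward both zones.
    },
)

# Constructed vNIC -> VLAN assignments; "mixed-vnic" is the misconfiguration.
EXAMPLE_VNICS = {
    "internal-app-vnic": {10, 20},
    "dmz-web-vnic": {100},
    "mixed-vnic": {20, 100},
}

if __name__ == "__main__":
    print("VLANs reachable from both zones:", find_crosstalk(EXAMPLE))
    print("vNICs spanning both zones:", find_mixed_vnics(EXAMPLE, EXAMPLE_VNICS))
```

Run as-is the script reports VLAN 30 and `mixed-vnic`. In practice the two dictionaries would be filled from the FI's VLAN-to-uplink assignments and the service profiles' vNIC VLAN lists; the unassigned-VLAN case is the one worth automating, because a VLAN created after the disjoint L2 split silently falls back to all uplinks.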




