wilsj asked:
cat 2960
Hey All,
We just got some new Cisco 2960 switches. I was wondering if it is ok to put the DMZ on this switch along with other networks. For example, could I leave the DMZ in the native VLAN and just plug the DMZ interface into the switch as well and still configure other VLANs on this switch, or should the DMZ be on its own separate switch?
That depends. Mostly on your security requirements. It would be most secure to have physical separation of DMZ vs. inside switches, but that's a big waste for 2-3 ports to be used in a DMZ. VLANs are fine, just don't use the native VLAN for the DMZ. Create a new VLAN for the DMZ and assign the ports you need to that VLAN.
ASKER
Ok, a couple of questions. Let's say I use VLAN32:
1. I would put the DMZ interface of the PIX in VLAN32 along with the servers, right?
2. Would I have to create an ip route statement to point to the DMZ interface of the PIX? Or would this send the other VLAN traffic to the PIX interface as well?
1. Correct.
2. No. This would be a pure L2 connection. No other traffic from any other VLAN would hit the PIX. The PIX's DMZ interface would be the default gateway for the DMZ servers.
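To make irmoore's two answers concrete, here is an added example of the 2960 side of that design (this is not configuration from wilsj or irmoore). It assumes a 24-port 2960 with FastEthernet0/1-5 used for the DMZ (Fa0/5 being the PIX DMZ interface), the remaining ports unused, and the switch managing its own VLAN database (VTP transparent); if the 2960 is a VTP client, VLAN 32 is created on the VTP server instead and shows up here on its own. The point the config makes is the one from the thread: VLAN 32 is a pure L2 segment, the PIX is the only gateway, and VLAN 1 is left empty.

```cisco
! Added example config, not the thread's own. Interface numbers and the
! choice of VLAN 32 for the DMZ follow the thread; everything else is assumed.
!
! 1. Dedicated DMZ VLAN; nothing stays in VLAN 1 (the default native VLAN).
vtp mode transparent
vlan 32
 name DMZ
!
! 2. Access ports for the DMZ servers and the PIX DMZ interface.
!    "mode access" plus "nonegotiate" turns off DTP, so a host on one of
!    these ports cannot negotiate a trunk and reach another VLAN.
!    BPDU guard errdisables the port if a switch is plugged in instead.
interface range FastEthernet0/1 - 5
 description DMZ (Fa0/5 = PIX DMZ interface)
 switchport mode access
 switchport access vlan 32
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 no shutdown
!
! 3. Unused ports are shut so nothing can be patched into the DMZ by accident.
interface range FastEthernet0/6 - 24
 description unused
 shutdown
!
! 4. No "interface vlan 32" anywhere: the switch has no L3 presence in the
!    DMZ, so the only path out of VLAN 32 is the PIX DMZ interface, and no
!    "ip route" is needed on the switch for the other VLANs to stay away.
!
! Checks after applying:
!   show vlan brief                            -> Fa0/1-5 under VLAN 32, nothing else
!   show interfaces FastEthernet0/1 switchport -> Operational Mode: static access
!   show ip interface brief                    -> no Vlan32 SVI present
```

The two checks that matter for the security question are the last two: an access port that reports "dynamic" instead of "static access" can still be talked into trunking, and an SVI in VLAN 32 would give the switch an L3 foothold in the DMZ that the PIX never sees.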
ASKER
Ok, one more question hopefully.
1. If I create other VLANs on this switch and create a trunk port to my 3560 and configure VTP, will all the traffic go where it is supposed to? Or am I missing something?
ASKER CERTIFIED SOLUTION
ASKER
That is the version that I have.
I believe I will keep the DMZ to one switch. We don't need that many ports anyway.
So for that I would just enable VTP pruning on the VTP server switch, right?
ASKER
Thanks a lot for your help again, irmoore. This is what I did and everything works fine.
1. Created vlan32
2. Enabled VTP pruning
3. Added the 2960 to the VTP domain
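For anyone landing on this thread later, here is an added example of what those three steps look like on the two switches, with the trunk settings that actually keep the DMZ on the one switch (this is not wilsj's or irmoore's config). It assumes the 3560 is the VTP server, the 2960 joins as a VTP client over GigabitEthernet0/1 on both sides, the inside networks are VLANs 10 and 20, VLAN 999 is an otherwise unused ID for the trunk's native VLAN, and the VTP password is a placeholder.

```cisco
! Added example config, not the thread's own. VLAN 32 follows the thread;
! VLANs 10/20/999, interface numbers, domain name and password are assumed.
!
! --- 3560: VTP server, creates the VLANs and turns on pruning ---
vtp domain CORP
vtp version 2
vtp password VTP-PASSWORD-PLACEHOLDER
vtp mode server
vtp pruning
vlan 10
 name INSIDE_USERS
vlan 20
 name INSIDE_SERVERS
vlan 32
 name DMZ
vlan 999
 name NATIVE_UNUSED
!
interface GigabitEthernet0/1
 description Trunk to 2960
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
!
! --- 2960: VTP client, learns the VLAN database from the 3560 ---
! Set the domain name before anything else: a switch with a higher VTP
! configuration revision than the server would otherwise overwrite the
! domain's VLAN database when it joins, and changing the domain name
! resets the revision on this switch to 0.
vtp domain CORP
vtp version 2
vtp password VTP-PASSWORD-PLACEHOLDER
vtp mode client
!
interface GigabitEthernet0/1
 description Trunk to 3560
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
!
! Checks:
!   show vtp status         -> same domain and revision on both, Pruning Mode: Enabled
!   show interfaces trunk   -> Native vlan 999; "Vlans allowed on trunk" = 10,20 only;
!                              VLAN 32 absent from "forwarding state and not pruned"
```

Two things worth keeping in mind about the "VTP pruning" step. Pruning only stops the 3560 from flooding VLAN 32 traffic down the trunk while no port on the 3560 is in VLAN 32; the moment someone assigns one, VTP un-prunes it and the DMZ is on both switches. The explicit allowed list on the trunk is what enforces "DMZ on one switch", and it also keeps VLAN 1 off the trunk. Moving the native VLAN to an unused ID is the practical form of irmoore's "don't use the native VLAN for the DMZ": untagged frames arriving on the trunk then have no real VLAN to land in.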