

Is it safe for external traffic (DMZ) and internal traffic (local LAN) separated by VLANs to be on the same Cisco 6509 switch?

Posted on 2011-03-23
Medium Priority
Last Modified: 2012-05-11
Question by:kns_admin

Expert Comment

ID: 35202699
I think it depends on what you mean by safe.
If you have 2 VLANs and the switch is layer 2 only (i.e. won't route between VLANs), and have the VLANs meet at a firewall, then this should be OK.

While VLANs are getting better and the devices are getting better, there are still some tricks that can sometimes allow a VLAN hop. So it is important to ensure your setup of the VLANs and routing is spot on.

If the switch is a layer 3 switch, DON'T assign an IP address to the DMZ VLAN, and avoid the inside VLAN having an IP address if you can. Make sure these meet at a firewall.

I still prefer to physically separate, but do use VLANs for the set of DMZ zones I have (I have 3 at the moment), where all 3 VLANs are trunked to my firewall and none of the DMZ VLANs on the switch have an IP assigned to them - layer 2 only. Then my inside networks are on physically separate switches.

Safe and secure really depends on what you are trying to protect against.

e.g.: If you have a web server in the DMZ. Your firewall allows port 80 to the web server. At this point VLANs are fine as the traffic is via the firewall to the web server only. BUT what happens if the hacker can run code on your web server? What can the web server get access to? If the web server is allowed to open a connection to your inside network (e.g. NT username/password check) then the hacker on your web server can do the same. The VLAN is no less secure as your rules allowed it to happen. I do my best to say that a DMZ computer can NOT open a connection to anywhere, simply respond to inbound connections. This way if a hacker gets on, they can back-channel data on their inbound connection, but can't open a new connection to the net or other networks.
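The checklist in the comment above (layer 2 only, no IP address on a DMZ VLAN, DMZ VLANs meeting only at the firewall) can be turned into a script that audits a switch configuration before the DMZ is moved onto the core. The Python below is an added example, not code from this thread or from Cisco. It reads a constructed IOS-style config that makes exactly those mistakes, and it also checks two points raised in the accepted answer further down: a vty access-class limited to inside addresses, and RFC 1918 addressing on the switch. The DMZ VLAN numbers (20-22), the firewall-facing port name (GigabitEthernet1/1) and the ACL name (MGMT) are assumptions for the demo.

```python
"""Audit a switch config for the DMZ-on-VLAN hardening points discussed in the thread.
Added example with a constructed config; VLAN numbers, port and ACL names are assumptions."""
import ipaddress

DMZ_VLANS = {20, 21, 22}              # assumed: the three DMZ VLANs the comment mentions
FIREWALL_PORT = "GigabitEthernet1/1"  # assumed: the only trunk allowed to carry them
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed IOS-style config that makes the mistakes the comment warns about.
SAMPLE_CONFIG = """\
ip routing
interface Vlan10
 ip address 10.1.1.1 255.255.255.0
interface Vlan20
 ip address 203.0.113.1 255.255.255.0
interface GigabitEthernet1/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20-22
interface GigabitEthernet1/2
 switchport mode trunk
ip access-list standard MGMT
 permit 10.1.1.0 0.0.0.255
line vty 0 4
 transport input ssh
"""

# The same config with each mistake corrected; the audit should come back clean.
HARDENED_CONFIG = (
    SAMPLE_CONFIG.replace("ip routing\n", "no ip routing\n")
    .replace(" ip address 203.0.113.1 255.255.255.0\n", "")
    .replace("GigabitEthernet1/2\n switchport mode trunk\n",
             "GigabitEthernet1/2\n switchport mode trunk\n switchport trunk allowed vlan 10\n")
    .replace(" transport input ssh\n", " access-class MGMT in\n transport input ssh\n")
)

def parse_sections(text):
    """Top-level lines plus (header, [indented lines]) blocks; blank lines and '!' end a block."""
    top, sections, cur = [], [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            cur = None
        elif line.startswith(" "):
            if cur is not None:
                cur[1].append(line.strip())
        else:
            cur = (line, [])
            sections.append(cur)
            top.append(line)
    return top, sections

def expand_vlans(spec):
    """'10,20-22' -> {10, 20, 21, 22}"""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def is_rfc1918(addr):
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)

def audit(config_text):
    """Return a list of findings; an empty list means every check passed."""
    top, sections = parse_sections(config_text)
    acls = {h.split()[-1]: b for h, b in sections if h.startswith("ip access-list standard ")}
    findings = []
    if "ip routing" in top:
        findings.append("ip routing enabled: the switch can route between VLANs, bypassing the firewall")
    for header, body in sections:
        name = header.split()[-1]
        if header.startswith("interface Vlan"):
            vid = int(name[4:])
            for addr in (l.split()[2] for l in body if l.startswith("ip address ")):
                if vid in DMZ_VLANS:
                    findings.append(f"{header}: DMZ VLAN {vid} has IP {addr}; keep DMZ VLANs layer 2 only")
                if not is_rfc1918(addr):
                    findings.append(f"{header}: {addr} is routable; use RFC 1918 space on the switch")
        elif header.startswith("interface ") and "switchport mode trunk" in body:
            allowed = [l for l in body if l.startswith("switchport trunk allowed vlan ")]
            carried = expand_vlans(allowed[0].split()[-1]) if allowed else set(DMZ_VLANS)
            if not allowed:
                findings.append(f"{name}: trunk allows all VLANs (DMZ included); prune the allowed list")
            if name != FIREWALL_PORT and carried & DMZ_VLANS:
                findings.append(f"{name}: carries DMZ VLAN(s) {sorted(carried & DMZ_VLANS)} but is not the firewall trunk")
        elif header.startswith("line vty"):
            ac = [l for l in body if l.startswith("access-class ")]
            if not ac:
                findings.append(f"{header}: no access-class; management reachable from any VLAN that reaches the switch")
                continue
            acl = ac[0].split()[1]
            for parts in (e.split() for e in acls.get(acl, [])):
                if parts[0] == "permit":
                    src = parts[2] if parts[1] == "host" else parts[1]
                    if src == "any" or not is_rfc1918(src):
                        findings.append(f"{header}: ACL {acl} permits management from {src}; allow inside addresses only")
    return findings

if __name__ == "__main__":
    for label, cfg in (("as found", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  -", f)
```

Run it as-is and the sample config produces six findings (inter-VLAN routing on, an IP on the DMZ VLAN that is also not RFC 1918, an unpruned trunk that carries the DMZ VLANs somewhere other than the firewall, and unrestricted vty access); the hardened copy produces none. To use it on a real switch, paste `show running-config` output in place of the sample and adjust the three assumed constants.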

LVL 18

Expert Comment

ID: 35202942
I'd wager the biggest potential problem is misconfiguration, not actual VLAN-hopping attacks, and for that reason, I'd be inclined to put the DMZ on its own switch.  But, I agree, as long as there is no VLAN interface for the DMZ VLAN, it should be OK.
LVL 79

Expert Comment

ID: 35203131
Agree with above.
I'm OK with putting DMZ and local traffic on VLANs off the same switch, just not External Public interfaces and DMZ and Internal like I've seen some try to do.... (with and without actual VLANs -- oh, my!)

Author Comment

ID: 35206294
Thanks for the comments.

Our case is a website/app server with a public IP available to public which connects to a database server on our local LAN. The traffic between internal and external servers is controlled by our firewall.

Currently we have separate switches for our external public IP range. The idea is to get rid of the separate switches and run everything on the Core Switch via VLANs. This would make management somewhat easier.

Cisco says that VLANs are as safe as physical ports but then goes on to talk about VLAN hopping and STP vulnerabilities. This is where my confusion lies.

Accepted Solution

m_walker earned 2000 total points
ID: 35211154
When you think about security it is on many levels.
Are VLANs safe? (Yes and no.) If configured correctly then they can be. If the switch is not 100% spot on then the layer 3 level can become a router, thus bypassing your firewall. If someone can connect to the switch (from outside) then they can re-program it to give more access to the inside of your network, and some layer 3 switches support NAT to make it easier. So the trick is to make sure it's 100% locked down and IP addresses are not set up where they are not needed, and so on. The physical switch for outside means that if it's hacked, they can't get any more than they had before.

If your layer 2 switch only marks inbound packets with the VLAN ID if the ID is NOT set, then a remote user can pre-tag the packet with a different VLAN ID and could get a VLAN hop. I use the word "could" as other things can affect this attack.
The basic idea here is...
Your inside network: VLAN ID 10.
Remote user sends a packet with VLAN 10 set.
An incorrectly set up switch sees the ID 10 and puts that packet into VLAN 10, then does normal routing.
Simple fix here is to drop the VLAN tag ID (if set) and reset to the VLAN attached to that port.
Then the hacker puts VLAN ID 10 and then another VLAN ID 10 (or maybe the switch does not drop the VLAN tag, it simply adds the new one). Then when the packet exits and the VLAN ID is dropped, the original one still exists, so a downstream switch (which may have a mis-config) sees it.

To use a single switch on the outside and VLANs, make sure it's locked down 100%. Make sure the outside VLAN is unnumbered (no IP address on the VLAN), and make sure the outside VLAN is ONLY trunked to your firewall. Make sure your vty connections can only come from an inside interface and restrict the IP as well.
Make sure you fully understand how the switch will deal with VLAN tagging and how that could have an effect somewhere else in your network.
At the very least don't use any real/routable IP addresses on the switch, e.g. use 10.x.x.x or 172.16-172.31; at least that way most internet routers will drop the packet if sent to those IP addresses.

I think you get the picture: you can, and it can be safe, but you must get the config 100% and you must trust the VLAN process that the switch does.

At the end of the day it's risk management. This means nothing is 100% safe, but is this good enough for the level of security that we need? To be 100% safe you would not connect to the internet for starters.... but that's not an option.

Good luck.
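The pre-tagged and double-tagged frames described in the accepted answer, modelled in Python as an added example (not code from the thread). It builds real 802.1Q frame bytes, runs them through three possible ingress behaviours of a DMZ access port (honour the inbound tag, keep the inbound tag and add the port's, or strip every inbound tag as the answer's "simple fix" says), then carries the frame over a trunk to a second switch. VLAN numbers, MAC addresses and the trunk's native VLAN are assumptions; the rule that the trunk's native VLAN leaves untagged is the standard 802.1Q mechanism behind "when the packet exits and the VLAN ID is dropped, the original one still exists".

```python
"""Model of 802.1Q handling at a switch port: the double-tag VLAN hop next to the
ingress behaviour that stops it. Added example; frames and switch behaviour are
simplified assumptions for illustration."""
import struct

TPID_8021Q = 0x8100   # 802.1Q tag protocol identifier
ETH_P_IP = 0x0800

DMZ_VLAN = 20         # assumed: VLAN of the DMZ access port the attacker controls
INSIDE_VLAN = 10      # assumed: the "inside network VLAN ID 10" of the answer


def build_frame(vlan_ids, payload=b"\x45" + b"\x00" * 19):
    """Ethernet II frame with 802.1Q tags stacked outermost-first (constructed MACs)."""
    frame = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    for vid in vlan_ids:
        # TPID followed by TCI: PCP/DEI zero, VID in the low 12 bits
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ETH_P_IP) + payload


def tags_of(frame):
    """VLAN IDs on the frame (outermost first) and the offset of the real EtherType."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids, off


def pop_tag(frame):
    """Remove the outermost tag; the caller guarantees there is one."""
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    """Add a tag on top of whatever tags the frame already carries."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]


def access_ingress(frame, port_vlan, policy):
    """Frame arriving on an access port assigned to port_vlan.

    "honour": the tag on the wire selects the VLAN (the incorrectly set up switch)
    "push":   port VLAN is used but the inbound tags stay on the frame
    "strip":  every inbound tag is discarded and the port VLAN is used (the fix)
    Returns (VLAN the frame is switched in, frame as carried inside the switch).
    """
    if policy not in ("honour", "push", "strip"):
        raise ValueError(policy)
    vids, off = tags_of(frame)
    if policy == "strip":
        return port_vlan, frame[:12] + frame[off:]
    if policy == "push" or not vids:
        return port_vlan, frame
    return vids[0], pop_tag(frame)


def trunk_egress(vlan, frame, native_vlan):
    """802.1Q trunk: the native VLAN leaves untagged, every other VLAN gets a tag."""
    return frame if vlan == native_vlan else push_tag(frame, vlan)


def trunk_ingress(frame, native_vlan):
    """Downstream switch: the outer tag selects the VLAN; untagged means native VLAN."""
    vids, _ = tags_of(frame)
    return (vids[0], pop_tag(frame)) if vids else (native_vlan, frame)


def deliver(attacker_tags, policy, native_vlan=DMZ_VLAN):
    """VLAN in which the downstream switch forwards a frame sent on the DMZ access port."""
    frame = build_frame(attacker_tags)
    vlan_a, carried = access_ingress(frame, DMZ_VLAN, policy)
    on_wire = trunk_egress(vlan_a, carried, native_vlan)
    vlan_b, _ = trunk_ingress(on_wire, native_vlan)
    return vlan_b


if __name__ == "__main__":
    for policy in ("honour", "push", "strip"):
        for native in (DMZ_VLAN, 999):
            landed = deliver([INSIDE_VLAN], policy, native)
            verdict = "VLAN HOP" if landed == INSIDE_VLAN else "contained"
            print(f"{policy:6} native={native:3}  tag [{INSIDE_VLAN}] lands in VLAN {landed:3}  {verdict}")
```

The "honour" switch hops regardless of the trunk setting; the "push" switch hops only when the DMZ VLAN is also the trunk's native VLAN, because the attacker's inner tag survives the untagged egress and the next switch reads it; the "strip" switch never hops. The two things that stop the hop on this switch are therefore the behaviour the answer recommends (discard inbound tags and re-tag from the port) and, for the trunk, a native VLAN that is an otherwise unused ID.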
