Is it safe for external traffic (DMZ) and internal traffic (local LAN) separated by VLANs to be on the same Cisco 6509 switch?

Posted on 2011-03-23
Last Modified: 2012-05-11
Is it safe for external traffic (DMZ) and internal traffic (local LAN) separated by vlans to be on the same Cisco 6509 switch?
Question by:kns_admin

Expert Comment

ID: 35202699
I think it depends on what you mean by safe.
If you have 2 VLANs and the switch is layer 2 only (i.e. won't route between VLANs), and have the VLANs meet at a firewall, then this should be OK.

While VLANs are getting better and the devices are getting better, there are still some tricks that can sometimes allow a VLAN hop.  So it is important to ensure your setup of the VLANs and routing is spot on.

If the switch is a layer 3 switch, DON'T assign an IP address to the DMZ VLAN, and avoid the inside VLAN having an IP address if you can.  Make sure these meet at a firewall.

I still prefer to physically separate, but do use VLANs for the set of DMZ zones I have (I have 3 at the moment), where all 3 VLANs are trunked to my firewall and none of the DMZ VLANs on the switch have an IP assigned to them - layer 2 only.  Then my inside networks are on physically separate switches.

Safe and secure really depends on what you are trying to protect against.

e.g.: If you have a web server in the DMZ.  Your firewall allows port 80 to the web server.  At this point VLANs are fine as the traffic is via the firewall to the web server only.  BUT what happens if the hacker can run code on your web server?  What can the web server get access to?  If the web server is allowed to open a connection to your inside network (e.g. NT username/password check) then the hacker on your web server can do the same.  The VLAN is no less secure, as your rules allowed it to happen.  I do my best to say that a DMZ computer can NOT open a connection to anywhere, simply respond to inbound connections.  This way if a hacker gets on, they can back channel data on their inbound connection, but can't open a new connection to the net or other networks.


Expert Comment

ID: 35202942
I'd wager the biggest potential problem is misconfiguration, not actual VLAN-hopping attacks, and for that reason, I'd be inclined to put the DMZ on its own switch.  But, I agree, as long as there is no VLAN interface for the DMZ VLAN, it should be OK.

Expert Comment

ID: 35203131
Agree with above.
I'm OK with putting DMZ and local traffic on VLANs off the same switch, just not external public interfaces and DMZ and internal like I've seen some try to do.... (with and without actual VLANs -- oh, my!)

Author Comment

ID: 35206294
Thanks for the comments.

Our case is a website/app server with a public IP available to public which connects to a database server on our local LAN. The traffic between internal and external servers is controlled by our firewall.

Currently we have separate switches for our external public IP range. The idea is to get rid of separate switches and run everything on the core switch via VLANs. This would make management somewhat easier.

Cisco says that VLANs are as safe as physical ports but then goes on to talk about VLAN hopping and STP vulnerabilities. This is where my confusion lies.

Accepted Solution

m_walker earned 500 total points
ID: 35211154
When you think about security it is on many levels.
Are VLANs safe (yes and no)?  If configured correctly then they can be.  If the switch is not 100% spot on then the layer 3 level can become a router, thus bypassing your firewall.  If someone can connect to the switch (from outside) then they can re-program it to give more access to the inside of your network, and some layer 3 switches support NAT to make it easier.  So the trick is to make sure it's 100% locked down and IP addresses are not set up where they are not needed and so on.  The physical switch for outside means that if it's hacked, they can't get any more than they had before.

If your layer 2 switch only marks inbound packets with the VLAN ID if the ID is NOT set, then a remote user can pre-tag the packet with a different VLAN ID and could get a VLAN hop.  I use the word "could" as other things can affect this attack.
The basic idea here is...
Your inside network: VLAN ID 10
Remote user sends a packet with VLAN 10 set.
An incorrectly set up switch sees the ID 10 and puts that packet into VLAN 10, then does normal routing.
Simple fix here is to drop the VLAN tag ID (if set) and reset to the VLAN attached to that port.
Then the hacker puts VLAN ID 10 and then another VLAN ID 10 (or maybe the switch does not drop the VLAN tag, it simply adds the new one).  Then when the packet exits and the VLAN ID is dropped, the original one still exists, so a downstream switch (may have a mis-config) sees it.

To use a single switch on the outside and VLANs, make sure it's locked down 100%.  Make sure the outside VLAN is un-numbered (no IP address on the VLAN), make sure the outside VLAN is ONLY trunked to your firewall.  Make sure your vty connections can only come from an inside interface and restrict the IP as well.
Make sure you fully understand how the switch will deal with VLAN tagging and how that could have an effect somewhere else in your network.
At the very least don't use any real/routable IP addresses on the switch, e.g. 10.x.x.x, 172.16-172.31; at least that way most internet routers will drop the packet if sent to those IP addresses.

I think you get the picture: you can, and it can be safe, but you must get the config 100% and you must trust the VLAN process that the switch does.

At the end of the day it's risk management.  This means nothing is 100% safe, but is this good enough for the level of security that we need?  To be 100% safe you would not connect to the internet for starters.... but that's not an option.

good luck.
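The accepted answer's checklist (no IP on the DMZ VLAN, DMZ VLAN trunked only to the firewall, vty restricted to the inside, native-VLAN handling that does not expose you to double tagging) can be turned into an audit of a running config. The script below is an added example, not part of the thread or any vendor tool; it runs over a constructed IOS-style config and flags exactly those weak settings. The VLAN numbers, interface names and config text are all assumptions made up for the example.

```python
import re

# Constructed sample IOS config (not from the thread): DMZ is VLAN 20, inside is VLAN 10.
SAMPLE_CONFIG = """\
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
interface Vlan20
 ip address 203.0.113.1 255.255.255.0
interface GigabitEthernet1/1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
interface GigabitEthernet1/2
 switchport mode trunk
line vty 0 4
 transport input ssh
"""

def parse_stanzas(config):
    """Split an IOS config into (header, [indented sub-lines]) stanzas."""
    stanzas, header, body = [], None, []
    for line in config.splitlines():
        if line.startswith(" "):
            body.append(line.strip())
        else:
            if header:
                stanzas.append((header, body))
            header, body = line.strip(), []
    if header:
        stanzas.append((header, body))
    return stanzas

def audit(config, dmz_vlans):
    """Return one finding string per weak setting the accepted answer warns about."""
    findings = []
    for header, body in parse_stanzas(config):
        m = re.match(r"interface Vlan(\d+)$", header)
        if m and int(m.group(1)) in dmz_vlans and any(ln.startswith("ip address") for ln in body):
            findings.append(f"{header}: IP on DMZ VLAN, switch can route around the firewall")
        if header.startswith("interface") and "switchport mode trunk" in body:
            native = next((int(ln.split()[-1]) for ln in body
                           if ln.startswith("switchport trunk native vlan")), 1)
            if native == 1 or native in dmz_vlans:
                findings.append(f"{header}: native VLAN {native} is default/DMZ, double-tagging risk")
            if not any(ln.startswith("switchport trunk allowed vlan") for ln in body):
                findings.append(f"{header}: trunk carries all VLANs, DMZ not limited to firewall link")
        if header.startswith("line vty") and not any(ln.startswith("access-class") for ln in body):
            findings.append(f"{header}: no access-class, management not restricted to inside")
    return findings
```

Run against the sample, the hardened firewall trunk (Gi1/1) produces no findings, while the DMZ SVI, the unrestricted second trunk and the open vty lines are each reported.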
