Is it safe for external traffic (DMZ) and internal traffic (local LAN) separated by VLANs to be on the same Cisco 6509 switch?

Posted on 2011-03-23
Last Modified: 2012-05-11
Is it safe for external traffic (DMZ) and internal traffic (local LAN) separated by vlans to be on the same Cisco 6509 switch?
Question by:kns_admin

Expert Comment

ID: 35202699
I think it depends on what you mean by safe.
If you have 2 VLANs and the switch is layer 2 only (i.e. won't route between VLANs), and have the VLANs meet at a firewall, then this should be OK.

While VLANs are getting better and the devices are getting better, there are still some tricks that can sometimes allow a VLAN hop.  So it is important to ensure your setup of the VLANs and routing is spot on.

If the switch is a layer 3 switch, DON'T assign an IP address to the DMZ VLAN, and avoid the inside VLAN having an IP address if you can.  Make sure these meet at a firewall.

I still prefer to physically separate, but do use VLANs for the set of DMZ zones I have (I have 3 at the moment), where all 3 VLANs are trunked to my firewall and none of the DMZ VLANs on the switch have an IP assigned to them - layer 2 only.  Then my inside networks are on physically separate switches.

Safe and secure really depends on what you are trying to protect against.

eg: If you have a web server in the DMZ.  Your firewall allows port 80 to the web server.  At this point VLANs are fine as the traffic is via the firewall to the web server only.  BUT what happens if the hacker can run code on your web server?  What can the web server get access to?  If the web server is allowed to open a connection to your inside network (eg: NT username/password check) then the hacker on your web server can do the same.  The VLAN is no less secure as your rules allowed it to happen.  I do my best to say that a DMZ computer can NOT open a connection to anywhere, simply respond to inbound connections.  This way if a hacker gets on, they can back channel data on their inbound connection, but can't open a new connection to the net or other networks.
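The policy described in this comment, as an added example that is not part of the original thread: a small stateful-firewall model in Python in which new connections from the Internet to the DMZ web server on port 80 are permitted and tracked, the server's replies ride those tracked connections, and any connection the DMZ host tries to open itself is dropped by the default deny. The zones, addresses, ports and rule names are constructed assumptions for this example.

```python
"""Model of the firewall policy the comment describes. Example code added to
this page, not from the thread: the zones, addresses, ports and rule names are
constructed assumptions. The firewall permits new connections from the Internet
to the DMZ web server on port 80, remembers them so the server can reply on
them, and drops any connection the DMZ host itself tries to open."""
from dataclasses import dataclass

OUTSIDE, DMZ, INSIDE = "outside", "dmz", "inside"
WEB_SERVER = "192.0.2.10"   # assumed DMZ web server address
DB_SERVER = "10.0.0.20"     # assumed inside database server address


def zone_of(ip):
    """Map an address to a zone (prefixes chosen for this example only)."""
    if ip.startswith("192.0.2."):
        return DMZ
    if ip.startswith("10."):
        return INSIDE
    return OUTSIDE


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True when the packet tries to open a new connection


class StatefulFirewall:
    """Rules are consulted only for new connections; everything else must
    match a connection already recorded in the state table."""

    def __init__(self, rules):
        self.rules = rules
        self.table = set()  # (client, client_port, server, server_port)

    def allow(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table or rev in self.table:
            return True  # reply or continuation of a permitted connection
        if not pkt.syn:
            return False  # mid-stream packet with no state: dropped
        for rule in self.rules:
            if rule(zone_of(pkt.src), zone_of(pkt.dst), pkt):
                self.table.add(fwd)
                return True
        return False  # default deny, including everything the DMZ initiates


def outside_to_web(src_zone, dst_zone, pkt):
    """Inbound HTTP to the web server only."""
    return src_zone == OUTSIDE and dst_zone == DMZ and pkt.dst == WEB_SERVER and pkt.dport == 80


def inside_to_anywhere(src_zone, dst_zone, pkt):
    """Inside hosts may open connections outward."""
    return src_zone == INSIDE


def dmz_to_db(src_zone, dst_zone, pkt):
    """The rule the comment warns about: once the web server may open
    connections to the inside DB, anyone running code on it may too."""
    return pkt.src == WEB_SERVER and pkt.dst == DB_SERVER and pkt.dport == 1433


def run_scenario(permit_db=False):
    """Return the firewall's decision for each step of the scenario."""
    rules = [outside_to_web, inside_to_anywhere]
    if permit_db:
        rules.append(dmz_to_db)
    fw = StatefulFirewall(rules)
    client = "198.51.100.7"  # constructed Internet client address
    return {
        # a browser on the Internet opens a connection to the web server
        "client_syn": fw.allow(Packet(client, 40000, WEB_SERVER, 80, syn=True)),
        # the server's answer rides the same connection and needs no rule
        "server_reply": fw.allow(Packet(WEB_SERVER, 80, client, 40000, syn=False)),
        # code running on the web server tries to open new connections
        "dmz_to_db": fw.allow(Packet(WEB_SERVER, 51000, DB_SERVER, 1433, syn=True)),
        "dmz_to_internet": fw.allow(Packet(WEB_SERVER, 51001, "203.0.113.5", 443, syn=True)),
    }


if __name__ == "__main__":
    for permit in (False, True):
        print(f"permit_db={permit}: {run_scenario(permit)}")
```

With `permit_db=False` the web server can answer its client but cannot reach the database or the Internet; with `permit_db=True` the DMZ-to-database connection succeeds, which is exactly the comment's point that a permitted path is available to whoever controls the DMZ host, VLAN or no VLAN.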

LVL 18

Expert Comment

ID: 35202942
I'd wager the biggest potential problem is misconfiguration, not actual VLAN-hopping attacks, and for that reason, I'd be inclined to put the DMZ on its own switch.  But, I agree, as long as there is no VLAN interface for the DMZ VLAN, it should be OK.
LVL 79

Expert Comment

ID: 35203131
Agree with above.
I'm OK with putting DMZ and local traffic on VLANs off the same switch, just not external public interfaces and DMZ and internal like I've seen some try to do.... (with and without actual VLANs -- oh, my!)
Author Comment

ID: 35206294
Thanks for the comments.

Our case is a website/app server with a public IP available to public which connects to a database server on our local LAN. The traffic between internal and external servers is controlled by our firewall.

Currently we have separate switches for our external public IP range. The idea is to get rid of separate switches and run everything on the core switch via VLANs. This would make management somewhat easier.

Cisco says that VLANs are as safe as physical ports but then goes on to talk about VLAN hopping and STP vulnerabilities. This is where my confusion lies.

Accepted Solution

m_walker earned 500 total points
ID: 35211154
When you think about security it is on many levels.
Are VLANs safe (yes and no).  If configured correctly then they can be.  If the switch is not 100% spot on then the layer 3 level can become a router, thus bypassing your firewall.  If someone can connect to the switch (from outside) then they can re-program it to give more access to the inside of your network, and some layer 3 switches support NAT to make it easier.  So the trick is to make sure it's 100% locked down and IP addresses are not set up where they are not needed and so on.  The physical switch for outside means that if it's hacked, they can't get any more than they had before.

If your layer 2 switch only marks inbound packets with the VLAN ID if the ID is NOT set, then a remote user can pre-tag the packet with a different VLAN ID and could get a VLAN hop.  I use the word "could" as other things can affect this attack.
The basic idea here is...
Your inside network: VLAN ID 10.
Remote user sends a packet with VLAN 10 set.
An incorrectly set up switch sees the ID 10 and puts that packet into VLAN 10, then does normal routing.
Simple fix here is to drop the VLAN tag ID (if set) and reset it to the VLAN attached to that port.
Then the hacker puts VLAN ID 10 and then another VLAN ID 10 (or maybe the switch does not drop the VLAN tag, it simply adds the new one).  Then when the packet exits and the VLAN ID is dropped, the original one still exists, so a downstream switch (which may have a mis-config)...

To use a single switch on the outside and VLANs, make sure it's locked down 100%.  Make sure the outside VLAN is un-numbered (no IP address on the VLAN).  Make sure the outside VLAN is ONLY trunked to your firewall.  Make sure your vty connections can only come from an inside interface and restrict the IP as well.
Make sure you fully understand how the switch will deal with VLAN tagging and how that could have an effect somewhere else in your network.
At the very least don't use any real/routable IP addresses on the switch, eg: 10.x.x.x, 172.16-172.31; at least that way most internet routes will drop the packet if sent to those IP addresses.

I think you get the picture, you can and it can be safe, but you must get the config 100% and you must trust the vlan process that the switch does.

At the end of the day it's risk management.  This means nothing is 100% safe, but is this good enough for the level of security that we need?  To be 100% safe you would not connect to the internet for starters.... but that's not an option.

good luck.
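The checklist in the accepted solution (no IP address on the outside VLAN, the outside VLAN trunked only to the firewall, vty access restricted, and a clear handling of native-VLAN tagging on trunks), as an added example that is not code from the thread or from Cisco: a Python script that audits an IOS-style switch configuration for those points. The two configurations embedded below are constructed for this example, and the VLAN numbers (10 inside, 20 DMZ, 999 unused native), port names and the standard ACL number 10 are assumptions. The IOS commands used (`switchport trunk native vlan`, `switchport trunk allowed vlan`, `switchport nonegotiate`, `vlan dot1q tag native`, `access-class ... in`) are real, but the audit's reading of them is deliberately simplified.

```python
"""Audit a Cisco IOS-style switch config against the VLAN hardening points
raised in the accepted solution. Example code added to this page, not from
the thread; both configs below are constructed, and the VLAN numbers, port
names and ACL number are assumptions."""
import re

# Constructed "before" config: the DMZ VLAN 20 has an SVI (the switch can
# route for it), trunks keep native VLAN 1 with DTP enabled and carry every
# VLAN, and the vty lines accept logins from any source.
WEAK_CONFIG = """\
vlan 10
 name INSIDE
vlan 20
 name DMZ
interface Vlan20
 ip address 192.0.2.1 255.255.255.0
interface GigabitEthernet1/1
 description to-firewall
 switchport mode trunk
interface GigabitEthernet1/2
 description to-access-switch
 switchport mode trunk
line vty 0 4
 transport input ssh
"""

# Constructed "after" config applying the advice: no IP on the DMZ VLAN, the
# DMZ VLAN allowed only on the firewall trunk, an unused native VLAN that is
# also tagged (so an inner tag is never exposed when the outer one is popped),
# DTP negotiation off, and vty limited to an inside management subnet.
HARDENED_CONFIG = """\
vlan 10
 name INSIDE
vlan 20
 name DMZ
vlan 999
 name UNUSED-NATIVE
vlan dot1q tag native
access-list 10 permit 10.0.0.0 0.0.0.255
interface GigabitEthernet1/1
 description to-firewall
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
interface GigabitEthernet1/2
 description to-access-switch
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10
line vty 0 4
 access-class 10 in
 transport input ssh
"""


def parse_sections(config):
    """Split an IOS config into top-level lines and their indented children."""
    top_level, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections[current] = []
            top_level.append(current)
    return top_level, sections


def expand_vlan_list(spec):
    """Expand an allowed-VLAN spec such as '10,20,30-32' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            low, high = part.split("-")
            vlans.update(range(int(low), int(high) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def audit(config, dmz_vlan, firewall_ports):
    """Return (finding, location) pairs; an empty list means every check passed."""
    top_level, sections = parse_sections(config)
    findings = []
    svi = sections.get(f"interface Vlan{dmz_vlan}", [])
    if any(line.startswith("ip address") for line in svi):
        findings.append(("dmz-svi", f"interface Vlan{dmz_vlan}"))  # switch can route the DMZ
    if "vlan dot1q tag native" not in top_level:
        findings.append(("native-untagged", "global"))
    for header, lines in sections.items():
        if not header.startswith("interface ") or "switchport mode trunk" not in lines:
            continue
        port = header.split(" ", 1)[1]
        if "switchport nonegotiate" not in lines:
            findings.append(("dtp-enabled", port))
        native, allowed = 1, None  # IOS defaults: native VLAN 1, all VLANs allowed
        for line in lines:
            m = re.match(r"switchport trunk native vlan (\d+)$", line)
            if m:
                native = int(m.group(1))
            m = re.match(r"switchport trunk allowed vlan (\S+)$", line)
            if m:
                allowed = expand_vlan_list(m.group(1))
        if native == 1 or native == dmz_vlan or (allowed is not None and native in allowed):
            findings.append(("native-vlan", port))  # native VLAN must be unused
        if (allowed is None or dmz_vlan in allowed) and port not in firewall_ports:
            findings.append(("dmz-vlan-leak", port))  # DMZ VLAN trunked past the firewall
    for header, lines in sections.items():
        if header.startswith("line vty") and not any(l.startswith("access-class") for l in lines):
            findings.append(("vty-unrestricted", header))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg, dmz_vlan=20, firewall_ports={"GigabitEthernet1/1"}))
```

Run against the weak config the audit reports the SVI on VLAN 20, DTP and native VLAN 1 on both trunks, the DMZ VLAN leaking onto the access-switch trunk, no native-VLAN tagging and an unrestricted vty; the hardened config produces no findings. It is a checklist, not proof that the switch is "100% spot on": it does not see the firewall's rules, the STP settings the author asked about, or the behaviour of downstream switches.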

Author Closing Comment

ID: 35324482
