Is it safe for external traffic (DMZ) and internal traffic (local LAN) separated by VLANs to be on the same Cisco 6509 switch?

Posted on 2011-03-23
Last Modified: 2012-05-11
Question by: kns_admin

Expert Comment

ID: 35202699
I think it depends on what you mean by safe.
If you have 2 vlans and the switch is layer 2 only (i.e. won't route between vlans), and have the vlans meet at a firewall, then this should be OK.

While vlans are getting better and the devices are getting better, there are still some tricks that can sometimes allow a vlan hop.  So it is important to ensure your setup of the vlans and routing is spot on.

If the switch is a layer 3 switch, DON'T assign an IP address to the DMZ vlan, and avoid the inside vlan having an IP address if you can.  Make sure these meet at a firewall.

I still prefer to physically separate, but do use vlans for the set of DMZ zones I have (I have 3 at the moment), where all 3 vlans are trunked to my firewall and none of the DMZ vlans on the switch have an IP assigned to them - layer 2 only.  Then my inside networks are on physically separate switches.

Safe and secure really depends on what you are trying to protect against.

eg: If you have a web server in the DMZ.  Your firewall allows port 80 to the web server.  At this point vlans are fine as the traffic is via the firewall to the web server only.  BUT what happens if the hacker can run code on your web server?  What can the web server get access to?  If the web server is allowed to open a connection to your inside network (eg: NT username/password check) then the hacker on your web server can do the same.  The VLAN is no less secure as your rules allowed it to happen.  I do my best to say that a DMZ computer can NOT open a connection to anywhere, simply respond to inbound connections.  This way if a hacker gets on, they can back channel data on their inbound connection, but can't open a new connection to the net or other networks.


Expert Comment

ID: 35202942
I'd wager the biggest potential problem is misconfiguration, not actual VLAN-hopping attacks, and for that reason, I'd be inclined to put the DMZ on its own switch.  But, I agree, as long as there is no VLAN interface for the DMZ VLAN, it should be OK.

Expert Comment

ID: 35203131
Agree with above.
I'm OK with putting DMZ and local traffic on VLANs off the same switch, just not External Public interfaces and DMZ and Internal like I've seen some try to do.... (with and without actual VLANs -- oh, my!)

Author Comment

ID: 35206294
Thanks for the comments.

Our case is a website/app server with a public IP available to the public which connects to a database server on our local LAN. The traffic between internal and external servers is controlled by our firewall.

Currently we have separate switches for our external public IP range. The idea is to get rid of separate switches and run everything on the Core Switch via VLANs. This would make management somewhat easier.

Cisco says that VLANs are as safe as physical ports but then goes on to talk about VLAN hopping and STP vulnerabilities. This is where my confusion lies.

Accepted Solution

m_walker earned 500 total points
ID: 35211154
When you think about security it is on many levels.
Are VLANs safe (yes and no).  If configured correctly then they can be.  If the switch is not 100% spot on then the layer 3 level can become a router, thus bypassing your firewall.  If someone can connect to the switch (from outside) then they can re-program it to give more access to the inside of your network, and some layer 3 switches support NAT to make it easier.  So the trick is to make sure it's 100% locked down and IP addresses are not set up where they are not needed and so on.  The physical switch for outside means that if it's hacked, they can't get any more than they had before.

If your layer 2 switch only marks inbound packets with the VLAN ID if the ID is NOT set, then a remote user can pre-tag the packet with a different VLAN ID and could get a VLAN hop.  I use the word "could" as other things can affect this attack.
The basic idea here is...
Your inside network is VLAN ID 10.
Remote user sends a packet with VLAN 10 set.
An incorrectly set up switch sees the ID 10 and puts that packet into VLAN 10, then does normal routing.
Simple fix here is to drop the VLAN tag ID (if set) and reset to the VLAN attached to that port.
Then the hacker puts VLAN ID 10 and then another VLAN ID 10 (or maybe the switch does not drop the VLAN tag, it simply adds the new one).  Then when the packet exits and the VLAN ID is dropped, the original one still exists, so a downstream switch (which may have a mis-config).

To use a single switch on the outside and VLANs, make sure it's locked down 100%.  Make sure the outside VLAN is un-numbered (no IP address on the VLAN), make sure the outside VLAN is ONLY trunked to your firewall.  Make sure your vty connections can only come from an inside interface and restrict the IP as well.
Make sure you fully understand how the switch will deal with VLAN tagging and how that could have an effect somewhere else in your network.
At the very least don't use any real/routable IP addresses on the switch, eg: 10.x.x.x 172.16-172.31; at least that way most internet routes will drop the packet if sent to those IP addresses.

I think you get the picture, you can and it can be safe, but you must get the config 100% and you must trust the VLAN process that the switch does.

At the end of the day it's risk management.  This means nothing is 100% safe, but is this good enough for the level of security that we need?  To be 100% safe you would not connect to the internet for starters.... but that's not an option.

good luck.
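The lockdown checklist in the accepted answer (no IP address on the DMZ VLAN, outside VLAN trunked only to the firewall, vty access restricted) and the first comment's advice not to give the DMZ VLAN an address can be audited mechanically from the running config. This is an added example, not code from the thread; it assumes IOS-style configuration syntax, treats the native VLAN of a trunk as a setting worth flagging, and runs over a constructed sample config.

```python
import re

# Constructed sample IOS-style config (not from the thread); DMZ is VLAN 20.
SAMPLE_CONFIG = """\
interface Vlan20
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet1/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport trunk native vlan 999
!
interface GigabitEthernet1/2
 switchport mode trunk
!
line vty 0 4
 password cisco
"""

def _blocks(config: str):
    # Yield (header, body_lines) per top-level block; "!" and blank lines separate blocks.
    header, body = None, []
    for line in config.splitlines():
        if line.strip() in ("", "!"):
            continue
        if not line[0].isspace():  # an unindented line starts a new block
            if header is not None:
                yield header, body
            header, body = line.strip(), []
        else:
            body.append(line.strip())
    if header is not None:
        yield header, body

def audit_switch_config(config: str, dmz_vlans: set) -> list:
    # Flag the settings the accepted answer says must be locked down.
    findings = []
    for header, body in _blocks(config):
        svi = re.match(r"interface Vlan(\d+)$", header)
        if svi and int(svi.group(1)) in dmz_vlans and any(l.startswith("ip address") for l in body):
            findings.append(f"{header}: DMZ VLAN has an IP address, so the switch can route around the firewall")
        elif header.startswith("interface ") and "switchport mode trunk" in body:
            if not any(l.startswith("switchport trunk allowed vlan") for l in body):
                findings.append(f"{header}: trunk carries every VLAN by default; prune it to what the peer needs")
            native = next((l.split()[-1] for l in body if l.startswith("switchport trunk native vlan")), "1")
            if native == "1" or int(native) in dmz_vlans:
                findings.append(f"{header}: native VLAN {native} is default/DMZ; use an unused VLAN as native")
        elif header.startswith("line vty") and not any(l.startswith("access-class") for l in body):
            findings.append(f"{header}: no access-class, so management is reachable from any source address")
    return findings
```

Running `audit_switch_config(SAMPLE_CONFIG, {20})` reports the DMZ SVI, both problems on the unpruned trunk and the open vty line, and is silent on the pruned trunk to the firewall.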
