Re: Catalyst 3750G / Network design question
- From: "stephen" <stephen_hope@xxxxxxxxxxxx>
- Date: Wed, 16 Aug 2006 15:03:45 GMT
"BernieM" <c@xxxxxxxxx> wrote in message news:GGlEg.12595$rP1.6313@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> <Bod43@xxxxxxxxxxxxx> wrote in message news:1155642888.919727.141140@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> > Merv wrote:
> > > ensure they implement your design with two separate switches
> > > The proposed installation is not best practice.
> > Not that I usually object to anyone spending money on network equipment,
> > however the 3750 seems overkill for the application described - that is,
> > two static VLANs.
> > Consider a 2960G (all GBE) for the inside and a 2950 (if they still do
> > them) for the outside, unless of course you have a GBE internet connection.
> > I would guess that you will still have change.
> > If you need Routing at wire rate then of course the 3750 is an excellent
> > choice. Maybe it's PoE that you need.
> That's a good point bod43. Even with a base IOS in a 3750 you still have
> stub routing and other L3 features not needed where a basic L2 switch will
> do the job. Gbit is definitely questionable. Even a 2960 10/100 sounds
> sufficient. Getting back to the security .. it's disturbing that people
> that should know better are actually recommending that sort of topology.
> While I'm a 'network engineer' by profession and my job doesn't involve
> direct responsibility for 'security' I've been around enough (15+ years) to
> know that nobody that wants to be taken seriously recommends vlan separation
> as a layer of security. Its use is strictly limited to separation of vlan
> broadcast domains. Sure you apply at least acl type restrictions when you
> need to have 'some form' of restrictions internally but never rely on it
> for 'security'.
If you use the Cat 6k firewall switch module, then all segregation is done
via VLAN.....
A lot of this came out of some tests where an engineer can build a packet to
jump from 1 VLAN to another.
But:
1. you need kit that doesn't stop this happening - at least the higher end
Cisco switches (i.e. 3560 / 3750 / Cat 6k) are proof against this attack.
2. the attacker needs layer 2 access to the network since they need to
manipulate MAC headers and vlan tags - which isn't normally directly
accessible across the Internet.
The assumption here is that you don't have routing enabled between segregated
vlans.
A much more sensible reason to avoid security barriers using vlans is "ease
of misconfiguration" - multiple secure VLANs on a switch with internal
routing support is a recipe for future problems from finger trouble....
FWIW we use both options at work - some "heavy" security is done by
physically separating networks and a firewall link between them.
But when you need lots of security zones and they are at comparable security
levels, then using VLAN segregation is appropriate and much easier than
managing dozens of different stackables (esp as Cisco don't make small
switches with dual power supplies) - YMMV of course.
--
Regards
stephen_hope@xxxxxxxxxxxx - replace xyz with ntl
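As an added illustration for readers of the thread (this is not part of stephen's post, nor any poster's configuration), here is the kind of Catalyst 3750 configuration that keeps the VLAN separation he describes honest: routing between the segregated VLANs stays off, host ports cannot negotiate themselves into a trunk, and the one deliberate trunk tags its native VLAN and carries an explicit VLAN list. Interface names, VLAN numbers (10 inside, 20 outside, 999 as the unused native VLAN) and the choice of Gi1/0/25 as the firewall trunk are assumptions made for the example.

```cisco
! Added example (not from the thread): hardening a 3750 that carries two
! static VLANs. Port numbers and VLAN IDs are assumptions for illustration.
!
! 1. Keep the box a pure L2 device: no inter-VLAN routing, so the only path
!    between "inside" and "outside" is the firewall.
no ip routing
!
! 2. Tag the native VLAN on 802.1Q trunks, so an untagged frame arriving on
!    a trunk is not silently placed into the native VLAN.
vlan dot1q tag native
!
vlan 10
 name inside
vlan 20
 name outside
vlan 999
 name unused-native
!
! 3. Host ports: fixed access mode with DTP off, so a connected device cannot
!    negotiate the port into a trunk.
interface range GigabitEthernet1/0/1 - 12
 description inside hosts
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
!
interface range GigabitEthernet1/0/13 - 24
 description outside hosts
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 spanning-tree portfast
!
! 4. The single intended trunk (to the firewall): an otherwise unused native
!    VLAN and an explicit allowed list, so no additional VLAN rides the trunk
!    by default when someone later adds one.
interface GigabitEthernet1/0/25
 description trunk to firewall
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
! 5. Checks against "finger trouble": any port listed here other than
!    Gi1/0/25 is trunking when it should not be, and "ip routing" must not
!    reappear in the running configuration.
! show interfaces trunk
! show running-config | include ip routing
```

The verification commands at the end are the practical answer to the "ease of misconfiguration" point: they are cheap to run after every change and catch the two mistakes (an unintended trunk, or routing quietly enabled) that turn VLAN separation into no separation at all.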