ASA5510 - Vlan Routing

Hi,

Please excuse me if these are silly questions and appreciate any help.

Here is the scenario:

-2x Cisco ASA 5510s (Stateful Failover - Active/Standby) with Inside, Outside, DMZ interfaces

-1x Allied Telesyn AT-8350GB

1>Does the ASA support routing between VLANs?

2>If so, would I be able to logically separate all hosts connected to the switch? So, for example, ports 3, 4 and 5 would be in VLAN 2, and VLAN 2 would be associated with the "Inside" interface on the ASA, and ports 5, 6 and 7 would be on VLAN 3, which would be the "DMZ" interface, etc.

3>Would I need to get a router to do the VLAN routing if the ASA won't work in this scenario, or would I need to purchase another 2x switches for each segment off the ASA? Or...?

Any help on this will be highly appreciated.

Thanks,

RobO


Yes.

Yes, if AT-8350GB supports 802.1Q VLANs.

The ASA should be all you need.

Note: if you are in a high security area, then it is not recommended to have multiple VLANs on the same switch, because historically on switches there have been attacks that allowed packets to cross between VLANs. As far as I have heard, [good quality] modern switches do not permit such attacks, but there is always the concern that "if it was done once before, someone might find a way to do it again, perhaps due to a bug in the code."

The attacks I am referring to required local switch access, but on the other hand if someone compromised a DMZ host then they could use that to launch the necessary packets.

It would not surprise me if some of the consumer switches permitted VLAN attacks; I would -expect- that any recent Allied Telesyn would be okay against the known attacks. It thus becomes a standard risk/cost decision, balancing the probability of "just maybe someday an attack might be found" times the probable cost to you if such an attack were to succeed, and comparing that to the cost of going with multiple switches.

I myself would feel comfortable running multiple VLANs on the same switch in my work environment, but that's because there would be easier ways to attack our network, and we don't have any finance systems in-house.

Walter Roberson
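As an added example (not from the thread, and not a config either poster supplied), here is the ASA-side configuration that does what question 2 describes: one physical port carries an 802.1Q trunk from the switch, VLAN 2 becomes the Inside interface and VLAN 3 the DMZ, and the ASA routes and filters between them. The port Ethernet0/1, the IP and standby addresses for the failover pair, and the access-list are assumptions; the switch side (the chosen ports untagged in VLAN 2 or 3, the uplink to the ASA tagged for both) depends on the AT-8350GB's own CLI and is not shown.

```cisco
! Added example for ASA 5510 routed mode. Ethernet0/1, addresses and the
! access-list are assumptions, not values from the thread.
!
! Physical port toward the switch: carries the 802.1Q trunk only. With no
! nameif here, untagged frames arriving on the trunk are not processed,
! so hosts cannot reach the ASA through the trunk's native VLAN.
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
! VLAN 2 (tagged) = "Inside". The standby address is for the failover pair.
interface Ethernet0/1.2
 vlan 2
 nameif inside
 security-level 100
 ip address 10.2.0.1 255.255.255.0 standby 10.2.0.2
!
! VLAN 3 (tagged) = "DMZ", lower security level than inside.
interface Ethernet0/1.3
 vlan 3
 nameif dmz
 security-level 50
 ip address 10.3.0.1 255.255.255.0 standby 10.3.0.2
!
! Inter-VLAN traffic is routed by the ASA and subject to its policy.
! dmz (50) -> inside (100) is denied by default; open only what is needed,
! then deny the rest of inside explicitly before allowing anything else.
access-list dmz_in extended permit tcp 10.3.0.0 255.255.255.0 host 10.2.0.10 eq 25
access-list dmz_in extended deny ip 10.3.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list dmz_in extended permit ip 10.3.0.0 255.255.255.0 any
access-group dmz_in in interface dmz
```

The trunk between switch and ASA should carry only VLANs 2 and 3 and use a native VLAN that has no hosts in it, which is the usual switch-side mitigation for the cross-VLAN attacks mentioned above.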

Walter,

Thanks for the valuable advice, much appreciated.

I was a bit concerned with regards to security, but if you're comfortable with it then so shall I.

Many thanks,

Rob

