Using promiscuous mode on a Catalyst vs. multiple DMZs on a firewall

All,

Thanks for the help in advance.

I am thinking about using the Catalyst switch in its promiscuous mode so I can segregate network connections for different servers. Others have suggested using DMZs on the firewalls for this.

What would be the major advantages and disadvantages of using either method?

If I use the multiple DMZ method, then I would have to get another switch where I have my DMZ VLANs created and somehow connect this switch to the internal network. But how would each DMZ know how to basically "converge" back to the internal network? Would it be on the firewall where this config would be placed? Would the fw have a LAN connection, and would all the DMZs it regulates filter to the LAN connection?

If I use a Catalyst switch in promiscuous mode, I can essentially segregate each network port as its own "DMZ" since each port is not supposed to know one another.

Anyone have any ideas as to which method is preferred?

Thanks!!

Reply to
toureg69

I don't understand what you mean by "promiscuous mode" on a switch??

I seem to be having trouble understanding what it is that you want to do. A few clues in your phrasing hint that possibly your first language is not English, but I see that your IP is in the USA, so perhaps I'm just not sufficiently awake as yet.

Reply to
Walter Roberson

Yes this is what I am referring to. Using PVLANs and assigning a "promiscuous port" to a PVLAN.

So my question(s) are:

  1. Using PVLANs as opposed to DMZs, which is the way to go?

  2. There will be several external connections that are terminating into our network. What I am trying to do is funnel this external traffic into our production network.

  3. If the DMZ method is the way to go, then I would assume the firewall is where I would funnel all the segregated traffic into the internal network.

Any help would be great!

Thanks!

Drake wrote:

Reply to
toureg69

Are you talking about Private VLANs? If so, promiscuous mode ports are the ones that can talk to all ports in the PVLAN. Isolated ports are segregated from other ports except for promiscuous mode ports.

Reply to
Drake
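The port rules Drake describes can be checked rather than assumed. The following is an added example, not code from this thread or from Cisco: a small Python model of private VLAN forwarding that encodes the promiscuous/isolated rules above, generalised to community ports as well (a community port reaches promiscuous ports and other ports of its own community), plus an audit that reports any server port reachable from another server port. The port names, VLAN numbers and the deliberately misconfigured port are constructed for the example.

```python
from dataclasses import dataclass
from itertools import permutations
from typing import Optional

# Port roles in a private VLAN (PVLAN). A primary VLAN carries one or more
# secondary VLANs; every host port belongs to exactly one secondary VLAN.
PROMISCUOUS = "promiscuous"  # e.g. the uplink toward the firewall or router
ISOLATED = "isolated"        # host port that may only talk to promiscuous ports
COMMUNITY = "community"      # host port that may also talk to its own community


@dataclass(frozen=True)
class Port:
    name: str
    role: str
    primary_vlan: int
    secondary_vlan: Optional[int] = None  # None for promiscuous ports


def can_forward(src: Port, dst: Port) -> bool:
    """True if a Layer-2 frame entering on src may be delivered out of dst."""
    if src is dst:
        return False
    if src.primary_vlan != dst.primary_vlan:
        return False  # different primary VLANs never exchange frames
    if PROMISCUOUS in (src.role, dst.role):
        return True   # promiscuous ports reach every port of the primary VLAN
    if src.role == COMMUNITY and dst.role == COMMUNITY:
        return src.secondary_vlan == dst.secondary_vlan
    return False      # isolated<->isolated and isolated<->community are blocked


def reachability(ports):
    """Set of (src, dst) port-name pairs that can exchange frames."""
    return {(a.name, b.name) for a, b in permutations(ports, 2) if can_forward(a, b)}


def exposed_servers(ports, server_names):
    """Server ports that another server port can reach; empty when segregation holds."""
    servers = set(server_names)
    return {dst for src, dst in reachability(ports) if src in servers and dst in servers}


# Constructed sample: one uplink plus three server ports, primary VLAN 100,
# isolated secondary VLAN 101 (names and numbers are assumptions).
UPLINK = Port("Gi0/1", PROMISCUOUS, 100)
GOOD_PORTS = [
    UPLINK,
    Port("Gi0/2", ISOLATED, 100, 101),
    Port("Gi0/3", ISOLATED, 100, 101),
    Port("Gi0/4", ISOLATED, 100, 101),
]
SERVERS = ["Gi0/2", "Gi0/3", "Gi0/4"]

# Same layout, but Gi0/2 was mistakenly configured promiscuous instead of isolated.
BAD_PORTS = [
    UPLINK,
    Port("Gi0/2", PROMISCUOUS, 100),
    Port("Gi0/3", ISOLATED, 100, 101),
    Port("Gi0/4", ISOLATED, 100, 101),
]


if __name__ == "__main__":
    print("correct config, exposed servers:", exposed_servers(GOOD_PORTS, SERVERS))
    print("misconfigured,  exposed servers:", exposed_servers(BAD_PORTS, SERVERS))
```

With the correct configuration the audit returns an empty set; with one server port accidentally made promiscuous, every server port becomes reachable from another server, which is exactly the segregation the original poster wants the switch to enforce.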

A DMZ should be physically separated and should have ACLs for control traffic to the servers in the DMZ. Control traffic is the first thing to consider.

What do you th

> Yes this is what I am referring to. Using PVLANs and assigning a

Reply to
Adul Salifa

I would say it's an advantage to control traffic using a DMZ. It seems it would be more scalable that way, than having to worry about regulating traffic on the switch side.

On the firewall itself, for example, let's say I had (5) DMZs connecting to five different external networks.

DMZ-1 - 10.0.1.0
DMZ-2 - 10.0.2.0
DMZ-3 - 10.0.3.0
DMZ-4 - 10.0.4.0
DMZ-5 - 10.0.5.0

I have a LAN interface IP address of 150.10.1.5.

How would I route all (5) DMZ networks into the LAN? I know on a router it would be something like:

ip route 10.0.1.0 255.255.255.240 150.10.1.5 and so on....

Would the same method hold true on a firewall?

Thanks for your help!

Adul Salifa wrote:

Reply to
toureg69
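To put the routing question and Adul Salifa's ACL point side by side, here is an added example, not code from this thread or from any firewall vendor: a Python model of a firewall with five DMZ interfaces and one LAN interface. It uses the networks and the LAN address from the post above, assumes /24 masks and that the firewall holds the .1 address on each DMZ (both assumptions), and shows two things: a network that sits on one of the firewall's own interfaces is a connected route, so no static route is needed for the firewall to reach it (the static routes matter for networks behind other routers), and what actually controls which DMZ traffic reaches the LAN is the per-interface policy. The interface names and the permitted flow are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Interface:
    name: str
    address: str            # firewall's own address on the segment, CIDR (assumed)
    trusted: bool = False   # True only for the inside/LAN interface
    # (proto, dst_port) flows this interface may initiate toward the LAN
    permit_to_lan: frozenset = frozenset()

    @property
    def network(self):
        return ip_network(self.address, strict=False)


class Firewall:
    """Toy model: connected routes derived from interface addresses, optional statics."""

    def __init__(self, interfaces):
        self.interfaces = {i.name: i for i in interfaces}
        self.static_routes = []   # (network, egress interface name)

    def add_static_route(self, prefix, via_iface):
        self.static_routes.append((ip_network(prefix), via_iface))

    def lookup(self, addr) -> Optional[str]:
        """Longest-prefix match over connected and static routes."""
        addr = ip_address(addr)
        candidates = [(i.network, i.name) for i in self.interfaces.values()]
        candidates += self.static_routes
        matches = [(net.prefixlen, name) for net, name in candidates if addr in net]
        return max(matches)[1] if matches else None

    def forward(self, src, dst, proto, dport):
        """Return (egress interface or None, reason) for one flow."""
        ingress, egress = self.lookup(src), self.lookup(dst)
        if ingress is None or egress is None:
            return None, "deny: no route"
        if ingress == egress:
            return None, "none: same segment, the switch delivers it locally"
        src_if, dst_if = self.interfaces[ingress], self.interfaces[egress]
        if src_if.trusted:
            return egress, "permit: LAN-initiated"
        if not dst_if.trusted:
            return None, "deny: DMZ-to-DMZ"
        if (proto, dport) in src_if.permit_to_lan:
            return egress, "permit: ACL"
        return None, "deny: ACL"


# Constructed firewall: the five DMZ networks and LAN address from the post,
# /24 masks and the .1 address on each DMZ are assumptions for the example.
FW = Firewall([
    Interface("inside", "150.10.1.5/24", trusted=True),
    Interface("dmz1", "10.0.1.1/24", permit_to_lan=frozenset({("tcp", 443)})),
    Interface("dmz2", "10.0.2.1/24"),
    Interface("dmz3", "10.0.3.1/24"),
    Interface("dmz4", "10.0.4.1/24"),
    Interface("dmz5", "10.0.5.1/24"),
])


if __name__ == "__main__":
    # No static route was added, yet every DMZ and the LAN are reachable.
    print(FW.lookup("150.10.1.20"), FW.lookup("10.0.3.7"))
    print(FW.forward("10.0.1.10", "150.10.1.20", "tcp", 443))  # permitted by ACL
    print(FW.forward("10.0.1.10", "150.10.1.20", "tcp", 22))   # blocked by ACL
    print(FW.forward("10.0.1.10", "10.0.2.10", "tcp", 443))    # DMZs stay apart
```

The model treats the LAN as the trusted side and lets it initiate anything toward a DMZ; in a real deployment that direction would get an ACL too, but the point of the example is that the DMZ-to-LAN path is decided by policy on the firewall, not by a route entry.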
