Using promiscuous mode on a catalyst vs. multiple dmzs on a firewall

Discussion in 'Cisco' started by toureg69@yahoo.com, Dec 9, 2006.

  1. Guest

    All,

    Thanks for the help in advance.

    I am thinking about using the catalyst switch in its promiscuous mode
    so I can segregate network connections for different servers. Others
    have expressed using DMZs on the firewalls for this.

    What would be the major advantages and disadvantages of using either
    method?

    If I use the multiple DMZ method, then I would have to get another
    switch where I have my DMZ VLANs created and somehow connect this
    switch to the internal network. But how would each DMZ know how to
    basically "converge" back to the internal network? Would it be on the
    firewall where this config would be placed? Would the fw have a LAN
    connection, and would all the DMZs it regulates filter to the LAN connection?

    If I use a catalyst switch in promiscuous mode, I can essentially
    segregate each network port as its own "DMZ" since each port is not
    supposed to know one another.


    Anyone have any ideas as to which method is preferred?

    Thanks!!
    , Dec 9, 2006
    #1

  2. In article <>,
    <> wrote:

    >I am thinking about using the catalyst switch in its promiscuous mode
    >so I can segregate network connections for different servers. Others
    >have expressed using DMZs on the firewalls for this.


    I don't understand what you mean by "promiscuous mode" on
    a switch??

    I seem to be having trouble understanding what it is that you want
    to do. A few clues in your phrasing hint that possibly your first
    language is not English, but I see that your IP is in the USA, so
    perhaps I'm just not sufficiently awake as yet.
    Walter Roberson, Dec 9, 2006
    #2

  3. Guest

    Yes this is what I am referring to. Using PVLANs and assigning a
    "promiscuous port" to a PVLAN.


    So my question(s) are:

    1. Using PVLANs as opposed to DMZs, which is the way to go?

    2. There will be several external connections that are terminating into
    our network. What I am trying to do is funnel this external traffic
    into our production network.

    3. If the DMZ method is the way to go, then I would assume on the
    firewall is where I would funnel all the segregated traffic into
    the internal network.

    Any help would be great!


    Thanks!



    Drake wrote:
    > <> wrote in message
    > news:...
    > > All,

    >
    > <Snip>
    >
    > > If I use a catalyst switch in promiscuous mode, I can essentially
    > > segregate each network port as its own "DMZ" since each port is not
    > > supposed to know one another.
    > >

    > Are you talking about Private VLANs? If so, promiscuous mode ports
    > are the ones that can talk to all ports in the PVLAN. Isolated ports are
    > segregated from other ports except for promiscuous mode ports.
    >
    >
    >
    >
    >
    > --
    > Posted via a free Usenet account from http://www.teranews.com
    , Dec 9, 2006
    #3
  4. Drake Guest

    <> wrote in message
    news:...
    > All,


    <Snip>

    > If I use a catalyst switch in promiscuous mode, I can essentially
    > segregate each network port as its own "DMZ" since each port is not
    > supposed to know one another.
    >

    Are you talking about Private VLANs? If so, promiscuous mode ports
    are the ones that can talk to all ports in the PVLAN. Isolated ports are
    segregated from other ports except for promiscuous mode ports.





    --
    Posted via a free Usenet account from http://www.teranews.com
    Drake, Dec 9, 2006
    #4
  5. Adul Salifa Guest

    DMZs should be physically separated and should have ACLs to control
    traffic to the servers in the DMZ. Controlling traffic is the first thing to consider.

    What do you think about physical separation? Advantages and disadvantages?

    wrote:
    > Yes this is what I am referring to. Using PVLANs and assigning a
    > "promiscuous port" to a PVLAN.
    >
    >
    > So my question(s) are:
    >
    > 1. Using PVLANs as opposed to DMZs, which is the way to go?
    >
    > 2. There will be several external connections that are terminating into
    > our network. What I am trying to do is funnel this external traffic
    > into our production network.
    >
    > 3. If the DMZ method is the way to go, then I would assume on the
    > firewall is where I would funnel all the segregated traffic into
    > the internal network.
    >
    > Any help would be great!
    >
    >
    > Thanks!
    >
    >
    >
    > Drake wrote:
    > > <> wrote in message
    > > news:...
    > > > All,

    > >
    > > <Snip>
    > >
    > > > If I use a catalyst switch in promiscuous mode, I can essentially
    > > > segregate each network port as its own "DMZ" since each port is not
    > > > supposed to know one another.
    > > >

    > > Are you talking about Private VLANs? If so, promiscuous mode ports
    > > are the ones that can talk to all ports in the PVLAN. Isolated ports are
    > > segregated from other ports except for promiscuous mode ports.
    > >
    > >
    > >
    > >
    > >
    > > --
    > > Posted via a free Usenet account from http://www.teranews.com
    Adul Salifa, Dec 10, 2006
    #5
  6. Guest

    I would say it's an advantage to control traffic using a DMZ. It seems
    it would be more scalable that way, than having to worry about
    regulating traffic on the switch side.

    On the firewall itself, for example, let's say I had (5) DMZs
    connecting to five different external networks.

    DMZ-1 - 10.0.1.0
    DMZ-2 - 10.0.2.0
    DMZ-3 - 10.0.3.0
    DMZ-4 - 10.0.4.0
    DMZ-5 - 10.0.5.0

    I have a LAN interface IP address of 150.10.1.5.

    How would I route all (5) DMZ networks into the LAN? I know on a
    router it would be something like:

    ip route 10.0.1.0 255.255.255.240 150.10.1.5 and so on....

    Would the same method hold true on a firewall?

    Thanks for your help!





    Adul Salifa wrote:
    > DMZs should be physically separated and should have ACLs to control
    > traffic to the servers in the DMZ. Controlling traffic is the first thing to consider.
    >
    > What do you think about physical separation? Advantages and disadvantages?
    >
    > wrote:
    > > Yes this is what I am referring to. Using PVLANs and assigning a
    > > "promiscuous port" to a PVLAN.
    > >
    > >
    > > So my question(s) are:
    > >
    > > 1. Using PVLANs as opposed to DMZs, which is the way to go?
    > >
    > > 2. There will be several external connections that are terminating into
    > > our network. What I am trying to do is funnel this external traffic
    > > into our production network.
    > >
    > > 3. If the DMZ method is the way to go, then I would assume on the
    > > firewall is where I would funnel all the segregated traffic into
    > > the internal network.
    > >
    > > Any help would be great!
    > >
    > >
    > > Thanks!
    > >
    > >
    > >
    > > Drake wrote:
    > > > <> wrote in message
    > > > news:...
    > > > > All,
    > > >
    > > > <Snip>
    > > >
    > > > > If I use a catalyst switch in promiscuous mode, I can essentially
    > > > > segregate each network port as its own "DMZ" since each port is not
    > > > > supposed to know one another.
    > > > >
    > > > Are you talking about Private VLANs? If so, promiscuous mode ports
    > > > are the ones that can talk to all ports in the PVLAN. Isolated ports are
    > > > segregated from other ports except for promiscuous mode ports.
    > > >
    > > >
    > > >
    > > >
    > > >
    > > > --
    > > > Posted via a free Usenet account from http://www.teranews.com
    , Dec 11, 2006
    #6
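    As an added example (not written by any poster in this thread), here is how the two approaches discussed above look in Cisco configuration: private VLANs on a Catalyst, where only the promiscuous port can reach the isolated host ports, and per-interface DMZs on an ASA where the ACL, not a route, decides what each DMZ may reach on the inside. All VLAN numbers, interface names, the 150.10.2.0 internal subnet and the host 150.10.2.20 are assumptions; 150.10.1.5 is taken from post #6 as the internal next hop.

```cisco
! --- Catalyst side: private VLANs (constructed example; VLAN numbers are assumptions) ---
vlan 100
 private-vlan primary
 private-vlan association 101,102
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
!
! Promiscuous port: the uplink toward the firewall's DMZ interface; it reaches every host port
interface GigabitEthernet0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Isolated host ports: each reaches only the promiscuous port, never the other isolated ports
interface range GigabitEthernet0/2 - 3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! --- Firewall side (ASA 7.x syntax): one DMZ per interface, policy enforced by ACL ---
interface Ethernet0/2
 nameif dmz1
 security-level 50
 ip address 10.0.1.1 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 150.10.1.1 255.255.255.0
!
! Directly connected DMZ and inside subnets need no 'route' statement; a static
! route is only needed for networks behind an internal router (150.10.1.5 is assumed to be one)
route inside 150.10.2.0 255.255.255.0 150.10.1.5 1
!
! DMZ-1 may reach exactly one internal service; everything else is logged and dropped.
! Without this ACL, dmz1 (security-level 50) could not initiate to inside (100) at all.
access-list dmz1_in extended permit tcp 10.0.1.0 255.255.255.0 host 150.10.2.20 eq 443
access-list dmz1_in extended deny ip any any log
access-group dmz1_in in interface dmz1
```

    Inside-to-DMZ traffic is permitted by default because inside has the higher security level; the same ACL pattern, one per DMZ interface, is what scales to the five DMZs in post #6.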