Catalyst 3750G / Network design question

Discussion in 'Cisco' started by rozment, Aug 15, 2006.

  1. rozment

    rozment Guest

    Hello and thanks,

    I have a vendor that is setting up our network and I am not sure if
    something they are doing is a good idea. I however am not Cisco
    certified so my voice carries less weight. I am looking for some
    opinions that I can pass along.

    They are setting up a 3750 with two VLANs, VLAN 100 and VLAN 200. VLAN
    100 will be in between the ISP and our firewall. VLAN 200 will be where
    all of our internal servers reside. So:
    Internet>>>3750 Vlan 100>>>>firewall>>>>3750 Vlan 200 (core switch with
    all servers)

    This design seems poor to me, because we are having a core switch on
    the net not protected by the firewall. It seems like a DoS attack could hammer
    our core switch, since it is not protected by the firewall. Is this
    correct? It also seems like it would be easier to hack the switch, which
    will give you access to the internal network. Is this correct?

    Seems like a better solution is:
    Internet>>>Switch1>>>firewall>>>Switch2 (core switch).

    Looking for an explanation that I can take to the meeting to have them make a
    change if necessary.

    Thanks again,
    rozment, Aug 15, 2006

  2. BernieM

    BernieM Guest

    You're very right for being concerned. Their design goes against best
    practice and is simply dangerous. VLAN separation does not a firewall make
    but in their topology it has become one. Their design shows they have less
    than a basic understanding of security.

    VLAN separation isn't even a minimum level of security for 'trusted'
    internal LANs let alone the Internet.

    Your design is of course the better solution.

    BernieM, Aug 15, 2006

  3. Merv

    Merv Guest

    Ensure they implement your design with two separate switches.
    Merv, Aug 15, 2006
  4. Bod43

    Bod43 Guest

    The proposed installation is not best practice.

    Not that I usually object to anyone spending money on network equipment,
    however the 3750 seems overkill for the application described - that is,
    two static VLANs.

    Consider a 2960G (all GBE) for the inside and a 2950 (if they still do
    them) for the outside, unless of course you have a GBE internet connection.

    I would guess that you will still have change.

    If you need routing at wire rate then of course the 3750 is an excellent
    choice. Maybe it's PoE that you need.
    Bod43, Aug 15, 2006
  5. BernieM

    BernieM Guest

    That's a good point Bod43. Even with a base IOS in a 3750 you still have
    stub routing and other L3 features not needed where a basic L2 switch will
    do the job. Gbit is definitely questionable. Even a 2960 10/100 sounds
    sufficient. Getting back to the security... it's disturbing that people
    that should know better are actually recommending that sort of topology.

    While I'm a 'network engineer' by profession and my job doesn't involve
    direct responsibility for 'security', I've been around enough (15+ years) to
    know that nobody that wants to be taken seriously recommends VLAN separation
    as a layer of security. Its use is strictly limited to separation of
    broadcast domains. Sure, you apply at least ACL-type restrictions when you
    need to have 'some form' of restrictions internally, but never rely on VLANs
    for 'security'.

    BernieM, Aug 15, 2006
  6. rozment

    rozment Guest

    Thanks all for your replies. Found an article recommending
    not to use VLANs as a mechanism for enforcing security. Unfortunately
    it was written in 2000.

    Well thanks again for your messages,
    rozment, Aug 15, 2006
  7. stephen

    stephen Guest

    if you use the Cat 6k firewall switch module, then all segregation is done
    via VLAN.....

    A lot of this came out of some tests where an engineer can build a packet to
    jump from 1 VLAN to another.

    1. you need kit that doesn't stop this happening - at least the higher end
    Cisco switches (i.e. 3560 / 3750 / Cat 6k) are proof against this attack.
    2. the attacker needs layer 2 access to the network since they need to
    manipulate MAC headers and VLAN tags - which isn't normally directly
    accessible across the Internet.

    The assumption here is that you don't have routing enabled between segregated

    A much more sensible reason to avoid security barriers using vlans is "ease
    of misconfiguration" - multiple secure VLANs on a switch with internal
    routing support is a recipe for future problems from finger trouble....

    FWIW we use both options at work - some "heavy" security is done by
    physically separating networks and a firewall link between them.

    But when you need lots of security zones and they are at comparable security
    levels, then using VLAN segregation is appropriate and much easier than
    managing dozens of different stackables (esp. as Cisco don't make small
    switches with dual power supplies) - YMMV of course.
    stephen, Aug 16, 2006
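An audit check for the "ease of misconfiguration" risk stephen raises, as an added example that is not part of the thread: it parses a running-config fragment and flags the case where the one switch carrying both VLANs can route between them, bypassing the firewall. It assumes VLAN 100 faces the ISP and VLAN 200 holds the servers, per rozment's description; both config fragments are constructed.

```python
import re
# Added example, not from the thread. Assumption: VLAN 100 faces the ISP and
# VLAN 200 holds the servers, as rozment describes. Both configs are constructed.
OUTSIDE_VLAN, INSIDE_VLAN = 100, 200

# Risky: the 3750 itself has an address on both VLANs and routes between them.
RISKY_CONFIG = """\
ip routing
interface Vlan100
 ip address 203.0.113.2 255.255.255.248
interface Vlan200
 ip address 192.0.2.1 255.255.255.0
"""

# Safer: pure layer 2 on the outside VLAN, routing off; only the firewall joins them.
SAFER_CONFIG = """\
no ip routing
interface Vlan100
 no ip address
interface Vlan200
 ip address 192.0.2.1 255.255.255.0
"""

def parse_svis(config):
    """Return {vlan_id: has_ip_address} for every 'interface VlanN' stanza."""
    svis, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface Vlan(\d+)", line)
        if m:
            current = int(m.group(1))
            svis[current] = False
        elif current is not None and re.match(r"\s+ip address \d", line):
            svis[current] = True
    return svis

def routing_enabled(config):
    lines = {l.strip() for l in config.splitlines()}
    return "ip routing" in lines and "no ip routing" not in lines

def audit(config, outside=OUTSIDE_VLAN, inside=INSIDE_VLAN):
    """Flag the failure mode the thread warns about: the switch can forward
    between the ISP-side and server-side VLANs without the firewall."""
    svis = parse_svis(config)
    findings = []
    if routing_enabled(config) and svis.get(outside) and svis.get(inside):
        findings.append(f"Vlan{outside} and Vlan{inside} are routed on the switch; firewall bypassed")
    elif svis.get(outside):
        findings.append(f"Vlan{outside} has an SVI address reachable from the ISP side")
    return findings
```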