Using promiscuous mode on a catalyst vs. muliple dmzs on a firewall

Discussion in 'Cisco' started by toureg69, Dec 9, 2006.

  1. toureg69

    toureg69 Guest

    All,

    Thanks for the help in advance.

    I am thinking about using the catalyst switch in its promiscuous mode
    so I can segregate network connections for different servers. Others
    have expressed using DMZs on the firewalls for this.

    What would be the major advantages and disadvantages of using either
    method?

    If I use the multiple DMZ method, then I would have to get another
    switch where I have my DMZ VLANs created and somehow connect this
    switch to the internal network. But how would each DMZ know how to
    basically "converge" back to the internal network. Would it be on the
    firewall where this config would be placed? Would the fw have a lan
    connections and all DMZs it regulates filters to the lan connection?

    If I use a catalyst switch in promiscuous mode, I can essentially
    segregate each network port as its own "DMZ" since each port is not
    suppose to know one another.


    Any one have any ideas as to which method is preferred.

    Thanks!!
     
    toureg69, Dec 9, 2006
    #1
    1. Advertisements

  2. I don't understand what you mean by "promiscuous mode" on
    a switch??

    I seem to be having trouble understanding what it is that you want
    to do? A few clues in your phrasing hint that possibly your first
    language is not English, but I see that your IP is in the USA, so
    perhaps I'm just not sufficiently awake as yet.
     
    Walter Roberson, Dec 9, 2006
    #2
    1. Advertisements

  3. toureg69

    toureg69 Guest

    Yes this is what I am referring to. Using PVLANs and assigning a
    "promiscuous port" to a PVLAN.


    So my question(s) are:

    1. Using PVLANs as opposed to DMZs, which is the way to go?

    2. There will be several external connections that is terminating into
    our network. What I am trying to do is funnel this external traffic
    into our production network.

    3. If the DMZ method is the way to go, then I would assume on the
    firewall is where I would funnel all the segregated traffic into
    internal network.

    Any help would be great!


    Thanks!
     
    toureg69, Dec 9, 2006
    #3
  4. toureg69

    Drake Guest

    Are you talking about Private VLANs? If so, promiscuous mode ports
    are the ones that can talk to all ports in the PVLAN. Isolated ports are
    segregated from other ports except for promiscous mode ports.
     
    Drake, Dec 9, 2006
    #4
  5. toureg69

    Adul Salifa Guest

    DMZ should be separated by Physical and should have ACL for control
    traffic to server in DMZ. Control traffic is first thing to consider.

    What do you think about separated physical? Advantage and Disadvantage?
     
    Adul Salifa, Dec 10, 2006
    #5
  6. toureg69

    toureg69 Guest

    I would say it's an advantage to control traffic using a DMZ. It seems
    it would be more scalable that way, than having to worry about
    regulating traffic on the switch side.

    On the firewall itself, for example, let's say I had (5) DMZs
    connecting to five different external networks.

    DMZ-1 - 10.0.1.0
    DMZ-2 - 10.0.2.0
    DMZ-3 - 10.0.3.0
    DMZ-4 - 10.0.4.0
    DMZ-5 - 10.0.5.0

    I have a LAN interface IP address of 150.10.1.5.

    How would I route all (5) DMZ networks into the LAN? I know on a
    router it would be something like:

    ip route 10.0.1.0 255.255.255.240 150.10.1.5 and so on....

    Would the same method hold true on a firewall?

    Thanks for your help!
     
    toureg69, Dec 11, 2006
    #6
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.