>
>Let me lay out the basic topology of a network first:
>
>A 6500 has several VLANS configured on it.  Among these are an external
>internet vlan, a dmz, and several internal vlans.   The internal vlans are
>routed by an MSFC in the 6500.  Routing between the internal, dmz, and
>external are handled by a firewall external to the 6500.
>
>Are there any security issues with having all of these VLANS in the same
>box?  Someone in our organization is concerned that someone can hack the
>switch just because the connection from the internet is plugged into it.
>The switch's management address is on one of the internal vlans, and an
>access list is on the telnet access that restricts access from only the
>internal vlans.

Cisco switches have been known to 'bleed' traffic between VLANs, esp. when 
carried over older switches through ISL.

I don't know of any issues with the 6500, but that doesn't mean that they 
don't exist.

I would not recommend this solution for exactly the reason that 'someone' is 
concerned about.  A DMZ, Outside and Inside should be kept physically 
separate, on one piece of wire each.  What would happen if some 'idiot' 
plugged a connection between the Outside and the Inside VLAN?  Very uncool.

From outside to inside should be a connection from an exterior router to the 
firewall - 100baseTX x-over cable.

DMZ - A hub or switch [1] connecting the port on the FW to DMZ hosts

Inside - Connect to switch for users to access.

That'll be $1,000 please. ;^)

Rob./

[1] Depending on network saturation.
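As an added illustration (not part of Rob's post or the original question), here is what the "access list on the telnet access" from the question looks like on an IOS-based 6500 (native IOS or the MSFC; a CatOS supervisor uses the `set ip permit` family instead). All addresses, VLAN numbers and the ACL name are assumed values made up for the example; the point is that the management SVI sits on an internal VLAN, only internal subnets can reach the VTY lines, and refused attempts are logged so a connection from the outside or DMZ side would show up.

```cisco
! Added example, not from the original post. Assumed values:
! internal VLANs 10 and 20 = 10.1.10.0/24 and 10.1.20.0/24,
! management address on VLAN 10, ACL name MGMT-VTY.
!
! Management address on an internal VLAN, as the question describes.
interface Vlan10
 description Internal VLAN carrying the switch management address
 ip address 10.1.10.2 255.255.255.0
!
! Only internal subnets may open a VTY session. The 'log' keyword on the
! final deny records the source of every refused attempt; if anything
! from the external or DMZ VLANs ever reaches the VTYs, it appears here.
ip access-list standard MGMT-VTY
 permit 10.1.10.0 0.0.0.255
 permit 10.1.20.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT-VTY in
 exec-timeout 10 0
 transport input telnet
 login local
!
! Verification (show commands, not configuration):
!   show access-lists MGMT-VTY   match counters per line; the deny line
!                                should stay at zero in normal operation
!   show line vty 0 4            confirms the access-class is bound
```

Two caveats worth keeping in mind: the access-class only protects the VTY lines, so it says nothing about traffic leaking between VLANs on the backplane or over a mis-patched trunk, which is the separate risk Rob's answer is really about; and where the IOS image supports it, `transport input ssh` is preferable to telnet, since the ACL limits who can connect but does nothing for credentials crossing the internal VLANs in clear text.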


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3755&t=3666