We use one switch (C2950) for the connection from Internet router to PIX outside (VLAN DMZ), and PIX inside to internal core switch, with no real worries. I span one port to a Cisco IDS on the outside and span another on the inside to a Snort box. Pretty standard config for most of our clients, actually. Customers aren't in the mood to be buying a lot of switches these days, and using the VLANs for what they were designed for isn't rocket science :-)
Chris Kirschke
Lead Engineer
Astreya Partners, Inc
[EMAIL PROTECTED]
408-790-5900 xt 531

-----Original Message-----
From: Jim MacLeod [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 11, 2002 2:31 PM
To: Fei Yang
Cc: [EMAIL PROTECTED]
Subject: RE: Cisco IDS

At 11:59 AM 4/11/2002, Fei Yang wrote:
>...I didn't configure the trunk link port, which handles multiple VLANs'
>traffic, as the monitored port before.
>
>Sorry for others, this is not a security topic....
>
>I am installing a Cisco IDS. The monitoring port is in the same VLAN as
>the Internet access router and PIX outside interface....

For many people, using a VLAN to separate inside traffic from outside traffic is a very big security topic. It sounds like the same switch connects the Internet (border) router, the Pix, and the internal network?

To everyone I apologize for raising an issue that has probably caused more than one flame war here...

Regards,
-Jim

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
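The single-switch layout Chris describes and the VLAN-separation concern Jim raises, as an added example that is not part of the thread or anyone's real customer configuration: a small Python audit of a Cisco IOS running-config that flags the settings which quietly turn "two VLANs on one switch" back into one broadcast domain. The checks are my own hardening rules rather than anything the posters said: a port with no fixed switchport mode (the 2950 factory default is dynamic desirable, so DTP will happily negotiate a trunk with whatever is plugged in), access or native VLANs left at 1, trunks that are not pruned, and ports that still speak DTP because `switchport nonegotiate` is missing. The sample configuration, interface names and VLAN numbers are constructed to match the setup in the thread and are assumptions; the treatment of SPAN destination ports as non-switched is also an assumption about that platform.

```python
import re

# Constructed sample modelled on the setup described in the thread: border router
# and PIX outside on VLAN 10 (DMZ), PIX inside and the core switch on VLAN 20, one
# SPAN session per VLAN feeding an IDS. Fa0/7 is left at factory defaults on
# purpose so the audit has something to catch. Not anyone's real configuration.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 description Internet border router
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
!
interface FastEthernet0/2
 description PIX outside
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
!
interface FastEthernet0/3
 description PIX inside
 switchport access vlan 20
 switchport mode access
 switchport nonegotiate
!
interface FastEthernet0/4
 description Internal core switch
 switchport trunk native vlan 999
 switchport trunk allowed vlan 20
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/5
 description SPAN destination, Cisco IDS on the outside
!
interface FastEthernet0/6
 description SPAN destination, Snort box on the inside
!
interface FastEthernet0/7
 description spare
!
monitor session 1 source interface Fa0/1 , Fa0/2
monitor session 1 destination interface Fa0/5
monitor session 2 source interface Fa0/3
monitor session 2 destination interface Fa0/6
"""

def short_name(name):
    """Normalise 'FastEthernet0/5' and 'Fa0/5' to the same key."""
    return re.sub(r"^(Fa)stEthernet|^(Gi)gabitEthernet", lambda m: m.group(1) or m.group(2), name)

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} for every 'interface' block."""
    ifaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            ifaces[current] = []
        elif raw.startswith(" ") and current is not None:
            ifaces[current].append(raw.strip())
        else:
            current = None  # '!' or any other global command ends the block
    return ifaces

def span_destinations(config):
    """Ports named as SPAN destinations in 'monitor session' lines."""
    pat = re.compile(r"^monitor session \d+ destination interface (\S+)")
    return {short_name(m.group(1)) for m in map(pat.match, config.splitlines()) if m}

def setting(lines, prefix, default):
    """Value after 'prefix' on the matching sub-command, or default if absent."""
    return next((line[len(prefix):].strip() for line in lines if line.startswith(prefix)), default)

def audit(config):
    """Return [(port, problem)] for live switched ports that weaken VLAN separation."""
    findings = []
    dests = span_destinations(config)
    for name, lines in parse_interfaces(config).items():
        port = short_name(name)
        # Only live physical ports matter; a SPAN destination is assumed not to be
        # a switched port while its session is active, so it is skipped as well.
        if not port.startswith(("Fa", "Gi")) or "shutdown" in lines or port in dests:
            continue
        mode = setting(lines, "switchport mode ", None)
        if mode is None or mode.startswith("dynamic"):
            # 2950 factory default is 'dynamic desirable': an attached host can
            # negotiate a trunk with DTP and then tag frames into any VLAN.
            findings.append((port, "no fixed switchport mode; DTP can negotiate this port into a trunk"))
        elif mode == "access":
            if setting(lines, "switchport access vlan ", "1") == "1":
                findings.append((port, "access port left in VLAN 1"))
            if "switchport nonegotiate" not in lines:
                findings.append((port, "access port without 'switchport nonegotiate'"))
        elif mode == "trunk":
            if setting(lines, "switchport trunk native vlan ", "1") == "1":
                findings.append((port, "trunk native VLAN is 1; double-tagged frames land on the default VLAN"))
            if setting(lines, "switchport trunk allowed vlan ", None) is None:
                findings.append((port, "trunk allows every VLAN; prune to the ones it needs"))
            if "switchport nonegotiate" not in lines:
                findings.append((port, "trunk without 'switchport nonegotiate'"))
    return findings
```

Against the sample, `audit(SAMPLE_CONFIG)` reports only the spare port Fa0/7; feed it the text of `show running-config` from a real switch instead. Whether VLAN separation on one switch is acceptable at all is the policy question Jim raises, and this script does not settle it; what it does is make sure that, if you do share the switch, nothing attached to the outside VLAN can negotiate or tag its way onto the inside one.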
