> There are definitely textbook reasons (secondary compromise issues, etc.), but does anyone know of a specific technical reason why using a VLAN for a DMZ segment is a bad idea (Cisco 5500 switch)?
>
> The VLAN would have no telnet interface living on it, and no level 3 switching/routing going to/from it. It'd be just an isolated segment. The only thing I could think of would be that someone could spoof the frame-tagging or something.

I do wonder why you want to use a Catalyst 5500 in the DMZ. Why not stick a Cisco 2600 router off of a Catalyst 2924 switch and then establish a VLAN between the 2924 and 5500? The 2600 and 2924 could be in the DMZ and you can stick the 5500 behind a firewall.

Whether or not the VLAN has telnet, the Catalyst and the RSM on it do. So one assumes you are going to disable telnet to the entire 5500. Is this correct? Console access only?

~S~

Disclaimer: My own 2 cents ?
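Picking up the frame-tagging concern from the quoted question: the following is an added example, written for this page and not code from either poster, that parses the 802.1Q tag stack off raw Ethernet frames captured on the DMZ access segment and flags frames carrying more than one tag, the pattern by which a tagged frame could be made to cross VLANs. The sample frames, the DMZ VLAN number and the trunk native VLAN number are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100   # IEEE 802.1Q tag protocol identifier
TPID_8021AD = 0x88A8  # 802.1ad outer-tag TPID, also seen on QinQ trunks


def parse_vlan_tags(frame: bytes):
    """Return (vlan_ids, inner_ethertype) for a raw Ethernet frame.

    Walks every 802.1Q/802.1ad tag that follows the two MAC addresses.
    On an access segment a frame should carry no tag at all; two tags
    are the double-tagging pattern the question worries about.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12
    vlan_ids = []
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in (TPID_8021Q, TPID_8021AD):
        if offset + 6 > len(frame):
            raise ValueError("frame truncated inside a VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlan_ids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
        (ethertype,) = struct.unpack_from("!H", frame, offset)
    return vlan_ids, ethertype


def classify(frame: bytes, native_vlan: int) -> str:
    """Label a frame seen on the DMZ access segment for a monitor to act on."""
    tags, _ = parse_vlan_tags(frame)
    if not tags:
        return "untagged"            # what an access port is expected to carry
    if len(tags) >= 2 and tags[0] == native_vlan:
        return "double-tagged-native"  # outer tag matches the trunk's native VLAN
    if len(tags) >= 2:
        return "double-tagged"
    return "tagged"                  # a single tag is still out of place here


def build_frame(dst: bytes, src: bytes, tags, ethertype: int, payload: bytes) -> bytes:
    """Construct a sample frame for testing the parser (constructed data)."""
    hdr = dst + src
    for vid in tags:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed sample frames; VLAN 1 stands in for the trunk native VLAN, 20 for the DMZ.
DST, SRC, IPV4 = b"\xff" * 6, b"\x00\x11\x22\x33\x44\x55", 0x0800
FRAME_UNTAGGED = build_frame(DST, SRC, [], IPV4, b"\x45" + b"\x00" * 19)
FRAME_TAGGED = build_frame(DST, SRC, [20], IPV4, b"\x45" + b"\x00" * 19)
FRAME_DOUBLE = build_frame(DST, SRC, [1, 20], IPV4, b"\x45" + b"\x00" * 19)
```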
