If I understand your question correctly... Ultimately, avoid giving external access to an internal switch. It's a bad idea. There are a number of attacks that can be done, either from the outside or if a machine that resides on the VLAN were to be compromised.
Not factoring in redundancy, I would always (if given the choice) have a DMZ on a stand-alone switch. You're giving certain port access to areas on your DMZ that you probably don't give to internal devices. As new vulnerabilities are discovered (some that may be just for this type of situation - as many companies as I've seen do this, I'm surprised that attackers don't target this more actively), at least you have physically separate networks. That's my opinion. Just gut feeling and the above...

At 02:25 PM 3/6/2002 -0600, Mike Shaw wrote:
>There are definitely textbook reasons (secondary compromise issues, etc),
>but does anyone know of a specific technical reason why using a VLAN for a
>DMZ segment is a bad idea (cisco 5500 switch)?
>
>The VLAN would have no telnet interface living on it, and no level 3
>switching/routing going to/from it. It'd be just an isolated segment. The
>only thing I could think of would be that someone could spoof the
>frame-tagging or something.
>
>Any input is appreciated.
>
>-Mike
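As an added example (not from either poster), here is a small Python check a defender could run over frames captured on a DMZ VLAN port to catch the frame-tag spoofing Mike asks about: it walks the 802.1Q tag stack of a raw Ethernet frame and flags tagged frames on a port that should be untagged, and double-tagged frames or a foreign outer VLAN on a port that should carry a single VLAN. The sample frames are constructed inline, not real captures, and `check_dmz_frame` and `build_frame` are names chosen here.

```python
import struct
from typing import List, Optional, Tuple

# Tag Protocol Identifiers that introduce a VLAN tag (802.1Q, 802.1ad, legacy QinQ)
TAG_TPIDS = {0x8100, 0x88A8, 0x9100}

def parse_vlan_tags(frame: bytes) -> Tuple[List[int], int]:
    """Walk the tag stack of a raw Ethernet frame.
    Returns (VLAN IDs from outermost to innermost, EtherType of the payload)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    offset = 12            # skip destination and source MAC addresses
    vids: List[int] = []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in TAG_TPIDS:
            return vids, ethertype
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset)   # PCP(3) DEI(1) VID(12)
        vids.append(tci & 0x0FFF)
        offset += 2

def check_dmz_frame(frame: bytes, expected_vid: Optional[int]) -> List[str]:
    """Flag frames that should not appear on a DMZ port.
    expected_vid=None means an access port (frames must arrive untagged);
    otherwise the port is a trunk that may carry only that one VLAN."""
    vids, _ = parse_vlan_tags(frame)
    findings: List[str] = []
    if expected_vid is None:
        if vids:
            findings.append(f"tagged frame on access port, vids={vids}")
        return findings
    if len(vids) > 1:
        findings.append(f"double-tagged frame (possible VLAN hopping), vids={vids}")
    if vids and vids[0] != expected_vid:
        findings.append(f"outer VLAN {vids[0]} != expected {expected_vid}")
    return findings

def build_frame(vids: List[int], payload_ethertype: int = 0x0800) -> bytes:
    """Constructed sample frame with the given tag stack (not a real capture)."""
    hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    for vid in vids:
        hdr += struct.pack("!HH", 0x8100, vid & 0x0FFF)
    return hdr + struct.pack("!H", payload_ethertype) + b"\x00" * 46
```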
