[kevd10]

I am looking at setting up a DMZ network off an interface on my Cisco ASA 5510. I will have a Cisco Catalyst 3560 switch attached to that interface. I am wondering if it would be better to setup the switch and firewall with trunking and subinterfaces or use a Communication VLAN and layer3 SVI's on the switch. Does anyone have any recommendations or insight on this subject. Thanks in advance for any help.

[auglan]

You could go a few different routes.


1. Create your dmz vlan SVI on said switch and just run a layer 2 access port to the ASA
2. Create sub interfaces on ASA and run a trunk to ASA from switch. This is really only needed if you are encapsulating traffic for multiple vlans. If just one vlan then the first option is better.
3. Run a routed port from switch to ASA. This option bypasses any spanning tree convergence timers/issues. Example below

int fa1/0/1
no switchport
ip address x.x.x.x y.y.y.y

[kevd10]

Thanks for the info. At this time I think I would like to stay away from the routed port. Do you know of any pros and cons of of the trunk/Subinterface and SVI/Communication Vlan.

[auglan]

The only issue I can see with the SVI/Comm Vlan is if you have other SVI's on that switch for other subnets in your network then by default since there is a route for all networks in the routing table then intervlan routing will be permitted by default. So if you have vlan 10 for your hosts and vlan 20 for your dmz hosts, by default they will be able to communicate at layer 3. This means that your vlan 10 hosts could communicate directly with your dmz hosts effectively bypassing the firewall. This may be what you want. If its not what you want then you would need to apply filtering on the switch or do some sort of policy routing to push the vlan 10 hosts traffic through the ASA. Thats why the dmz should have a dedicated switch.

[kevd10]

I will have multiple vlans in the DMZ and for the most part they do not need to communicate. It would seem that subinterfaces is the better way to go.

[auglan]

Yeah with the subinterfaces and the trunk from the switch any traffic would be forced up the trunk to the L3 subinterfaces on the ASA. The other option would be to use a dedicated switch.

[kevd10]

When you say a dedicated switch you mean a single subnet for all hosts in the DMZ, becasue the switch that I have is dedicated to the DMZ.

[auglan]

I mean a dedicated switch for the dmz interface and its vlans. IE no other internal vlans etc connecting on that switch. This way your internal hosts are pushed through the ASA's internal interface to get to the dmz, so they are subject to your firewall's policy. I wouldnt waste a 3560 on that, if you had a 2960 that would suffice depending on the throughput you need.