Re: Using Nexus 7k ports for ASA DMZ Vlan ports?

From: Christopher Copley <copley.chris_at_gmail.com>
Date: Thu, 9 Sep 2010 22:17:52 -0400

Jason,

If you have a DMZ on a totally isolated VDC it is basically a different
switch (just don't make the DMZ VDC the master VDC). At that point the only
way you would be able to jump to a different VDC is by putting a crossover
jumper on 2 ports between different VDCs or a hole in your ASA firewall. I
really do not see how it is any different than what Service Providers do on
their MPLS networks. Service providers have many different customers' data
on the same physical hardware, only logically isolated.
Now, I personally would like separate hardware for a DMZ, if only for the
reason to point to the switch and say it is only DMZ. But in some designs it
is not realistic b/c of costs or the small size of a DMZ.
One of the good things about using the 7k for the DMZ is that you can save
floor space, power, cooling on your Data Center floor with less hardware.
And the ability to do non-service-impacting upgrades is a great plus when
the business requires a 99.999% uptime model.
But if this were a bank I personally would not worry about losing any money
b/c of a DMZ design, I would be more worried about the crooked bankers
losing more money in crazy banking schemes. (Sorry, had to poke fun at the
banking system LOL)
But if this were a bank I am sure they have enough money to have a 7K
totally dedicated to a DMZ. I guess part of my point is that cost sometimes
dictates the design. I know as tech people we don't like to admit
that, but it is a realistic truth, and one I have had to deal with too many
times.
But that is all just my $.02

Chris
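Added example (an editor's illustration, not part of Chris's or Jason's posts): a small Python model of the double-tagging VLAN-hopping case the Wikipedia link in the thread refers to, run first against a weak trunk and then against the three mitigations an admin would configure on the 7k or the 3750: tagging the native VLAN (NX-OS global `vlan dot1q tag native`), moving the native VLAN to an unused one, and pruning the DMZ VLAN from the inside trunk's allowed list. The VLAN numbers, MAC addresses and payload are constructed assumptions, and the access port is modelled as accepting frames tagged with its own VLAN, which is the lenient behaviour the attack depends on. Putting the DMZ ports in a separate VDC behaves like the pruning case here, since the VDC has its own VLAN table and no single trunk carries both sides.

```python
"""Model of 802.1Q double-tagging ("VLAN hopping") across an access port, a trunk
and a downstream switch, alongside the standard mitigations. All frames here are
constructed samples; VLAN numbers and MACs are assumptions for illustration."""
import struct

TPID_8021Q = 0x8100       # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800

INSIDE_VLAN = 10          # assumed: attacker's access VLAN on the inside
DMZ_VLAN = 50             # assumed: the DMZ VLAN the attacker should never reach
UNUSED_NATIVE = 999       # assumed: a dead VLAN reserved as trunk native

ATTACKER_MAC = bytes.fromhex("020000000001")   # constructed
DMZ_HOST_MAC = bytes.fromhex("020000000002")   # constructed
SAMPLE_PAYLOAD = b"\x45\x00" + b"\x00" * 18    # constructed stand-in for an IPv4 header


def build_frame(dst, src, vids, payload=SAMPLE_PAYLOAD, ethertype=ETHERTYPE_IPV4):
    """Ethernet frame with zero or more stacked 802.1Q tags (outermost first)."""
    hdr = dst + src
    for vid in vids:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # PCP=0, DEI=0
    return hdr + struct.pack("!H", ethertype) + payload


def pop_tag(frame):
    """(vid, frame_without_that_tag) if the first ethertype is a Q-tag, else (None, frame)."""
    (et,) = struct.unpack_from("!H", frame, 12)
    if et != TPID_8021Q:
        return None, frame
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF, frame[:12] + frame[16:]


def access_ingress(frame, access_vlan):
    """Edge switch access port. Untagged frames, and frames tagged with the port's own
    VLAN, are accepted (the lenient behaviour the attack relies on); others are dropped."""
    vid, inner = pop_tag(frame)
    if vid is None:
        return access_vlan, frame
    if vid == access_vlan:
        return access_vlan, inner       # outer tag consumed; any inner tag is now first
    return None, None


def trunk_egress(vlan, frame, native_vlan, tag_native, allowed):
    """Edge switch trunk. Native-VLAN traffic leaves untagged unless native tagging is on."""
    if vlan not in allowed:
        return None
    if vlan == native_vlan and not tag_native:
        return frame                    # untagged: a surviving inner tag is now the first tag
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vlan) + frame[12:]


def trunk_ingress(frame, native_vlan, allowed):
    """Downstream switch trunk: tagged frames go to their VID, untagged ones to native."""
    vid, inner = pop_tag(frame)
    if vid is None:
        vid, inner = native_vlan, frame
    return (vid, inner) if vid in allowed else (None, None)


def hop(frame, access_vlan, native_vlan, tag_native, allowed):
    """VLAN the downstream switch delivers `frame` into, or None if it is dropped."""
    vlan, f = access_ingress(frame, access_vlan)
    if vlan is None:
        return None
    f = trunk_egress(vlan, f, native_vlan, tag_native, allowed)
    if f is None:
        return None
    vlan, _ = trunk_ingress(f, native_vlan, allowed)
    return vlan


# Attacker on an inside access port sends outer tag = trunk native VLAN, inner tag = DMZ VLAN.
ATTACK = build_frame(DMZ_HOST_MAC, ATTACKER_MAC, [INSIDE_VLAN, DMZ_VLAN])


def weak_config():
    """Native VLAN equals the attacker's access VLAN and the DMZ VLAN rides the same trunk."""
    return hop(ATTACK, INSIDE_VLAN, INSIDE_VLAN, False, {INSIDE_VLAN, DMZ_VLAN})


def fixed_by_tagging_native():
    """Same trunk, but the native VLAN is tagged (NX-OS global `vlan dot1q tag native`)."""
    return hop(ATTACK, INSIDE_VLAN, INSIDE_VLAN, True, {INSIDE_VLAN, DMZ_VLAN})


def fixed_by_unused_native():
    """Native VLAN moved to a dead VLAN that no access port uses."""
    return hop(ATTACK, INSIDE_VLAN, UNUSED_NATIVE, False, {INSIDE_VLAN, DMZ_VLAN, UNUSED_NATIVE})


def fixed_by_pruning():
    """DMZ VLAN removed from the inside trunk's allowed list (a separate VDC gives the same)."""
    return hop(ATTACK, INSIDE_VLAN, INSIDE_VLAN, False, {INSIDE_VLAN})


if __name__ == "__main__":
    for fn in (weak_config, fixed_by_tagging_native, fixed_by_unused_native, fixed_by_pruning):
        print(f"{fn.__name__:26s} -> delivered into VLAN {fn()}")
```

Only the weak scenario lands the frame in the DMZ VLAN; the others keep it in the attacker's own VLAN or drop it. One caveat for the mixed setup in the thread: NX-OS does not run DTP at all, so switch-spoofing (negotiating a trunk from an access port) is not a 7k concern, but the 3750 the customer wants to avoid does speak DTP, and its access ports should carry `switchport nonegotiate` for the same reason the trunk native VLAN above is tagged or moved.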

On Thu, Sep 9, 2010 at 9:53 PM, Jason Aarons (US) <
jason.aarons_at_us.didata.com> wrote:

> If this was a bank with billions of dollars potentially at risk, would you
> trust putting your DMZ VLAN on a Nexus VDC vs Physical Isolation? I guess
> half of this is about best practice regardless of make/model/manufacturer.
>
>
>
> *From:* Christopher Copley [mailto:copley.chris_at_gmail.com]
> *Sent:* Thursday, September 09, 2010 9:33 PM
> *To:* Jason Aarons (US)
> *Cc:* ccielab_at_groupstudy.com
> *Subject:* Re: Using Nexus 7k ports for ASA DMZ Vlan ports?
>
>
>
> How about using a different VDC for the DMZ?
>
> Chris
>
> On Thu, Sep 9, 2010 at 9:19 PM, Jason Aarons (US) <
> jason.aarons_at_us.didata.com> wrote:
>
> A customer wants to put a Layer2 DMZ vlan on his Nexus 7k, and is wondering
> if Private VLAN/VDCs will keep that vlan from his inside network. Basically
> he needs some switchports for his DMZ and doesn't want to put them on a
> 3750.
> From a security perspective I would never advise this; to mitigate risk I
> would use Physical Isolation, but I'm not clear if the Nexus Private
> VLAN/VDC would mitigate the risk.
>
> http://en.wikipedia.org/wiki/VLAN_hopping
> -----------------------------------------
> Disclaimer: This e-mail communication and any attachments may contain
> confidential and privileged information and is for use by the designated
> addressee(s) named above only. If you are not the intended addressee, you
> are hereby notified that you have received this communication in error and
> that any use or reproduction of this email or its contents is strictly
> prohibited and may be unlawful. If you have received this communication in
> error, please notify us immediately by replying to this message and deleting
> it from your computer. Thank you.
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Received on Thu Sep 09 2010 - 22:17:52 ART

This archive was generated by hypermail 2.2.0 : Fri Oct 01 2010 - 05:58:05 ART