Re: Using Nexus 7k ports for ASA DMZ Vlan ports?

From: Jeffrey Pazahanick <jeffpaz_at_gmail.com>
Date: Thu, 9 Sep 2010 21:26:29 -0500

Is there any way to access other VDCs in a Nexus without layer 3
connectivity? No.
If I was a bank with billions of dollars of potential risk, as a bank
security team do I trust it? No.
Having worked for a Fortune 100 bank, they would have put a Nexus in
the DMZ as well. Actually, probably 4 of them.
But certainly running the DMZ inside a separate L2 VDC is safe.

On Thu, Sep 9, 2010 at 8:53 PM, Jason Aarons (US)
<jason.aarons_at_us.didata.com> wrote:
> If this was a bank with billions of dollars potentially at risk, would you trust
> putting your DMZ VLAN on a Nexus VDC vs. physical isolation? I guess half of
> this is about best practice regardless of make/model/manufacturer.
>
> From: Christopher Copley [mailto:copley.chris_at_gmail.com]
> Sent: Thursday, September 09, 2010 9:33 PM
> To: Jason Aarons (US)
> Cc: ccielab_at_groupstudy.com
> Subject: Re: Using Nexus 7k ports for ASA DMZ Vlan ports?
>
> How about using a different VDC for the DMZ?
>
> Chris
> On Thu, Sep 9, 2010 at 9:19 PM, Jason Aarons (US) <jason.aarons_at_us.didata.com> wrote:
> A customer wants to put a Layer 2 DMZ VLAN on his Nexus 7k, and is wondering
> if Private VLAN/VDCs will keep that VLAN from his inside network. Basically
> he needs some switchports for his DMZ and doesn't want to put them on a 3750.
> From a security perspective I would never advise this, to mitigate risk by
> using physical isolation, but I'm not clear if the Nexus Private VLAN/VDC
> would mitigate the risk.
> http://en.wikipedia.org/wiki/VLAN_hopping
> Blogs and organic groups at http://www.ccie.net
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

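As an added example, not part of this thread, here is what the "separate L2 VDC" design Chris and Jeffrey describe looks like in Nexus 7000 NX-OS configuration: the DMZ ports are allocated exclusively to their own VDC, the VDC carries no routing or SVI for the DMZ VLAN, and the switchports are hardened against the VLAN-hopping concern Jason raised. The VDC name, interface numbers and VLAN IDs are assumed for illustration.

```cisco
! Admin (default) VDC: create a separate VDC and give it exclusive ownership of
! the physical ports the DMZ will use. Interfaces allocated to a VDC are not
! visible to any other VDC; the only path between VDCs is what you cable.
! (VDC name "DMZ" and ports Ethernet1/1-4 are assumed values.)
vdc DMZ
  allocate interface Ethernet1/1-4
  limit-resource vlan minimum 16 maximum 64
exit

! Switch into the new VDC and build a pure Layer 2 DMZ: no SVI for VLAN 100 and
! no routing process, so the only way off this VLAN is the ASA's DMZ interface.
switchto vdc DMZ
configure terminal
! Tag the native VLAN on all trunks so an untagged frame is never accepted
! into a VLAN (removes the precondition for double-tagging VLAN hopping).
vlan dot1q tag native
vlan 100
  name DMZ
exit

! Uplink to the ASA DMZ interface (assumed Ethernet1/1): explicit trunk, only
! the DMZ VLAN allowed, and an unused native VLAN (999, assumed).
interface Ethernet1/1
  description ASA-DMZ-uplink
  switchport
  switchport mode trunk
  switchport trunk native vlan 999
  switchport trunk allowed vlan 100
  no shutdown

! DMZ host ports: hard-coded access mode (NX-OS has no DTP, so a host cannot
! negotiate a trunk), edge ports with BPDU guard so a plugged-in switch that
! sends BPDUs is err-disabled instead of joining the topology.
interface Ethernet1/2-4
  description DMZ-host
  switchport
  switchport mode access
  switchport access vlan 100
  spanning-tree port type edge
  spanning-tree bpduguard enable
  no shutdown
end

! Checks: from the admin VDC, confirm the ports belong only to the DMZ VDC;
! from the DMZ VDC, confirm no interface in VLAN 100 is routed.
show vdc membership
show running-config interface Ethernet1/1-4
```

The part that matters for the isolation question is the first block: once Ethernet1/1-4 are allocated to the DMZ VDC, no configuration in the inside VDC can reference them, and VLAN 100 in the DMZ VDC is a different broadcast domain from any VLAN 100 elsewhere on the chassis.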
Received on Thu Sep 09 2010 - 21:26:29 ART

This archive was generated by hypermail 2.2.0 : Fri Oct 01 2010 - 05:58:05 ART