Firewall Wizards mailing list archives

Multiple small switches vs. a single big one; Granularity of control


From: "Shimon Silberschlag" <shimons () bll co il>
Date: Sun, 29 Feb 2004 16:48:25 +0200

Note to moderator: I know one of these subjects has been raised in the past
on the list, but I think technology changes make it deserving another look.

When designing a new internet architecture, we are debating the use of
either a physical switch per segment, as was traditionally recommended by
the majority of readers on this list, or a big switch combined with
an on-switch FW that controls traffic down to a port granularity (e.g. the
Cisco FWSM enclosed in the 6500 switch).

What would be the current group recommendations WRT such a setup, taking
into account that the usual "don't trust VLANs to separate your segments" is
mitigated by using the FWSM to enforce the separation policy?

On a related issue, does the granularity of control usually stop at the
segment level, meaning do you allow unchecked traffic between the servers on
a segment, or should we opt for server-level control, managing both inter-
and intra-segment communications?

TIA,
Shimon Silberschlag

+972-3-9351572
+972-51-207130

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
