Firewall Wizards mailing list archives

Re: Multiple small switches vs. a single big one; Granularity of control


From: David Lang <david.lang () digitalinsight com>
Date: Sun, 29 Feb 2004 12:00:21 -0800 (PST)

On Sun, 29 Feb 2004, Shimon Silberschlag wrote:

> Note to moderator: I know one of these subjects has been raised in the past
> on the list, but I think technology changes make it deserving of another look.
>
> When designing a new internet architecture, we are debating the use of
> either a physical switch per segment, as was traditionally recommended by
> the majority of readers on this list, or a big switch combined with
> an on-switch FW that controls traffic down to a port granularity (e.g. the
> Cisco FWSM enclosed in the 6500 switch).
>
> What would be the current group recommendations WRT such a setup, taking
> into account that the usual "don't trust VLANs to separate your segments" is
> mitigated by using the FWSM to enforce the separation policy?

Is it really?

The FWSM provides a way to allow additional traffic to pass between VLANs,
but does it really prevent things from happening that would happen if the
FWSM wasn't in the switch?

My understanding is that functionally (except possibly for speed) this is
the same thing as assigning one port on each VLAN to an external firewall
(running the same software, FW1 IIRC).

David Lang
-- 
"Debugging is twice as hard as writing the code in the first place.
Therefore, if you write the code as cleverly as possible, you are,
by definition, not smart enough to debug it." - Brian W. Kernighan
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
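Whether the firewall sits in a 6500 slot or on its own box, the VLAN separation both designs rely on is only as good as the switch's port configuration: a port left in DTP auto mode, a trunk carrying every VLAN, or untagged traffic landing in VLAN 1 undercuts the policy before the FWSM ever sees a packet. The following is an added example, not part of the thread and not a Cisco tool: a small audit script over a constructed IOS-style configuration. The sample config, the interface names and the four checks are assumptions chosen for illustration; a real review would cover more (VTP, STP guard, CDP, etc.).

```python
"""Flag switch-port settings that weaken VLAN separation.

Added example, not from the original mailing-list thread.  The config below is
constructed for illustration and is not from any real device; the checks are
the ones I would start with, not an exhaustive hardening list.
"""
import re

# Constructed sample configuration (IOS-style syntax), not from a real switch.
SAMPLE_CONFIG = """\
vlan 10
 name DMZ
vlan 20
 name INSIDE
interface GigabitEthernet1/1
 description uplink, left at defaults
 switchport mode trunk
 switchport trunk native vlan 1
interface GigabitEthernet1/2
 description DMZ web server
 switchport access vlan 10
 switchport mode access
interface GigabitEthernet1/3
 description inside file server, mode never pinned
 switchport access vlan 20
interface GigabitEthernet1/4
 description inside workstation, hardened
 switchport access vlan 20
 switchport mode access
 switchport nonegotiate
interface GigabitEthernet1/5
 description spare port parked in VLAN 1
 switchport access vlan 1
 switchport mode access
interface GigabitEthernet1/6
 description trunk towards firewall-facing core, hardened
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
"""


def parse_interfaces(config):
    """Return {interface_name: [stripped sub-command lines]} for each stanza."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # any other top-level line ends the stanza
    return interfaces


def audit_interface(name, lines):
    """Return a list of (interface, finding) tuples for one interface."""
    findings = []
    is_trunk = "switchport mode trunk" in lines
    is_access = "switchport mode access" in lines

    # 1. Neither mode pinned: DTP can negotiate the port into a trunk.
    if not is_trunk and not is_access:
        findings.append((name, "mode not pinned; DTP may negotiate a trunk"))

    # 2. Access port still emits DTP frames unless nonegotiate is set.
    if is_access and "switchport nonegotiate" not in lines:
        findings.append((name, "DTP still active on access port; add 'switchport nonegotiate'"))

    if is_trunk:
        native, allowed = None, None
        for line in lines:
            m = re.match(r"switchport trunk native vlan (\d+)$", line)
            if m:
                native = int(m.group(1))
            m = re.match(r"switchport trunk allowed vlan (\S+)$", line)
            if m:
                allowed = m.group(1)
        # 3. Untagged frames on the trunk land in the native VLAN; default is 1.
        if native is None or native == 1:
            findings.append((name, "trunk uses native VLAN 1; untagged frames land in VLAN 1"))
        # 4. Unpruned trunk carries every VLAN, including ones the link never needs.
        if allowed is None:
            findings.append((name, "trunk allows all VLANs; prune with 'switchport trunk allowed vlan'"))

    for line in lines:
        m = re.match(r"switchport access vlan (\d+)$", line)
        if m and int(m.group(1)) == 1:
            findings.append((name, "access port parked in VLAN 1"))
    return findings


def audit(config):
    """Audit every interface stanza in an IOS-style configuration string."""
    results = []
    for name, lines in parse_interfaces(config).items():
        results.extend(audit_interface(name, lines))
    return results


if __name__ == "__main__":
    for iface, msg in audit(SAMPLE_CONFIG):
        print(f"{iface}: {msg}")
```

Run against the sample, only the two explicitly hardened ports (Gi1/4 and Gi1/6) come back clean; the point is that none of these findings is something an on-switch firewall module can compensate for, since they decide which VLAN a frame is in before any policy is applied.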