Firewall Wizards mailing list archives
Re: Multiple small switches vs. a single big one; Granularity of control
From: "Dale W. Carder" <dwcarder () doit wisc edu>
Date: Tue, 02 Mar 2004 14:22:40 -0600
On Feb 29, 2004, at 8:48 AM, Shimon Silberschlag wrote:
> When designing a new internet architecture, we are debating the use of either a physical switch per segment, as was traditionally recommended by the majority of readers on this list, and using a big switch combined with an on-switch FW that controls traffic down to a port granularity (e.g. the Cisco FWSM enclosed in the 6500 switch).

I personally believe that the idea of separating vlans onto separate switches is fueled by paranoia and inferior switch architectures. Separating vlans onto their own switches does not scale. If it does for your environment, I envy you :-) There are economies of scale in having bigger switches with more vlans, and trunking between them. The 6500 series switches and competing products are marketed towards that idea.

> What would be the current group recommendations WRT such a setup, taking into account that the usual "don't trust VLANs to separate your segments" is mitigated by using the FWSM to enforce the separation policy?

The switch enforces the separation policy between vlans. The FWSM is a firewall between vlans.

On Feb 29, 2004, at 2:00 PM, David Lang wrote:

> the FWSM provides a way to allow additional traffic to pass between VLANs, but does it really prevent things from happening that would happen if the FWSM wasn't in the switch?

How do you allow *additional* traffic to pass between VLANs? Sorry, but I'm not 100% clear on your question. The FWSM would let you pass an equal or lesser amount of traffic than you already were passing. It's a firewall. Since you're already routing between vlans, the FWSM (running 1.1 software) routes for you as well.

A firewall is a firewall regardless of whether you put it in the same chassis as a switch or not. The FWSM uses internal trunking, sort of similar to how the MSFC and supervisor coexist on the 6500/7600 platform.

> my understanding is that functionally (except possibly for speed) this is the same thing as assigning one port on each VLAN to an external firewall (running the same software, FW1 IIRC)

FWSM runs software which is PIX-derived. The FWSM can also deal with multiple vlans.

On Mar 1, 2004, at 5:33 AM, Shimon Silberschlag wrote:

> What about 6500 with FWSM? Does resetting the config prevent it from seeing any traffic?
With the 1.1 version of code for FWSM the blade acts as a router for the vlans assigned to it. So, if you did something horrible to the FWSM config, your vlans would be isolated. Out of the box, the FWSM does not let any traffic through.
_______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards