On Fri, 21 Mar 2003, Paulo Roque wrote:
> I usually separate firewall zones with different physical LANs in different
> switches.
> What do you think of separating firewall zones with VLANs in the same
> switch/chassis?
Generally a very bad idea! I fully agree with physical separation. Because if it's based on VLANs, then they only have to compromise the switch to compromise the entire network. Also because there are new layer 2 techniques that can allow a packet to hop across VLANs.

These are the only things that worry me about the FW module for the 6500 chassis. It's based on VLANs. So if I can hop VLANs somewhere, then I can bypass the firewall.

Andrew
---
http://www.andrewsworld.net/
ICQ: 2895251
Cisco Certified Network Associate
"Learn from the mistakes of others. You won't live long enough to make all of them yourself."

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=65944&t=65938
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

