Re: [fw-wiz] Multiple small switches vs. a single big one; Granularity of control

From: Dale W. Carder (dwcarder_at_doit.wisc.edu)
Date: 03/02/04

    To: Shimon Silberschlag <shimons@bll.co.il>
    Date: Tue, 02 Mar 2004 14:22:40 -0600

    On Feb 29, 2004, at 8:48 AM, Shimon Silberschlag wrote:
    > When designing a new internet architecture, we are debating the use of
    > either a physical switch per segment, as was traditionally recommended by
    > the majority of readers on this list, or using a big switch combined with
    > an on-switch FW that controls traffic down to a port granularity (e.g.
    > the Cisco FWSM enclosed in the 6500 switch).

    I personally believe that the idea of separating vlans onto separate
    switches is fueled by paranoia and inferior switch architectures.
    Separating vlans onto their own switches does not scale. If it does for
    your environment, I envy you :-)

    There are economies of scale in having bigger switches with more vlans,
    and trunking between them. The 6500 series switches and competing
    products are marketed towards that idea.

    > What would be the current group recommendations WRT such a setup,
    > taking into account that the usual "don't trust VLANS to separate your
    > segments" is mitigated by using the FWSM to enforce the separation policy?

    The switch enforces the separation policy between vlans. The FWSM is a
    firewall between vlans.

    On Feb 29, 2004, at 2:00 PM, David Lang wrote:
    > the FWSM provides a way to allow additional traffic to pass between
    > VLANS, but does it really prevent things from happening that would
    > happen if the FWSM wasn't in the switch?

    How do you allow *additional* traffic to pass between VLANS? Sorry, but
    I'm not 100% clear on your question. The FWSM would let you pass an
    equal or lesser amount of traffic than you already were passing. It's a
    firewall. Since you're already routing between vlans, the FWSM (running
    1.1 software) routes for you as well.

    A firewall is a firewall regardless of whether you put it in the same
    chassis as a switch or not. The FWSM uses internal trunking, sort of
    similar to how the MSFC and supervisor coexist on the 6500/7600 platform.

    > my understanding is that functionally (except possibly for speed) this
    > is the same thing as assigning one port on each VLAN to an external
    > firewall (running the same software, FW1 IIRC)

    FWSM runs software which is PIX-derived. The FWSM can also deal with
    multiple vlans.

    On Mar 1, 2004, at 5:33 AM, Shimon Silberschlag wrote:
    > What about 6500 with FWSM? Does resetting the config prevent it
    > from seeing any traffic?

    With the 1.1 version of code for FWSM the blade acts as a router for
    the vlans assigned to it. So, if you did something horrible to the
    FWSM config, your vlans would be isolated. Out of the box, the FWSM
    does not let any traffic through.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
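The arrangement Dale describes (the supervisor hands a set of VLANs to the FWSM, the module routes between them, and nothing passes until a policy explicitly permits it) looks roughly like the following. This is an illustrative configuration fragment added here, not text from the original thread or Cisco's own documentation; the slot number, VLAN numbers and addresses are constructed, and the command forms are the PIX 6.x-style syntax used by the FWSM 1.x releases discussed above, so check them against the command reference for the release actually in use.

```cisco
! --- Catalyst 6500 supervisor (IOS side) ---
! Hand VLANs 10, 20 and 30 to the FWSM in slot 3 (slot and VLAN ids are
! constructed). The supervisor/MSFC no longer routes between these VLANs;
! the only path between them is through the firewall module.
firewall vlan-group 1 10,20,30
firewall module 3 vlan-group 1

! --- FWSM 1.x (PIX 6.x-style command set) ---
! Each assigned VLAN becomes a named firewall interface with a security
! level; the module is effectively a router with a policy on every hop.
nameif vlan10 outside security0
nameif vlan20 inside security100
nameif vlan30 dmz security50

! Constructed example addresses (RFC 5737 / RFC 1918 ranges).
ip address outside 192.0.2.1 255.255.255.0
ip address inside 10.20.0.1 255.255.255.0
ip address dmz 10.30.0.1 255.255.255.0

! Identity translation so inside hosts are not rewritten when they leave
! toward lower-security interfaces (required by the PIX 6.x-style NAT model).
nat (inside) 0 0.0.0.0 0.0.0.0

! With no access-group applied to an interface, the FWSM forwards nothing
! arriving on it, regardless of security level. Permit only the flow the
! policy actually calls for, then deny everything else explicitly so the
! hit counters show what is being dropped.
access-list inside_in permit tcp 10.20.0.0 255.255.255.0 host 10.30.0.10 eq 80
access-list inside_in deny ip any any
access-group inside_in in interface inside

! No access-group on dmz or outside: hosts in VLAN 30 and VLAN 10 cannot
! initiate anything toward the other VLANs, which is the "out of the box,
! the FWSM does not let any traffic through" behaviour described above.
```

The point to take from the fragment is the one Dale makes in prose: the separation between VLANs is done by the switch and the VLAN-to-module assignment, while the FWSM only ever adds explicitly permitted paths on top of that. Losing or resetting the module's configuration therefore removes paths rather than creating them, which is why an empty FWSM leaves the VLANs isolated.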
