Your VLANs are supposed to be on different subnets, so the setup seems legit. I don't know of any Layer 2 holes under this scenario. Now the issue is ACLs in your FW/Router. Are they tight? Layer 3 is where you're going to have all your security issues.

On 1/31/07, Darrin Chandler wrote:
>
> On Wed, Jan 31, 2007 at 05:38:44PM -0600, JT Moree wrote:
> > Does anyone know enough about VLANs on a Cisco Catalyst 4506 switch to explain
> > the security implications of this setup:
> >
> > 2 VLANs
> > VLAN 1 - internal servers
> > VLAN 2 - DMZ
> >
> > Given that the dmz is to keep the dmz servers separated from the internal
> > network would this be a secure setup? Are there any holes in the VLAN
> > architecture that would make this a BAD idea?
> >
> > One caveat. right now we have a cisco firewall which routes between two
> > different switches for dmz and internal. I realize a breach in cisco security
> > would be a problem in BOTH situations.
>
> Seems that you already understand the issues. ;) The VLAN stuff *should* be
> fine, really.
>
> But how are you going to route stuff between the VLANs? Still need a
> router after all?
>
> --
> Darrin Chandler | Phoenix BSD Users Group
> dwchandler@stilyagin.com | http://bsd.phoenix.az.us/
> http://www.stilyagin.com/darrin/ |
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

--
http://spindomains.us/
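The inter-VLAN ACL question raised in the reply above, as an added illustration that is not from the thread or from any poster: an IOS configuration for the 4506 routing between the two VLANs, with an extended ACL on the DMZ SVI that permits only the flows the DMZ needs toward the internal VLAN. The subnets, host addresses and port numbers are assumed placeholders.

```cisco
! Added example, not from the thread. All addresses and ports are assumed.
! Enable inter-VLAN routing on the switch itself (the job the firewall did before).
ip routing
!
! VLAN 1 is the Cisco default/native VLAN; kept here because the thread uses it
! for internal servers, though a dedicated VLAN number is the usual choice.
vlan 2
 name DMZ
!
interface Vlan1
 description Internal servers (assumed 10.1.1.0/24)
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan2
 description DMZ (assumed 10.1.2.0/24)
 ip address 10.1.2.1 255.255.255.0
 ! "in" filters traffic arriving FROM the DMZ hosts, i.e. DMZ-initiated flows.
 ip access-group DMZ-IN in
!
ip access-list extended DMZ-IN
 remark Loose (weak) equivalent would be a single "permit ip any any".
 remark Router ACLs are stateless: replies to connections the internal side
 remark opened toward the DMZ must be allowed explicitly (ACK/RST set).
 permit tcp 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255 established
 remark Only the DMZ web host may reach the internal DB host on its port.
 permit tcp host 10.1.2.10 host 10.1.1.20 eq 3306
 remark DMZ hosts may query the internal DNS server.
 permit udp 10.1.2.0 0.0.0.255 host 10.1.1.53 eq 53
 remark Everything else DMZ -> internal is dropped and logged for detection.
 deny ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255 log
 remark DMZ traffic bound elsewhere (e.g. the Internet via the firewall) passes.
 permit ip 10.1.2.0 0.0.0.255 any
 deny ip any any log
```

Unlike the firewall the thread mentions, a router ACL keeps no connection state, so without the `established` line even replies to internal-initiated sessions would be dropped by the deny that follows it.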