Cisco IPS 4520 Sensor White Paper

Firewall
August 2012 Series
Configuring Management DMZ
Process
The firewall's demilitarized zone (DMZ) is a portion of the network where, typically, traffic to and from other parts of the network is tightly restricted. Organizations place network services in a DMZ for exposure to the Internet. These devices are typically not allowed to initiate connections to the internal network, except for specific circumstances.

One of those special circumstances is device management. However, the security policy on the firewall must still limit what traffic is allowed inside from the DMZ, because devices in the DMZ can be a security risk for the internal network.

To ease the configuration of the security policy, create a DMZ dedicated to the management of devices that are connected only to the DMZ or outside the firewall.

The DMZ network is connected to the appliances on the appliances' Gigabit Ethernet interface via a VLAN trunk, which allows the greatest flexibility if new VLANs must be added to connect additional DMZs. In this architecture, the trunk connects the appliances to a 3750X switch stack that provides resiliency.

The DMZ interface on the Cisco ASA is assigned an IP address, which is the default gateway for each DMZ network. The DMZ switch is configured to offer Layer-2 switching capability only; the DMZ switch does not have a switched virtual interface (SVI) for any VLAN except the management DMZ VLAN. This SVI is used for management of the switch.
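As an added illustration of the design just described (example configuration, not taken from the guide), the following Cisco IOS and ASA fragments show one way the pieces fit together: the 3750X stack carries two DMZ VLANs on the trunk but has an SVI only on the management DMZ VLAN, each ASA subinterface is the default gateway for its DMZ, and the inbound access list on the management DMZ permits only the management protocols DMZ devices need to send inside (syslog, NTP, SNMP traps) while denying everything else toward the internal network. The VLAN IDs (1116, 1123), addresses, interface numbers and object names are assumptions chosen for the example, and the ASA syntax assumes release 8.3 or later (network objects).

```cisco
! ---------- DMZ switch stack (Cisco Catalyst 3750X, IOS), Layer 2 only ----------
! Assumed VLAN IDs and addressing; the guide does not fix these values.
no ip routing
!
vlan 1116
 name DMZ-Web
vlan 1123
 name DMZ-Management
!
! Trunk toward the Cisco ASA DMZ interface; limit it to the DMZ VLANs in use
interface GigabitEthernet1/0/24
 description Trunk to Cisco ASA DMZ interface
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1116,1123
 switchport mode trunk
!
! The only SVI on the switch: management of the stack via the management DMZ
interface Vlan1123
 description DMZ switch management
 ip address 192.168.23.5 255.255.255.0
 no shutdown
!
! Default gateway is the ASA's management DMZ subinterface
ip default-gateway 192.168.23.1
!
! ---------- Cisco ASA: one subinterface per DMZ VLAN on the trunk ----------
interface GigabitEthernet0/1
 description Trunk to DMZ switch stack
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.1116
 vlan 1116
 nameif dmz-web
 security-level 50
 ip address 192.168.16.1 255.255.255.0
!
interface GigabitEthernet0/1.1123
 vlan 1123
 nameif dmz-management
 security-level 50
 ip address 192.168.23.1 255.255.255.0
!
object network internal-network
 subnet 10.4.0.0 255.255.0.0
object network dmz-management-network
 subnet 192.168.23.0 255.255.255.0
!
! Management DMZ: devices may only send syslog, NTP and SNMP traps inside;
! everything else toward the internal network is denied, the Internet is allowed
access-list DMZ-MGMT_ACCESS_IN extended permit udp object dmz-management-network object internal-network eq syslog
access-list DMZ-MGMT_ACCESS_IN extended permit udp object dmz-management-network object internal-network eq ntp
access-list DMZ-MGMT_ACCESS_IN extended permit udp object dmz-management-network object internal-network eq snmptrap
access-list DMZ-MGMT_ACCESS_IN extended deny ip any object internal-network
access-list DMZ-MGMT_ACCESS_IN extended permit ip object dmz-management-network any
access-group DMZ-MGMT_ACCESS_IN in interface dmz-management
!
! Public DMZ: no DMZ-initiated sessions to the internal network at all
access-list DMZ-WEB_ACCESS_IN extended deny ip any object internal-network
access-list DMZ-WEB_ACCESS_IN extended permit ip any any
access-group DMZ-WEB_ACCESS_IN in interface dmz-web
```

Management sessions from the internal network to the switch SVI (SSH, for example) are initiated from the higher-security inside interface and return through the stateful connection table, so they need no entry in these inbound lists; only DMZ-initiated flows do. Because both DMZ subinterfaces sit at the same security level, the ASA also keeps the two DMZs isolated from each other unless `same-security-traffic permit inter-interface` is configured, which is the intended behaviour for a management DMZ.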
Figure 6 - DMZ VLAN topology and services (figure not reproduced; labels: Management Connection, DMZ VLAN Trunk, DMZ Switches, Distribution Switches, Cisco ASA, Internet)
Procedure 1 Configure the DMZ switch

The DMZ switch in this deployment is a pair of 3750X switches in a stacked configuration. The configuration below is complete for the features required for the DMZ switch. This configuration is taken from the Cisco SBA Borderless Networks LAN Deployment Guide.

Step 1: Set the stack master switch.

switch [switch number] priority 15

Step 2: Run the stack-mac persistent timer 0 command to ensure that the original master MAC address remains the stack MAC address after a failure.

stack-mac persistent timer 0

Step 3: To make consistent deployment of QoS easier, each platform defines a macro that you will use in later procedures to apply the platform-specific QoS configuration. Because AutoQoS might not be configured on this device, run the following commands to manually configure the global QoS settings:

mls qos map policed-dscp 0 10 18 to 8
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos srr-queue input bandwidth 70 30