04-18-2014 01:54 PM
I have an ICX6450-24, version 7.4.0b, that will be used in router mode for an external switch/router position.
I will have a future need for a DMZ coming off of my firewall. Can I safely use some of the ports on this switch in a separate VLAN? This will be my first foray into using this box as a router, and then also wanting a private VLAN.
I don't want it to leak out through the routing functionality. In reading the config guide, I think I want to use the isolated private VLAN.
Am I thinking the right way here, or am I overthinking this and just need to not assign a ve interface to the VLAN?
Any confirmations or corrections would be appreciated.
04-21-2014 05:31 PM - edited 04-21-2014 05:32 PM
While I haven't done any sophisticated leak tests, our FCX switches run the same Fastiron software and we configure isolated VLANs simply by not including a ve interface.
The devices on an isolated VLAN can see only each other. I can't ping them from the switch or another VLAN.
I can't guarantee the NSA doesn't know how to cause leakage, and the FCX (and probably ICX) support "lawful intercept," but if you restrict admin access to your switch, I'd expect your DMZ to be reasonably safe from VLAN-jumping. Hackers usually find it easier and more productive to get a human to click a link and install something to attack from inside. If you control a sysadmin's machine, why bother with VLANs?
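As an added illustration of the approach in the reply above (this is not from the original thread): a Fastiron configuration with one routed VLAN that has a ve interface and one DMZ VLAN that deliberately has none, so the switch holds no Layer 3 interface in the DMZ and cannot route into or out of it. VLAN IDs, port ranges and addresses are constructed; the CLI syntax is assumed from the Fastiron 7.x configuration guide.

```text
! Routed user VLAN: the router-interface statement creates the ve,
! and the ip address on ve 10 is what lets the switch route for it.
vlan 10 name USERS by port
 untagged ethe 1/1/1 to 1/1/8
 router-interface ve 10
!
interface ve 10
 ip address 192.0.2.1 255.255.255.0
!
! DMZ VLAN: no router-interface line, so no ve exists for VLAN 20.
! The switch only bridges these ports among themselves; the firewall
! on port 1/1/12 is the sole path in or out of the DMZ.
vlan 20 name DMZ by port
 untagged ethe 1/1/9 to 1/1/12
!
! Verification after applying the config:
!   show vlan            -> VLAN 20 should list no "Router interface"
!   show ip interface    -> only ve 10 (and any other routed ve) appears
!   ping <DMZ host>      -> from the switch should fail (no source interface)
```

If a later change adds `router-interface ve 20` to VLAN 20, the isolation described in the reply is gone, so that line is the one to watch for in config audits.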