https://live.paloaltonetworks.com/t5/advanced-threat-prevention/2960x-wan-and-dmz-on-same-switch-separated-by-vlans/m-p/389527#M1084 <P class="_1qeIAgB0cPwnLhDF9XSiJM">the title says it pretty much. Trying to consolidate a 24 port switch that only uses 3 ports with another 24 port that is only using 2 ports.</P> <P class="_1qeIAgB0cPwnLhDF9XSiJM">&nbsp;</P> <P class="_1qeIAgB0cPwnLhDF9XSiJM">How safe/comfortable would you be if you used the same switch for DMZ and WAN traffic, but separate them by VLAN, and strict access trunks to a firewall?</P> Thu, 02 Dec 2021 00:34:56 GMT Joshua2215 2021-12-02T00:34:56Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/2960x-wan-and-dmz-on-same-switch-separated-by-vlans/m-p/389527#M1084 <P class="_1qeIAgB0cPwnLhDF9XSiJM">the title says it pretty much. Trying to consolidate a 24 port switch that only uses 3 ports with another 24 port that is only using 2 ports.</P> <P class="_1qeIAgB0cPwnLhDF9XSiJM">&nbsp;</P> <P class="_1qeIAgB0cPwnLhDF9XSiJM">How safe/comfortable would you be if you used the same switch for DMZ and WAN traffic, but separate them by VLAN, and strict access trunks to a firewall?</P> Thu, 02 Dec 2021 00:34:56 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/2960x-wan-and-dmz-on-same-switch-separated-by-vlans/m-p/389527#M1084 Joshua2215 2021-12-02T00:34:56Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/2960x-wan-and-dmz-on-same-switch-separated-by-vlans/m-p/389539#M1086 <P>Hi,</P><P>It's always strongly recommended to use different layer 2/layer3 switches for WAN links and DMZ servers connectivity.</P><P>&nbsp;</P><P>&nbsp;</P><P>Best Regards,</P><P>Suresh</P><P>&nbsp;</P> Sat, 06 Mar 2021 15:47:57 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/2960x-wan-and-dmz-on-same-switch-separated-by-vlans/m-p/389539#M1086 SureshReddyM 2021-03-06T15:47:57Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/2960x-wan-and-dmz-on-same-switch-separated-by-vlans/m-p/389596#M1087 <P>Hi,</P><P>&nbsp;</P><P>It's not about how many ports are using or not using. It's about security. How much security you are providing for your server or servers in DMZ&nbsp; and your wan interfaces are entry for all your outside (untrust ) traffic enter point ie inbound traffic. There are couple chances that attackers can initiate DOS or DDOS /flooding mechanism like syn and ip etc and also there is chance that ip spoofing or Mac spoofing or any one of above will down your network interface and it's tough to troubleshoot when even you get an issue or traffic issue. And also think about redudnacy solution all wan and DMZ are dependent on same switch also loop hole in design.</P><P>&nbsp;</P><P>That's a reason I recommend to use two different or staked redudnat switches towards both links.</P><P>&nbsp;</P><P>Best Regards,</P><P>Suresh</P><P>&nbsp;</P> Sun, 07 Mar 2021 16:42:36 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/2960x-wan-and-dmz-on-same-switch-separated-by-vlans/m-p/389596#M1087 SureshReddyM 2021-03-07T16:42:36Z