DMZ Network Design – Why Use a Layer 2 Switch Instead of Layer 3?

design, security

I've been trying to learn about DMZs. It's hard to find a technical explanation that does not dive headlong into the complexities of Cisco hardware, which I'm finding confusing as I'm new to networking. Can someone explain why most internet posts I've read on making a DMZ advise using a layer 2 switch to connect devices within it? Let's say, for example, I'm running a small business and in my DMZ I want to put a web server, a DNS server and a general data server that a mobile app I built is pushing and pulling data from. Why is it bad to use a layer 3 switch? I've put a text-based diagram below to give you an idea of the shape of the DMZ.

                                             ----- WEB SERVER
INTERNET ----ROUTER----- FIREWALL-----SWITCH ----- DNS SERVER
                                             ----- DATA SERVER 

Best Answer

A layer-3 switch is primarily a layer-2 switch, but with a routing module in it. A layer-3 switch that is not configured with multiple networks is simply a layer-2 switch. Routers, including the routing module in a layer-3 switch, route traffic between networks. Is there any reason that you need the DMZ to be anything more than a single network?

It is likely that your servers are all simply on the same network. If you have multiple networks in the DMZ, then you would need a router or layer-3 switch in the DMZ, but then you would need to tell the first router about the networks behind the router in the DMZ, and that could be a problem.

Routers learn about routes in three ways:

  1. Directly connected networks.
  2. Statically configured routes (doesn't scale).
  3. Dynamically through a routing protocol (can be broken by a firewall or NAT).
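As an added illustration of the answer's point (example code, not from the original post or the answerer): given each DMZ host's address with its prefix, it decides whether the hosts share one network, so a plain layer-2 switch is enough, and if not, lists the static routes the edge firewall would need for the networks behind a DMZ router. The firewall's DMZ interface, the DMZ router's address and the host addresses are constructed sample values.

```python
import ipaddress
from typing import Iterable, List, Set, Tuple

# Constructed sample data (documentation address ranges, not real hosts).
SINGLE_SEGMENT = ["192.0.2.10/24", "192.0.2.11/24", "192.0.2.12/24"]
MULTI_SEGMENT = ["192.0.2.10/24", "198.51.100.10/24", "198.51.100.11/24"]
FIREWALL_DMZ_IF = "192.0.2.1/24"   # firewall's interface on the DMZ segment
DMZ_ROUTER_IP = "192.0.2.2"        # router / L3 switch inside the DMZ


def dmz_networks(hosts: Iterable[str]) -> Set[ipaddress._BaseNetwork]:
    """Set of IP networks that the given 'address/prefix' hosts belong to."""
    return {ipaddress.ip_interface(h).network for h in hosts}


def layer2_switch_suffices(hosts: Iterable[str]) -> bool:
    """True when every host is on one network: nothing to route, so an L3
    switch adds nothing over an L2 switch (the answer's main point)."""
    return len(dmz_networks(hosts)) == 1


def on_firewall_segment(firewall_dmz_if: str, next_hop: str) -> bool:
    """A static route's next hop must be directly reachable: it has to sit on
    the firewall's own DMZ segment (route-learning method 1)."""
    fw = ipaddress.ip_interface(firewall_dmz_if)
    return ipaddress.ip_address(next_hop) in fw.network


def required_static_routes(hosts: Iterable[str], firewall_dmz_if: str,
                           dmz_router_ip: str) -> List[Tuple[str, str]]:
    """Static routes (method 2) the edge firewall needs for every DMZ network
    it is not directly connected to. Returns (network, next_hop) pairs."""
    if not on_firewall_segment(firewall_dmz_if, dmz_router_ip):
        raise ValueError("DMZ router is not on the firewall's DMZ segment")
    fw_net = ipaddress.ip_interface(firewall_dmz_if).network
    routes = []
    # Sort by version first so IPv4 and IPv6 networks never get compared.
    for net in sorted(dmz_networks(hosts), key=lambda n: (n.version, n)):
        if net == fw_net:
            continue  # directly connected: no route needed
        routes.append((str(net), dmz_router_ip))
    return routes


if __name__ == "__main__":
    print("single segment, L2 switch enough:", layer2_switch_suffices(SINGLE_SEGMENT))
    print("multi segment, firewall needs:",
          required_static_routes(MULTI_SEGMENT, FIREWALL_DMZ_IF, DMZ_ROUTER_IP))
```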