Silencer001 (Belgium) asked:
Trunking or multiple connections on different vlan

Hi everyone,

I am starting on a Hyper-V project. I have just worked the VLANs and network adapters out, but I am having "problems" with the switch. My network will have 4 networks:
* LAN
* Backup
* Management for network devices and the Hyper-V server
* DMZ network

I am going to implement VLANs on the switch for each of these networks. I think this is a good implementation?
But what happens to the connection from the firewall to the switch? Do I need a separate connection to each VLAN on the switch? I think this is necessary for the following reasons, but I am not sure:
* LAN: well, the clients need to have internet access, so they need a connection to the firewall.
* Backup: A backup server will be present at another location. So the backup VLAN should be connected to the firewall so that replication to another backup server over the internet is possible.
* DMZ: The firewall is directly connected to a NIC on the Hyper-V server because it hosts a virtual web server which needs to be put into a DMZ.
* Management: Just so I can give the firewall an IP address in this VLAN and I can manage it only when I have a connection to this VLAN.

I was thinking about just 1 trunking interface, but will it be enough for the load and will this also work? What are the good and bad things about trunking?

I hope you can help me.
Attachment: drawing.png
Soulja (United States) replied:

I assume the firewall is routing for the VLANs, correct? If it supports 802.1Q then I don't see a reason not to trunk. If it supports multiple IP'd interfaces which would serve as the gateways for each VLAN, and you have the available ports, then I would just go that route.
The architecture usually depends on the firewall and how many ports you have available.  Typical implementation of a 3 or 4 port firewall using a single switch with multiple VLANs is as follows:
Interfaces:
 IN  (LAN)  
 Out (Internet)  
 DMZ

I wouldn't recommend the Hyper-V server to be directly connected to the Firewall.  It only needs to be connected to a switch port with the same VLAN as the Firewall's DMZ interface that's also connected to the switch.  

In addition, whether you have a layer 2 or layer 3 switch will help determine other architectural options; primarily, where is your inter-VLAN routing going to happen: on the L3 switch side, or on the firewall with an L2 switch? If you have an L2 switch then 802.1Q trunking (VLAN tagging) will be necessary for each of the VLANs you described, with routing controlled at the firewall level. So, for most of the VLANs that fall on the LAN side you can set up a trunk port. As for the DMZ, my preference usually is to have the DMZ on its own interface, but it's not an issue if you don't have a port available.

Trunking 1 or multiple interfaces? This will depend on your network bandwidth and the amount of traffic expected to go to each network. Also, there are other factors that depend on the size of your environment (number of users, internet-facing (DMZ) servers, and expected inbound and outbound internet traffic).
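The two replies above describe the same design from the switch side: one 802.1Q trunk carrying all VLANs to the firewall, and the Hyper-V host hanging off a switch port instead of a firewall port. Below is an added example of what that looks like on the Hyper-V host itself; it is not code from the thread or from any of the posters. It assumes the host's physical NIC is named `Ethernet 2` and is cabled to a switch port configured as a trunk carrying four VLANs, that the VLAN IDs 10/20/30/40, the switch name `vSwitch-Trunk` and the VM names `web01` and `app01` are placeholders chosen here, and that the two VMs already exist with one network adapter each. Run it in an elevated PowerShell session on the host.

```powershell
# Added example, not part of the original thread. Assumptions: NIC "Ethernet 2"
# is the host uplink to a switch port configured as an 802.1Q trunk; VLAN IDs,
# switch name and VM names below are placeholders chosen for illustration.

$Nic        = 'Ethernet 2'
$SwitchName = 'vSwitch-Trunk'
$VlanLan    = 10   # LAN
$VlanBackup = 20   # Backup
$VlanMgmt   = 30   # Management (network devices + Hyper-V host)
$VlanDmz    = 40   # DMZ (web server VM)

# One external vSwitch on the single trunked uplink. -AllowManagementOS $false
# avoids giving the parent partition an untagged adapter on the trunk; the
# host's own adapters are added explicitly and tagged below.
New-VMSwitch -Name $SwitchName -NetAdapterName $Nic -AllowManagementOS $false

# Parent-partition (host) adapter, confined to the Management VLAN. The host
# is only reachable from that VLAN; the LAN never sees it, which is the
# behaviour the asker got by cabling the host straight to the firewall.
Add-VMNetworkAdapter -ManagementOS -SwitchName $SwitchName -Name 'Mgmt'
Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName 'Mgmt' -Access -VlanId $VlanMgmt

# Optional second host adapter for a backup agent running in the parent
# partition, confined to the Backup VLAN.
Add-VMNetworkAdapter -ManagementOS -SwitchName $SwitchName -Name 'Backup'
Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName 'Backup' -Access -VlanId $VlanBackup

# Web server VM: attach to the same vSwitch but tag it as an access port in
# the DMZ VLAN. The vSwitch strips and inserts the 802.1Q tag, so the guest
# only ever sees VLAN 40 frames and cannot talk to LAN or Management except
# via the firewall, which is the gateway for that VLAN.
Connect-VMNetworkAdapter -VMName 'web01' -SwitchName $SwitchName
Set-VMNetworkAdapterVlan -VMName 'web01' -Access -VlanId $VlanDmz

# An internal VM on the same uplink, isolated into the LAN VLAN the same way.
Connect-VMNetworkAdapter -VMName 'app01' -SwitchName $SwitchName
Set-VMNetworkAdapterVlan -VMName 'app01' -Access -VlanId $VlanLan

# Verification: every adapter should report OperationMode "Access" and the
# intended AccessVlanId. Anything showing "Untagged" is a misconfiguration
# that would land the adapter in the switch port's native VLAN.
Get-VMNetworkAdapterVlan -ManagementOS
Get-VMNetworkAdapterVlan -VMName 'web01', 'app01'
```

Two points a practitioner should check before trusting this. First, the isolation is enforced by the vSwitch and the physical switch, not by the guest: anyone with Hyper-V administrator rights can re-tag `web01` into the LAN VLAN with one command, so host administration belongs in the Management VLAN with tight access. Second, the switch port facing the host must carry exactly these VLANs and its native VLAN should not be one of them; an untagged frame from a misconfigured adapter would otherwise land in the native VLAN. Traffic between VLANs still has to go up the trunk to the firewall and back, which is why the replies above tie the "one trunk or several links" decision to the expected load rather than to security.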
Silencer001 (asker) replied:

Hi Soulja and gsmartin, thanks for the suggestions.

@gsmartin: So I would connect the Hyper-V server in the same VLAN as the DMZ? At this moment I have directly connected a NIC on my server to the DMZ port on the firewall. Is it safe to put the Hyper-V server in the DMZ, and what is really the difference from putting it directly in contact with the firewall?

Actually, inter-VLAN routing is not necessary for me. Everything should work with the VLANs having to communicate with each other. This is also the reason why I hooked up the Hyper-V server to the firewall, so I could use port forwarding to RDP to this server. With this set-up the clients in the LAN network are unable to ping the physical server and are actually unaware of its existence.

The description of the switch says that it is an L2 switch, but I can change the port access to Layer 3. How can I see if the switch is layer 2 or layer 3?
Asker-certified solution, by gsmartin (United States):
This solution is only available to members.