

Trunking or multiple connections on different vlan

Posted on 2011-09-15
Medium Priority
Last Modified: 2012-05-12
Hi everyone,

I am starting on a Hyper-V project. I have just worked the VLANs and network adapters out, but I am having "problems" with the switch. My network will have 4 networks:
* Backup
* Management for network devices and Hyper-V server
* DMZ network

I am going to implement VLANs on the switch for each of these networks. I think this is a good implementation?
But what happens to the connection from the firewall to the switch? Do I need a separate connection to each VLAN on the switch? I think this is necessary for the following reasons, but I am not sure:
* LAN: well, the clients need to have internet access so they need a connection to the firewall
* Backup: A backup server will be present at another location. So the backup VLAN should be connected to the firewall so replication to another backup server over the internet is
* DMZ: The firewall is directly connected to a NIC on the Hyper-V server because it hosts a virtual webserver which needs to be put into a DMZ.
* Management: Just so I can give the firewall an IP address in this VLAN and I can manage it only when I have a connection to this VLAN.

I was thinking about just 1 trunking interface but will it be enough for the load and will this also work? What are the good and bad things about trunking?

I hope you can help me.
Question by:Silencer001

Expert Comment

ID: 36547099
I assume the firewall is routing for the VLANs, correct? If it supports 802.1Q then I don't see a reason not to trunk. If it supports multiple IP'd interfaces which would serve as the gateways for each VLAN, and you have the available ports, then I would just go that route.

Expert Comment

ID: 36551297
The architecture usually depends on the firewall and how many ports you have available.  Typical implementation of a 3 or 4 port firewall using a single switch with multiple VLANs is as follows:
 IN  (LAN)  
 Out (Internet)  

I wouldn't recommend the Hyper-V server to be directly connected to the Firewall.  It only needs to be connected to a switch port with the same VLAN as the Firewall's DMZ interface that's also connected to the switch.  

In addition, whether you have a layer 2 or layer 3 switch will help determine other architectural options; primarily, where is your interVLAN routing going to happen: on the L3 switch side, or on the firewall with a L2 switch?  If you have an L2 switch then 802.1q trunking (VLAN tagging) will be necessary for each of the VLANs you described - routing controlled at the firewall level.  So, for most of the VLANs that fall on the LAN side you can set up a trunk port.  As for the DMZ, my preference usually is to have the DMZ on its own interface, but not an issue if you don't have a port available.

Trunking 1 or multiple interfaces?  This will depend on your network bandwidth and the amount of traffic expected to go to each network.  Also, there are other factors that depend on the size of your environment (Number of Users, Internet based (DMZ) Servers, and Expected Inbound and Outbound Internet traffic).

Author Comment

ID: 36558972
Hi Soulja and gsmartin, thanks for the suggestions.

@gsmartin: So I would connect the Hyper-V server in the same VLAN as the DMZ? At this moment I have directly connected a NIC on my server to the DMZ port on the firewall. Is it safe to put the Hyper-V server in the DMZ, and what is really the difference with putting it directly in contact with the firewall?

Actually interVLAN routing is not necessary for me. Everything should work with the VLANs having to communicate with each other. This is also the reason why I hooked up the Hyper-V server to the firewall, so I could use port forwarding to RDP to this server. With this set-up the clients in the LAN network are unable to ping the physical server and are actually unaware of its existence.

The description of the switch says that it is a L2 switch, but I can change the port access to Layer 3. How can I see if the switch is layer 2 or layer 3?

Accepted Solution

gsmartin earned 1000 total points
ID: 36954402
Sorry, I have been tied up with projects.

"Actually intervlan routing is not necessary for me. Everything should work with the VLAN's having to communicate with each other."

Just to clarify your statement.  The only way VLANs can communicate with each other in the (typical sense - with exception of ESX vSwitches) is with some form of layer 3 connectivity (router, firewall, etc...).  Layer 2 protects and isolates VLANs from each other.  InterVLAN routing is only necessary internally, and should not be used for DMZ and Outside (Firewall) Interfaces.  Typically, you would only do Layer 3 InterVLAN routing between internal VLANs that require communication.  Select Internal traffic can be allowed to communicate through the firewall to DMZ resources and/or out to the Outside Interface to the Internet.

Honestly, I have not worked with Hyper-V much, but conceptually it shouldn't be much different than VMware's ESX in regards to networking (not exactly sure)?  Basically, with an ESX hypervisor you have either a single or multiple network interfaces that can be applied to virtual switches.  Each virtual switch can be assigned 1 or more VLANs (depending on your configuration), and virtual machines can talk to each other between v-switches on the same ESX host.  Assuming Hyper-V has similar traits, you technically would want to isolate your Hyper-V environments from each other, i.e. you may have a group or two of Hyper-V servers for internal use and communication, plus another for your DMZ environment, etc.  This would be best practice for security purposes.

e.g. http://www.vmware.com/technical-resources/virtual-networking/networking-basics.html

Another option:  You can have all servers and/or Hyper-V servers on the inside of your network communicating (over Layer 3 protocols) internally using InterVLAN routing and then mapping traffic via the firewall.  In turn, NATing specific IPs or ranges through the firewall to the inside of your network and vice versa.  This is how we configure most of our corporate resources, whereas most production resources are configured on the firewall (outside of the DMZ).
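The two points made in this thread, that one 802.1Q trunk can carry all four VLANs to the firewall (gsmartin's first comment) and that frames never cross from one VLAN to another without a layer 3 hop (the accepted solution), can be seen in a small Python model of a learning switch with access ports and one trunk. This is an added example and not code from the thread or from any switch vendor; the port names, VLAN IDs and MAC addresses are made up.

```python
import struct

TPID_8021Q = 0x8100       # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def mac(text):
    """'02:00:00:00:10:01' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, payload, vid=None, ethertype=ETHERTYPE_IPV4):
    """Ethernet frame; when vid is given a 4-byte tag (TPID + TCI) is
    inserted between the source MAC and the EtherType."""
    hdr = dst + src
    if vid is not None:
        tci = vid & 0x0FFF                    # PCP=0, DEI=0, 12-bit VLAN ID
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vid or None, ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid, off = None, 14
    if ethertype == TPID_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        vid = tci & 0x0FFF
        (ethertype,) = struct.unpack("!H", frame[16:18])
        off = 18
    return dst, src, vid, ethertype, frame[off:]


class Port:
    def __init__(self, mode, vlan=None, allowed=(), native=None):
        self.mode = mode              # "access" (one untagged VLAN) or "trunk" (tagged VLANs)
        self.vlan = vlan              # access VLAN
        self.allowed = set(allowed)   # VLANs carried tagged on a trunk
        self.native = native          # VLAN for untagged frames on a trunk (None: drop them)

    def carries(self, vid):
        return vid == self.vlan if self.mode == "access" else vid in self.allowed


class L2Switch:
    """Learning bridge whose MAC table is keyed per VLAN: a frame can only be
    forwarded to ports that carry the VLAN it was classified into on ingress."""

    def __init__(self, ports):
        self.ports = ports
        self.mac_table = {}           # (vid, mac) -> port name

    def classify(self, pname, frame):
        """VLAN the ingress frame belongs to, or None if the port must drop it."""
        port = self.ports[pname]
        vid = parse_frame(frame)[2]
        if port.mode == "access":
            return port.vlan if vid is None else None   # tagged frames on an access port are dropped
        if vid is None:
            return port.native
        return vid if vid in port.allowed else None

    def egress(self, pname, frame, vid):
        """Access ports and a trunk's native VLAN send untagged; trunks tag everything else."""
        port = self.ports[pname]
        dst, src, _, ethertype, payload = parse_frame(frame)
        tag = None if port.mode == "access" or vid == port.native else vid
        return build_frame(dst, src, payload, tag, ethertype)

    def forward(self, pname, frame):
        """Return [(port, frame_as_sent)] for one ingress frame."""
        vid = self.classify(pname, frame)
        if vid is None:
            return []
        dst, src = parse_frame(frame)[:2]
        self.mac_table[(vid, src)] = pname               # learn the source in this VLAN only
        known = self.mac_table.get((vid, dst))
        if known is None:                                 # unknown destination: flood within the VLAN
            targets = [p for p, port in self.ports.items() if p != pname and port.carries(vid)]
        else:
            targets = [] if known == pname else [known]
        return [(p, self.egress(p, frame, vid)) for p in targets]


def build_demo_switch():
    """Constructed topology: the thread's four networks plus one trunk to the firewall."""
    return L2Switch({
        "gi0/1": Port("access", vlan=10),                    # LAN client
        "gi0/2": Port("access", vlan=20),                    # backup server
        "gi0/3": Port("access", vlan=30),                    # management
        "gi0/4": Port("access", vlan=40),                    # Hyper-V DMZ NIC
        "gi0/24": Port("trunk", allowed=(10, 20, 30, 40)),   # 802.1Q trunk to the firewall
    })


LAN_PC, FW, DMZ_VM = mac("02:00:00:00:10:01"), mac("02:00:00:00:ff:01"), mac("02:00:00:00:40:01")


def demo():
    sw = build_demo_switch()
    # The firewall's VLAN 10 sub-interface speaks first, so the switch learns it behind the trunk.
    sw.forward("gi0/24", build_frame(LAN_PC, FW, b"arp-reply", vid=10))
    # LAN client -> its gateway: a single unicast onto the trunk, tagged with VID 10.
    to_fw = sw.forward("gi0/1", build_frame(FW, LAN_PC, b"http"))
    # LAN client -> the DMZ VM's MAC: unknown in VLAN 10, so flooded only to ports carrying VLAN 10.
    to_dmz = sw.forward("gi0/1", build_frame(DMZ_VM, LAN_PC, b"rdp"))
    # An untagged frame on a trunk that has no native VLAN is discarded.
    stray = sw.forward("gi0/24", build_frame(LAN_PC, FW, b"stray"))
    return {
        "to_fw_ports": [p for p, _ in to_fw],
        "to_fw_vid": parse_frame(to_fw[0][1])[2],
        "to_dmz_ports": [p for p, _ in to_dmz],
        "untagged_on_trunk": len(stray),
    }
```

Running demo() shows the client's frame to its gateway leaving gi0/24 with tag 10, while the frame addressed directly to the DMZ VM's MAC is flooded only within VLAN 10 and never appears on gi0/4. The firewall's sub-interface on the trunk is therefore the only path between the networks, which is where the port-forward and filtering rules belong; the same holds for the Hyper-V DMZ NIC once it sits on an access port in the DMZ VLAN instead of on a dedicated firewall port.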
