Trunking or multiple connections on different VLANs

Hi everyone,

I am starting on a Hyper-V project. I have just worked the VLANs and network adapters out, but I am having "problems" with the switch. My network will have 4 networks:
* Backup
* Management for network devices and Hyper-V server
* DMZ network

I am going to implement VLANs on the switch for each of these networks. I think this is a good implementation?
But what happens to the connection from the firewall to the switch? Do I need a separate connection to each VLAN on the switch? I think this is necessary for the following reasons but I am not sure:
* LAN: well the clients need to have internet access so they need a connection to the firewall
* Backup: A backup server will be present at another location. So the backup VLAN should be connected to the firewall so replication to another backup server over the internet is
* DMZ: The firewall is directly connected to a NIC on the Hyper-V server because it hosts a virtual webserver which needs to be put into a DMZ.
* Management: Just so I can give the firewall an IP address in this VLAN and I can manage it only when I have a connection to this VLAN.

I was thinking about just 1 trunking interface but will it be enough for the load and will this also work? What are the good and bad things about trunking?

I hope you can help me.
gsmartin (Manager of IT) commented:
Sorry, I have been tied up with projects.

"Actually intervlan routing is not necessary for me. Everything should work with the VLAN's having to communicate with each other."

Just to clarify your statement. The only way VLANs can communicate with each other (in the typical sense, with the exception of ESX vSwitches) is with some form of layer 3 connectivity (router, firewall, etc...). Layer 2 protects and isolates VLANs from each other. InterVLAN routing is only necessary internally, and should not be used for DMZ and Outside (Firewall) interfaces. Typically, you would only do Layer 3 InterVLAN routing between internal VLANs that require communication. Select internal traffic can be allowed to communicate through the firewall to DMZ resources and/or out to the Outside interface to the Internet.

Honestly, I have not worked with Hyper-V much, but conceptually it shouldn't be much different than VMware's ESX in regards to networking (not exactly sure)? Basically, with an ESX hypervisor you have either a single or multiple network interfaces that can be applied to virtual switches. Each virtual switch can be assigned 1 or more VLANs (depending on your configuration), and virtual machines can talk to each other between v-switches on the same ESX host. Assuming Hyper-V has similar traits, you technically would want to isolate your Hyper-V environments from each other, i.e. you may have a group or two of Hyper-V servers for the internal use and communication, plus another for your DMZ environment, etc... This would be best practice for security purposes.


Another option: You can have all servers and/or Hyper-V servers on the inside of your network communicating (over Layer 3 protocols) internally using InterVLAN routing and then mapping traffic via the firewall. In turn, NATing specific IPs or ranges through the firewall to the inside of your network and vice versa. This is how we configure most of our corporate resources, whereas most production resources are configured on the firewall (out of the DMZ).

I assume the firewall is routing for the VLANs, correct? If it supports 802.1q then I don't see a reason not to trunk. If it supports multiple IP'd interfaces which would serve as the gateways for each VLAN, and you have the available ports, then I would just go that route.
gsmartin (Manager of IT) commented:
The architecture usually depends on the firewall and how many ports you have available. Typical implementation of a 3 or 4 port firewall using a single switch with multiple VLANs is as follows:
* IN (LAN)
* Out (Internet)

I wouldn't recommend the Hyper-V server to be directly connected to the Firewall.  It only needs to be connected to a switch port with the same VLAN as the Firewall's DMZ interface that's also connected to the switch.  

In addition, whether you have a layer 2 or layer 3 switch will help determine other architectural options; primarily, where is your interVLAN routing going to happen: on the L3 switch side, or on the firewall with an L2 switch? If you have an L2 switch then 802.1q trunking (VLAN tagging) will be necessary for each of the VLANs you described, with routing controlled at the firewall level. So, for most of the VLANs that fall on the LAN side you can set up a trunk port. As for the DMZ, my preference usually is to have the DMZ on its own interface, but it is not an issue if you don't have a port available.

Trunking 1 or multiple interfaces?  This will depend on your network bandwidth and the amount of traffic expected to go to each network.  Also, there are other factors that depend on the size of your environment (Number of Users, Internet based (DMZ) Servers, and Expected Inbound and Outbound Internet traffic).
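To make the two mechanisms discussed in this thread concrete (802.1Q tagging on a trunk port, and the firewall doing the only inter-VLAN forwarding), here is an added Python model that is not part of the original answers or anyone's real configuration. It builds and parses 802.1Q-tagged Ethernet frames, models the receive side of a trunk port with an allowed-VLAN list and a native VLAN, and applies a constructed inter-VLAN policy of the kind gsmartin describes (internal VLANs may reach the DMZ through the firewall, the DMZ never initiates back). The VLAN numbers, MAC addresses and policy rules are all constructed for the example.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # TPID that announces an 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800

# Constructed VLAN plan mirroring the four networks in the question (IDs are assumptions).
VLAN_PLAN = {10: "LAN", 20: "Backup", 30: "DMZ", 99: "Management"}
ALLOWED_ON_TRUNK = set(VLAN_PLAN)            # switch-side "allowed VLANs" for the trunk
FW_MAC = "00:11:22:33:44:01"                 # constructed firewall MAC
SRV_MAC = "00:11:22:33:44:02"                # constructed Hyper-V host MAC


def mac(s):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(s.replace(":", ""))


def build_frame(dst, src, payload, vid=None, pcp=0):
    """Ethernet II frame; with vid set, an 802.1Q tag is inserted after the MACs.
    TCI layout: PCP (3 bits) | DEI (1 bit, left 0) | VID (12 bits)."""
    hdr = mac(dst) + mac(src)
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("VID must be 1..4094")
        tci = (pcp << 13) | vid
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame):
    """Return (vid or None, inner ethertype, payload) for a tagged or untagged frame."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, inner = struct.unpack("!HH", frame[14:18])
        return tci & 0x0FFF, inner, frame[18:]
    return None, ethertype, frame[14:]


def trunk_ingress(frame, allowed_vids, native_vid=None):
    """Receive side of an 802.1Q trunk port.
    Tagged frames pass only if their VID is on the allowed list; untagged frames
    are placed in the native VLAN, or dropped when no native VLAN is configured
    (the common hardening choice, so nothing rides the trunk untagged)."""
    vid, ethertype, payload = parse_frame(frame)
    if vid is None:
        if native_vid is None:
            return None
        vid = native_vid
    if vid not in allowed_vids:
        return None
    return vid, ethertype, payload


# Constructed inter-VLAN policy for the firewall terminating the trunk:
# (source VLAN, destination VLAN) -> allowed TCP destination ports, or "*" for any.
# Anything not listed is denied, so DMZ -> LAN and DMZ -> Management never match.
POLICY = {
    (10, 30): {80, 443},                               # LAN -> DMZ web server only
    (10, 20): "*",                                     # LAN -> Backup
    (99, 10): "*", (99, 20): "*", (99, 30): "*",       # Management reaches everything
}


def firewall_permits(src_vid, dst_vid, dport):
    """Decide whether the firewall routes a flow between two VLANs."""
    if src_vid == dst_vid:
        return True            # same VLAN is switched at layer 2 and never hits the firewall
    rule = POLICY.get((src_vid, dst_vid))
    if rule is None:
        return False           # default deny
    return rule == "*" or dport in rule


if __name__ == "__main__":
    tagged = build_frame(FW_MAC, SRV_MAC, b"\x45" + b"\x00" * 19, vid=30)
    print("tagged frame ->", trunk_ingress(tagged, ALLOWED_ON_TRUNK))
    print("LAN -> DMZ :443 permitted:", firewall_permits(10, 30, 443))
    print("DMZ -> LAN :3389 permitted:", firewall_permits(30, 10, 3389))
```

Running the script shows a DMZ-tagged frame being accepted on the trunk, a frame tagged with a VLAN not in the allowed list (or untagged, when no native VLAN is set) being dropped, and the policy permitting LAN to reach the DMZ web ports while the DMZ cannot open anything back towards the LAN.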
Silencer001 (Author) commented:
Hi Soulja and gsmartin, thanks for the suggestions.

@gsmartin: So I would connect the Hyper-V server in the same VLAN as the DMZ? At this moment I have directly connected a NIC on my server to the DMZ port on the firewall. Is it safe to put the Hyper-V server in the DMZ, and what is really the difference with putting it directly in contact with the firewall?

Actually intervlan routing is not necessary for me. Everything should work with the VLANs having to communicate with each other. This is also the reason why I hooked up the Hyper-V server to the firewall, so I could use port forwarding to RDP to this server. With this set-up the clients in the LAN network are unable to ping the physical server and are actually unaware of its existence.

The description of the switch says that it is a L2 switch, but I can change the port access to Layer 3. How can I see if the switch is layer 2 or layer 3?