Solved

VLAN conundrum.

Posted on 2014-01-03
Last Modified: 2016-11-23
Hi All

I have a wee puzzle on my blade enclosure (M1000) and switches (Dell 6220 x 4) with external Dell switches (6224 x 2). The Blades host VMware virtual machines. The current setup is: the 6220 switches have a number of VLANs which are combined in a single trunk to the external 6224 switches, which then go to their relative physical devices. The question now is: I need to add a DMZ to service my virtual servers. What are my options?

1. Create another VLAN on the 6220 switches and use the trunk to the 6224 switches and create a VLAN with no route to connect to the Firewall?

2. Create a VLAN on the 6220 switches and connect it directly to an aggregation switch then connect it to the Firewall?

3. Something Else?

Any help would be appreciated.
Question by:Eric
7 Comments
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 39753670
Since you already have the trunk why choose for the aggregation?
LVL 17

Assisted Solution

by:Spartan_1337
Spartan_1337 earned 150 total points
ID: 39753675
1. Not recommended or best practice. You don't want to mix DMZ traffic with internal (regardless of VLAN segregation) on a trunk uplink.

2. If you have free ports on the blade, just set two NICs for DMZ access only and then you can either put them on the 6220 or a DMZ switch.
LVL 27

Assisted Solution

by:Steve
Steve earned 50 total points
ID: 39753744
The guys above are right to question the validity of having DMZ traffic flowing via the same connections as 'internal' traffic. This is not ideal.

Do you have enough NICs to allow a separate connection to the DMZ?

Just set up a new virtual switch in ESX and link it to the new NIC(s). This separates the traffic and ensures only VMs connected to it are exposed to the DMZ traffic.
LVL 57

Expert Comment

by:giltjr
ID: 39753748
I agree with Spartan_1337.

If possible, use separate physical connections between the 6220 and 6224 on a separate VLAN. The ports for this VLAN between the 6220 and 6224 should be access mode, not trunk mode.

Then between the 6224 and the firewall you have a few options:

1) Put the DMZ on the same VLAN that the firewall is on and point your DMZ hosts to the inside interface of the firewall as the default route.

2) If your firewall has an additional interface, connect it to the 6224. Set up a new VLAN and put the DMZ hosts and this interface on that VLAN. The DMZ hosts will point to the inside interface's IP address of the new VLAN as their default route.

3) Put the DMZ hosts on a new VLAN/IP subnet, set up an L3 SVI on the 6224, have the DMZ hosts point to this as their default route, and use the 6224 as a router between the DMZ network and the firewall. Use ACLs on the 6224 to filter traffic to/from the DMZ.

The 3rd option allows internal users to access the DMZ hosts without having to go through the firewall. This will reduce the overhead on your firewall, but adds overhead to your 6224. It just depends on how much internal traffic to/from the DMZ you will have and what firewall you have.
Author Comment

by:Eric
ID: 39753980
Hi All

Thank you for all the suggestions and information

@giltjr and Spartan_1337 - I have spare NICs on the blades and spare ports on the enclosure 6220 switches, but I don't have enough spare ports on the 6224 switches - hence the question of directly attaching to an unmanaged aggregation switch before the firewall. I think suggestion 2 might be the way I need to go as I have a DMZ connection on the Firewall. I don't anticipate a large amount of traffic as it is an HA/DR site.
LVL 57

Accepted Solution

by:giltjr
giltjr earned 300 total points
ID: 39754020
Since you don't have enough ports on the 6224, if the DMZ port on the firewall is not in use, you could connect it directly to a port on the 6220.  This does mean you have one path out from the Blade Center.

Although it is not recommended, you can technically add the DMZ VLAN to the trunk between the 6220 and 6224 and do #1. This way all DMZ traffic (inside and outside) is forced through the firewall. Not the most secure setup, but not bad. If you are doing this, I would make sure that VLAN 1 is NOT your native VLAN. In fact I would make sure that you do not use VLAN 1 anyplace at all.

As more vendors harden their VLAN code in L2 and L3 switches, it is becoming harder to "jump" VLANs.
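A small config audit that checks the two points giltjr raises above (the native VLAN on the trunk should not be VLAN 1, and VLAN 1 should not be in use anywhere) plus the earlier concern about the DMZ VLAN sharing the internal trunk. This is an added example, not code from the thread or from Dell; the sample config is constructed in the Cisco-style CLI syntax the 62xx switches use (an assumption; exact commands vary by firmware), and the DMZ VLAN id is hypothetical.

```python
import re

# Constructed sample running-config (an assumption about 62xx CLI syntax).
SAMPLE_CONFIG = """\
interface ethernet 1/g1
 switchport mode trunk
 switchport trunk allowed vlan add 10,20,30
 switchport trunk native vlan 1
interface ethernet 1/g2
 switchport mode access
 switchport access vlan 1
interface ethernet 1/g3
 switchport mode trunk
 switchport trunk allowed vlan add 10,20
 switchport trunk native vlan 999
interface ethernet 1/g4
 switchport mode access
 switchport access vlan 30
"""

DMZ_VLAN = 30  # hypothetical DMZ VLAN id

def parse_interfaces(config):
    """Map interface name -> mode, native VLAN, allowed VLANs, access VLAN.
    Defaults mirror switch behaviour: native and access VLAN are 1 unless set."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"interface (\S+ \S+)", line)
        if m:
            cur = ifaces.setdefault(m.group(1), {"mode": "access", "native": 1,
                                                 "allowed": set(), "access": 1})
        elif cur is None:
            continue
        elif line.startswith("switchport mode "):
            cur["mode"] = line.split()[-1]
        elif line.startswith("switchport trunk native vlan "):
            cur["native"] = int(line.split()[-1])
        elif line.startswith("switchport trunk allowed vlan add "):
            cur["allowed"].update(int(v) for v in line.split()[-1].split(","))
        elif line.startswith("switchport access vlan "):
            cur["access"] = int(line.split()[-1])
    return ifaces

def audit(config, dmz_vlan):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    for name, i in parse_interfaces(config).items():
        if i["mode"] == "trunk" and i["native"] == 1:
            findings.append(f"{name}: trunk native VLAN is 1")
        if i["mode"] == "trunk" and dmz_vlan in i["allowed"] and i["allowed"] - {dmz_vlan}:
            findings.append(f"{name}: DMZ VLAN {dmz_vlan} shares trunk with "
                            f"{sorted(i['allowed'] - {dmz_vlan})}")
        if i["mode"] == "access" and i["access"] == 1:
            findings.append(f"{name}: access port left in VLAN 1")
    return findings
```

On the sample above, ports 1/g1 and 1/g2 each produce findings while 1/g3 and 1/g4 (dedicated native VLAN, DMZ on its own access port) pass.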
Author Closing Comment

by:Eric
ID: 39754076
Many thanks to All for your suggestions and input - I may have to use an amalgam of a few of the suggestions to achieve my end goal, but I think the suggestion from giltjr is most helpful.