Solved

VLAN conundrum.

Posted on 2014-01-03
Last Modified: 2016-11-23
Hi All

I have a wee puzzle on my blade enclosure (M1000) and switches (Dell 6220 x 4) with external Dell switches (6224 x 2). The Blades host VMware virtual machines. The current setup is: the 6220 switches have a number of VLANs which are combined in a single trunk to the external 6224 switches, which then go to their relative physical devices. The question now is: I need to add a DMZ to service my virtual servers, what are my options?

1. Create another VLAN on the 6220 switches and use the trunk to the 6224 switches and create a VLAN with no route to connect to the Firewall?

2. Create a VLAN on the 6220 switches and connect it directly to an aggregation switch then connect it to the Firewall?

3. Something Else?

Any help would be appreciated.
Question by:Eric
7 Comments
LVL 25

Expert Comment

by:Zephyr ICT
ID: 39753670
Since you already have the trunk why choose for the aggregation?
LVL 17

Assisted Solution

by:Spartan_1337
Spartan_1337 earned 150 total points
ID: 39753675
1. Not recommended or best practice. You don't want to mix DMZ traffic with internal (regardless of VLAN segregation) on a trunk uplink.

2. If you have free ports on the blade, just set two NICs for DMZ access only and then you can either put them on the 6220 or a DMZ switch.
LVL 27

Assisted Solution

by:Steve
Steve earned 50 total points
ID: 39753744
The guys above are right to question the validity of having DMZ traffic flowing via the same connections as 'internal' traffic. This is not ideal.

Do you have enough NICs to allow a separate connection to the DMZ?

Just set up a new virtual switch in ESX and link it to the new NIC(s). This separates the traffic and ensures only VMs connected to it are exposed to the DMZ traffic.
LVL 57

Expert Comment

by:giltjr
ID: 39753748
I agree with Spartan_1337.

If possible, use separate physical connections between the 6220 and 6224 on a separate VLAN. The ports for this VLAN between the 6220 and 6224 should be access mode, not trunk mode.

Then between the 6224 and the firewall you have a few options:

1) Put the DMZ on the same VLAN that the firewall is on and point your DMZ hosts to the inside interface of the firewall as the default route.

2) If your firewall has an additional interface, connect it to the 6224. Set up a new VLAN and put the DMZ hosts and this interface on that VLAN. The DMZ hosts will point to the inside interface's IP address of the new VLAN as their default route.

3) Put the DMZ hosts on a new VLAN/IP subnet, set up a L3 SVI on the 6224, have the DMZ hosts point to this as their default route, and use the 6224 as a router between the DMZ network and the firewall. Use ACLs on the 6224 to filter traffic to/from the DMZ.

The 3rd option allows internal users to access the DMZ hosts without having to go through the firewall. This will reduce the overhead on your firewall, but adds overhead to your 6224. It just depends on how much internal traffic to/from the DMZ you will have and what firewall you have.
Author Comment

by:Eric
ID: 39753980
Hi All

Thank you for all the suggestions and information

@giltjr and Spartan_1337 - I have spare NICs on the blades and spare ports on the enclosure 6220 switches, but I don't have enough spare ports on the 6224 switches - hence the question of directly attaching to an unmanaged aggregation switch before the firewall. I think suggestion 2 might be the way I need to go as I have a DMZ connection on the Firewall. I don't anticipate a large amount of traffic as it is a HA/DR site.
LVL 57

Accepted Solution

by:giltjr
giltjr earned 300 total points
ID: 39754020
Since you don't have enough ports on the 6224, if the DMZ port on the firewall is not in use, you could connect it directly to a port on the 6220.  This does mean you have one path out from the Blade Center.

Although it is not recommended, you can technically add the DMZ VLAN to the trunk between the 6220 and 6224 and do #1.   This way all  DMZ traffic (inside and outside) is forced through the firewall.  Not the most secure setup, but not bad.  If you are doing this, I would make sure that VLAN 1 is NOT your native vlan.  In fact I would make sure that you do not use VLAN 1 anyplace at all.

As more vendors harden their VLAN code in L2 and L3 switches, it is becoming harder to "jump" VLANs.
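The advice in the accepted answer about keeping VLAN 1 off the trunk's native VLAN (and out of use entirely) can be checked mechanically. The following added example is not from the thread: it parses a constructed Cisco-style switch configuration and flags trunk ports left on the default native VLAN 1 and access ports placed in VLAN 1. The Dell 6200-series CLI is similar, but the exact command syntax used here is an assumption.

```python
"""Audit a switch config for the VLAN 1 concerns raised in the accepted
answer: trunk ports whose native VLAN is still 1, and any access port in
VLAN 1. Added example; config syntax is Cisco-style (assumed) and the
sample config below is constructed, not taken from the thread."""
import re

# Constructed sample config; port names and VLAN numbers are made up.
SAMPLE_CONFIG = """
interface ethernet 1/g1
 description uplink-to-6224
 switchport mode trunk
 switchport trunk allowed vlan add 10,20,30
interface ethernet 1/g2
 description dmz-to-firewall
 switchport mode access
 switchport access vlan 30
interface ethernet 1/g3
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan add 10,20
interface ethernet 1/g4
 switchport mode access
 switchport access vlan 1
"""


def parse_interfaces(config):
    """Return {interface_name: {"mode": ..., "native": ..., "access": ...}}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            # Both native and access VLAN default to 1 when not set explicitly
            interfaces[current] = {"mode": "access", "native": 1, "access": 1}
        elif current and line.startswith("switchport mode "):
            interfaces[current]["mode"] = line.split()[-1]
        elif current and (m := re.match(r"switchport trunk native vlan (\d+)", line)):
            interfaces[current]["native"] = int(m.group(1))
        elif current and (m := re.match(r"switchport access vlan (\d+)", line)):
            interfaces[current]["access"] = int(m.group(1))
    return interfaces


def audit_vlan1(config):
    """Return (interface, finding) pairs for every use of VLAN 1."""
    findings = []
    for name, port in parse_interfaces(config).items():
        if port["mode"] == "trunk" and port["native"] == 1:
            findings.append((name, "trunk native VLAN is 1"))
        if port["mode"] == "access" and port["access"] == 1:
            findings.append((name, "access port in VLAN 1"))
    return findings
```

Run `audit_vlan1(SAMPLE_CONFIG)` to see the uplink trunk and the stray access port flagged; a trunk that has been given an unused native VLAN (1/g3) passes.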
Author Closing Comment

by:Eric
ID: 39754076
Many thanks to All for your suggestions and input - I may have to use an amalgam of a few of the suggestions to achieve my end goal, but I think the suggestion from giltjr is most helpful.