Solved

VLAN conundrum.

Posted on 2014-01-03
Last Modified: 2016-11-23
Hi All

I have a wee puzzle on my blade enclosure (M1000) and switches (Dell 6220 x 4) with external Dell switches (6224 x 2). The Blades host VMware virtual machines. The current set-up is: the 6220 switches have a number of VLANs which are combined in a single trunk to the external 6224 switches, which then go to their relative physical devices. The question now is: I need to add a DMZ to service my virtual servers, what are my options?

1. Create another VLAN on the 6220 switches and use the trunk to the 6224 switches and create a VLAN with no route to connect to the Firewall?

2. Create a VLAN on the 6220 switches and connect it directly to an aggregation switch then connect it to the Firewall?

3. Something Else?

Any help would be appreciated.
Question by: Eric

7 Comments
Expert Comment by: Zephyr ICT (ID: 39753670)

Since you already have the trunk, why choose the aggregation?
Assisted Solution by: James H (earned 600 total points, ID: 39753675)

1. Not recommended or best practice. You don't want to mix DMZ traffic with internal (regardless of VLAN segregation) on a trunk uplink.

2. If you have free ports on the blade, just set two NICs for DMZ access only, and then you can put them on either the 6220 or a DMZ switch.
Assisted Solution by: Steve (earned 200 total points, ID: 39753744)

The guys above are right to question the validity of having DMZ traffic flowing via the same connections as 'internal' traffic. This is not ideal.

Do you have enough NICs to allow a separate connection to the DMZ?

Just set up a new virtual switch in ESX and link it to the new NIC(s). This separates the traffic and ensures only VMs connected to it are exposed to the DMZ traffic.
Expert Comment by: giltjr (ID: 39753748)

I agree with Spartan_1337.

If possible, use separate physical connections between the 6220 and 6224 on a separate VLAN. The ports for this VLAN between the 6220 and 6224 should be access mode, not trunk mode.

Then between the 6224 and the firewall you have a few options:

1) Put the DMZ on the same VLAN that the firewall is on and point your DMZ hosts to the inside interface of the firewall as the default route.

2) If your firewall has an additional interface, connect it to the 6224. Set up a new VLAN and put the DMZ hosts and this interface on that VLAN. The DMZ hosts will point to the inside interface's IP address of the new VLAN as their default route.

3) Put the DMZ hosts on a new VLAN/IP subnet, set up a L3 SVI on the 6224, have the DMZ hosts point to this as their default route, and use the 6224 as a router between the DMZ network and the firewall. Use ACLs on the 6224 to filter traffic to/from the DMZ.

The 3rd option allows internal users to access the DMZ hosts without having to go through the firewall. This will reduce the overhead on your firewall, but adds overhead to your 6224. Just depends on how much internal traffic to/from the DMZ you will have and what firewall you have.
Author Comment by: Eric (ID: 39753980)

Hi All

Thank you for all the suggestions and information.

@giltjr and Spartan_1337 - I have spare NICs on the blades and spare ports on the enclosure 6220 switches, but I don't have enough spare ports on the 6224 switches - hence the question of directly attaching to an unmanaged aggregation switch before the firewall. I think suggestion 2 might be the way I need to go as I have a DMZ connection on the Firewall. I don't anticipate a large amount of traffic as it is an HA/DR site.
Accepted Solution by: giltjr (earned 1200 total points, ID: 39754020)

Since you don't have enough ports on the 6224, if the DMZ port on the firewall is not in use, you could connect it directly to a port on the 6220. This does mean you have one path out from the Blade Center.

Although it is not recommended, you can technically add the DMZ VLAN to the trunk between the 6220 and 6224 and do #1. This way all DMZ traffic (inside and outside) is forced through the firewall. Not the most secure setup, but not bad. If you are doing this, I would make sure that VLAN 1 is NOT your native VLAN. In fact I would make sure that you do not use VLAN 1 anyplace at all.

As more vendors harden their VLAN code in L2 and L3 switches, it is becoming harder to "jump" VLANs.
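As an added illustration of the two switch-side recommendations giltjr makes in this thread (a dedicated access-mode link that carries only the DMZ VLAN, and, if the DMZ has to share the existing trunk, moving the native VLAN off VLAN 1 and keeping VLAN 1 off the trunk), here is a configuration fragment written in the style of the Dell PowerConnect 6224 CLI. It is an example added here, not configuration posted by anyone in the thread. The VLAN IDs (30 for the DMZ, 999 as an otherwise unused native VLAN), the port numbers (1/g24, 1/g48) and the exact command spellings are assumptions and should be checked against the CLI reference for the firmware actually running on the 6224 and the M6220 blade switches.

```text
! Added example, not from the thread. Assumed values: VLAN 30 = DMZ,
! VLAN 999 = unused native VLAN, port 1/g24 = dedicated DMZ link to the
! M6220, port 1/g48 = existing trunk to the M6220.
! Syntax approximates the PowerConnect 6224 CLI; verify against your firmware guide.

configure
vlan database
 vlan 30
 vlan 999
exit

interface vlan 30
 name "DMZ"
exit

! Option A (giltjr's first post): a separate physical link that carries ONLY
! the DMZ VLAN. Access mode means no other VLAN tag is accepted on this port.
interface ethernet 1/g24
 description "DMZ access link to M6220"
 switchport mode access
 switchport access vlan 30
exit

! Option B (accepted answer): if the DMZ VLAN must share the existing trunk,
! tag it explicitly, move the native (untagged) VLAN off VLAN 1, and remove
! VLAN 1 from the trunk so it is not carried anywhere.
interface ethernet 1/g48
 description "Trunk to M6220"
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan add 30
 switchport trunk allowed vlan remove 1
exit

! Checks: VLAN 30 should show untagged only on 1/g24 and tagged on 1/g48,
! and the trunk's native VLAN should read 999, not 1.
show vlan id 30
show interfaces switchport ethernet 1/g48
```

The two `show` commands at the end are the verification step: after applying either option, confirm that the DMZ VLAN appears only where intended and that no port still reports VLAN 1 as its native VLAN. Whichever option is used, the DMZ hosts' default gateway is still the firewall's DMZ-side interface, as described in the thread.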
Author Closing Comment by: Eric (ID: 39754076)

Many thanks to All for your suggestions and input - I may have to use an amalgam of a few of the suggestions to achieve my end goal, but I think the suggestion from giltjr is most helpful.