VLAN conundrum.

Hi All

I have a wee puzzle on my blade enclosure (M1000) and switches (Dell 6220 x 4) with external Dell switches (6224 x 2). The blades host VMware virtual machines. The current set-up is: the 6220 switches have a number of VLANs which are combined in a single trunk to the external 6224 switches, which then go to their relative physical devices. The question now is: I need to add a DMZ to service my virtual servers; what are my options?

1. Create another VLAN on the 6220 switches and use the trunk to the 6224 switches and create a VLAN with no route to connect to the Firewall?

2. Create a VLAN on the 6220 switches and connect it directly to an aggregation switch then connect it to the Firewall?

3. Something Else?

Any help would be appreciated.
Asked by: Eric

3 Solutions

Zephyr ICT (Cloud Architect) commented:
Since you already have the trunk, why choose the aggregation switch?
James H (IT Director) commented:
1. Not recommended or best practice. You don't want to mix DMZ traffic with internal (regardless of VLAN segregation) on a trunk uplink.

2. If you have free ports on the blade, just set two NICs for DMZ access only and then you can either put them on the 6220 or a DMZ switch.
Steve commented:
The guys above are right to question the validity of having DMZ traffic flowing via the same connections as 'internal' traffic. This is not ideal.

Do you have enough NICs to allow a separate connection to the DMZ?

Just set up a new virtual switch in ESX and link it to the new NIC(s). This separates the traffic and ensures only VMs connected to it are exposed to the DMZ traffic.
giltjr commented:
I agree with Spartan_1337.

If possible, use separate physical connections between the 6220 and 6224 on a separate VLAN. The ports for this VLAN between the 6220 and 6224 should be in access mode, not trunk mode.

Then between the 6224 and the firewall you have a few options:

1) Put the DMZ on the same VLAN that the firewall is on and point your DMZ hosts to the inside interface of the firewall as the default route.

2) If your firewall has an additional interface, connect it to the 6224. Set up a new VLAN and put the DMZ hosts and this interface on that VLAN. The DMZ hosts will point to the inside interface's IP address on the new VLAN as their default route.

3) Put the DMZ hosts on a new VLAN/IP subnet, set up an L3 SVI on the 6224, have the DMZ hosts point to this as their default route, and use the 6224 as a router between the DMZ network and the firewall. Use ACLs on the 6224 to filter traffic to/from the DMZ.

The 3rd option allows internal users to access the DMZ hosts without having to go through the firewall. This will reduce the overhead on your firewall, but adds overhead to your 6224. It just depends on how much internal traffic to/from the DMZ you will have and what firewall you have.
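A worked model of option 3, added here as an illustration and not part of giltjr's post: the 6224 holds an SVI in the DMZ VLAN and one in the internal VLAN, and a stateless ACL applied inbound on each SVI decides what crosses between them. The addressing (10.10.0.0/16 internal, 192.168.50.0/24 DMZ, 10.10.5.0/24 admin jump subnet, 10.10.0.53 internal resolver) is constructed for the example. The `established` match (permit only TCP segments with ACK set, so replies to sessions that internal users opened can get back through) assumes the switch's ACL engine can match TCP flags; confirm that for your platform before relying on it, because without it the "deny DMZ to internal" rule silently breaks every internally initiated session. The evaluator uses first-match semantics with an implicit deny at the end, which is how router ACLs behave.

```python
"""Model the option-3 ACL design: the 6224 routes between the DMZ and internal VLANs.

Added example with constructed addressing; not configuration from the thread.
"""
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional


class Rule(NamedTuple):
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (any protocol)
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    dport: Optional[int] = None  # destination port; None matches any port
    established: bool = False    # TCP reply traffic only (ACK set); assumes the
                                 # switch ACL can match TCP flags


class Flow(NamedTuple):
    proto: str
    src: str
    dst: str
    dport: int = 0
    ack: bool = False            # True for segments of an already open TCP session


# Constructed addressing for the example (not from the thread)
INTERNAL = "10.10.0.0/16"        # internal user VLANs behind the 6224
DMZ = "192.168.50.0/24"          # new DMZ VLAN / SVI on the 6224
ADMIN = "10.10.5.0/24"           # admin jump subnet allowed to SSH into the DMZ
DNS = "10.10.0.53/32"            # internal resolver the DMZ hosts may query
ANY = "0.0.0.0/0"

# Applied inbound on the internal-facing SVI: what internal users may start toward the DMZ.
ACL_FROM_INTERNAL: List[Rule] = [
    Rule("permit", "tcp", INTERNAL, DMZ, 443),
    Rule("permit", "tcp", ADMIN, DMZ, 22),
    Rule("deny", "ip", INTERNAL, DMZ),         # everything else internal -> DMZ is dropped
    Rule("permit", "ip", ANY, ANY),            # internal -> firewall/Internet is untouched
]

# Applied inbound on the DMZ SVI: what DMZ hosts may send back into the switch.
ACL_FROM_DMZ: List[Rule] = [
    Rule("permit", "tcp", DMZ, INTERNAL, established=True),  # replies to internal sessions
    Rule("permit", "udp", DMZ, DNS, 53),
    Rule("deny", "ip", DMZ, INTERNAL),         # a DMZ host must never initiate inward
    Rule("permit", "ip", DMZ, ANY),            # the rest is routed on to the firewall
]


def matches(rule: Rule, flow: Flow) -> bool:
    """Stateless match: protocol, source/destination prefix, port and ACK flag."""
    if rule.proto != "ip" and rule.proto != flow.proto:
        return False
    if ip_address(flow.src) not in ip_network(rule.src):
        return False
    if ip_address(flow.dst) not in ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != flow.dport:
        return False
    if rule.established and not (flow.proto == "tcp" and flow.ack):
        return False
    return True


def evaluate(acl: List[Rule], flow: Flow) -> str:
    """First matching rule wins; a router ACL ends in an implicit deny."""
    for rule in acl:
        if matches(rule, flow):
            return rule.action
    return "deny"


if __name__ == "__main__":
    print(evaluate(ACL_FROM_INTERNAL, Flow("tcp", "10.10.20.7", "192.168.50.10", 443)))
    print(evaluate(ACL_FROM_DMZ, Flow("tcp", "192.168.50.10", "10.10.20.7", 445)))
```

The order matters: the `established` permit sits above the blanket `deny ip DMZ INTERNAL`, and the internal-to-anything permit sits below the DMZ deny, so reordering either list changes the policy.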
Eric (IT Systems and Asset Manager, Author) commented:
Hi All

Thank you for all the suggestions and information

@giltjr and Spartan_1337 - I have spare NICs on the blades and spare ports on the enclosure 6220 switches, but I don't have enough spare ports on the 6224 switches - hence the question of directly attaching to an unmanaged aggregation switch before the firewall. I think suggestion 2 might be the way I need to go, as I have a DMZ connection on the firewall. I don't anticipate a large amount of traffic as it is an HA/DR site.
giltjr commented:
Since you don't have enough ports on the 6224, if the DMZ port on the firewall is not in use, you could connect it directly to a port on the 6220.  This does mean you have one path out from the Blade Center.

Although it is not recommended, you can technically add the DMZ VLAN to the trunk between the 6220 and 6224 and do #1. This way all DMZ traffic (inside and outside) is forced through the firewall. Not the most secure setup, but not bad. If you are doing this, I would make sure that VLAN 1 is NOT your native VLAN. In fact I would make sure that you do not use VLAN 1 anyplace at all.

As more vendors harden their VLAN code in L2 and L3 switches, it is becoming harder to "jump" VLANs.
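To check the advice above (no VLAN 1 as native or anywhere else, and no DMZ VLAN riding the shared internal trunk) against an actual config, here is an added audit script; it is mine, not from the thread. It parses a small constructed config written in Cisco-style `switchport` syntax rather than an exact Dell PowerConnect dump, so adapt the regexes to your switch's `show running-config` output. It flags trunks whose native VLAN is still the default 1, trunks that carry a DMZ VLAN alongside internal VLANs, trunks that allow every VLAN, and access ports left in VLAN 1. The DMZ VLAN ID (30) is an assumed value.

```python
"""Audit a switch config for the trunk and VLAN 1 issues discussed above.

Constructed example in Cisco-style syntax; not an exact Dell PowerConnect dump.
"""
import re
from dataclasses import dataclass, field

DMZ_VLANS = {30}   # VLAN IDs carrying DMZ traffic (assumed value for the example)

# Constructed sample: one shared trunk, one dedicated DMZ access port,
# one port left at factory defaults.
SAMPLE_CONFIG = """
interface ethernet 1/g1
 description uplink to 6224 (internal trunk)
 switchport mode trunk
 switchport trunk allowed vlan add 10,20,30
!
interface ethernet 1/g2
 description dedicated DMZ link to firewall
 switchport mode access
 switchport access vlan 30
!
interface ethernet 1/g3
 switchport mode access
!
"""


@dataclass
class Interface:
    name: str
    mode: str = "access"        # "access" or "trunk"
    access_vlan: int = 1        # factory default is VLAN 1
    native_vlan: int = 1        # untagged VLAN on a trunk; default is 1
    allowed: set = field(default_factory=set)  # empty set means every VLAN is allowed


def expand_vlan_list(spec: str) -> set:
    """Turn '10,20-22,30' into {10, 20, 21, 22, 30}."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_config(text: str) -> list:
    """Collect the switchport settings of every interface block."""
    interfaces, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        head = re.match(r"interface\s+(\S.*)$", line)
        if head:
            current = Interface(name=head.group(1))
            interfaces.append(current)
            continue
        if current is None:
            continue
        if line == "switchport mode trunk":
            current.mode = "trunk"
        elif line == "switchport mode access":
            current.mode = "access"
        elif (m := re.match(r"switchport access vlan (\d+)$", line)):
            current.access_vlan = int(m.group(1))
        elif (m := re.match(r"switchport trunk native vlan (\d+)$", line)):
            current.native_vlan = int(m.group(1))
        elif (m := re.match(r"switchport trunk allowed vlan (?:add )?([\d,-]+)$", line)):
            current.allowed |= expand_vlan_list(m.group(1))
    return interfaces


def audit(interfaces: list, dmz_vlans: set) -> list:
    """Return (interface name, finding) pairs for the risky settings."""
    findings = []
    for intf in interfaces:
        if intf.mode == "trunk":
            if intf.native_vlan == 1:
                findings.append((intf.name, "native VLAN is 1; move it to a dedicated, otherwise unused VLAN"))
            if not intf.allowed:
                findings.append((intf.name, "trunk allows every VLAN; prune it to the VLANs this uplink needs"))
            elif intf.allowed & dmz_vlans and intf.allowed - dmz_vlans:
                mixed = sorted(intf.allowed & dmz_vlans)
                findings.append((intf.name, f"DMZ VLAN(s) {mixed} share this trunk with internal VLANs"))
        elif intf.access_vlan == 1:
            findings.append((intf.name, "access port left in VLAN 1"))
    return findings


def run_sample() -> list:
    """Audit the constructed sample config."""
    return audit(parse_config(SAMPLE_CONFIG), DMZ_VLANS)


if __name__ == "__main__":
    for name, msg in run_sample():
        print(f"{name}: {msg}")
```

On the sample config the script reports the shared uplink twice (default native VLAN 1, and DMZ VLAN 30 mixed with VLANs 10 and 20) and the untouched port once; the dedicated DMZ access port is clean.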
Eric (IT Systems and Asset Manager, Author) commented:
Many thanks to All for your suggestions and input - I may have to use an amalgam of a few of the suggestions to achieve my end goal, but I think the suggestion from giltjr is most helpful.
Question has a verified solution.