vlan/trunking or both?

Unanswered Question
Apr 21st, 2008

Hi All,

We have two buildings A and B next to each other running 10gb fiber (ATT) between them. Building A CAT 3560 connects to building B CAT 3570 over this fiber cable. Building A has a T3 to internet for data and voice. There is a firewall with 3 interfaces, inside, outside, dmz1, and dmz2. There are CAT 3560 PoE switches and they connect to inside interface of the firewall in building A. The DMZ1 interface of the firewall is connected to a 3500xl. So, basically only building A can use this switch. We would like to retire this switch and we would like to have building B able to use the DMZ1 network as well. All traffic inside or dmz1 should go over the fiber between buildings.

So, my question is: is it possible to VLAN a few ports on the CAT 3560 PoE in building A for DMZ1 and connect it to the DMZ1 of the firewall, and then configure a few ports on the CAT 3570 PoE for DMZ1 so we can have access to it in building B? I know it has something to do with trunking on port 48 of the CAT3560 in building A and port 1 of the CAT 3750 in building B.

Thanks in advance for your time. If you have a sample config that would be great.

Thanks,

sundar.palaniappan Mon, 04/21/2008 - 16:01

Yes, you can do that. You would have to configure the firewall rules, ACL & NAT, for Building B (DMZ1) to send any traffic to inside and other zones through the firewall.

If I am understanding you correctly, you want to use the same 3560 switch to connect inside users and the Building B connection. You can do this by putting the Building B connection in a separate VLAN in which DMZ1 of the firewall would reside. I don't know what your LAN setup looks like, but you may need trunk(s) if multiple VLANs exist between switches.

A good security design recommendation is to use separate physical equipment for the different zones of a firewall. However, in your case I assume Building B is part of your trusted domain and you just want the traffic to flow through the firewall to set up some rules with access for Building B users, so it's OK to do it the way you suggested.

HTH

Sundar

speedingwolfids Mon, 04/21/2008 - 19:42

Thank you Sundar for your response. I greatly appreciate it.

I think I'm a bit wordy since I haven't done this before. Basically, buildings A and B are on the same subnet (192.168.100.x) and on the same VLAN 1. The physical link between these buildings is a 10GB fiber that we pay for monthly. This is a secured link because building A was our data center. The new building B is going to be our new data center. Our internet router and firewall are in building A because it is still our main demarc point. We just want to move servers over.

The business requirement is that visitors in building B have access to the internet on an isolated network separate from our production network.

I think the solution is that I would like to create a VLAN 2 (4 ports) on the CAT 3560 in building A. Then connect the firewall dmz1 port to this VLAN 2. Then create a VLAN 2 on the CAT 3570 (4 ports) in building B. However, I am not sure how to allow VLAN 1 and VLAN 2 traffic to ride over the 10GB link between the buildings. Is this called trunking multiple VLANs?

    BLD A                       BLD B

    CAT3560-----10GB FC---------CAT3570

    vlan1                       vlan1
    vlan2                       vlan2

vlan1 = secure network
vlan2 = visitor network, connected to firewall interface dmz1.

I hope this is more clear than my previous post.

bvsnarayana03 Mon, 04/21/2008 - 21:20

From the topology given by you, I understand that VLAN 1 and VLAN 2 are spanned across the switches in the two buildings. There has to be a trunk configured on the ports of both switches connected to the 10G fiber link.
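As an added illustration of the trunk the reply above describes (editor's example, not configuration posted by anyone in this thread): an 802.1Q trunk between the two switches carrying VLAN 1 (secure) and VLAN 2 (visitor/DMZ1), with the four DMZ1 access ports on each side. The interface names (FastEthernet0/48 for port 48 of the 3560, GigabitEthernet1/0/1 for port 1 of a 3750 in building B, and the access-port ranges), the unused native VLAN 999 and the VLAN names are assumptions for the example.

```cisco
! ---------- Building A: Catalyst 3560 PoE (interface names assumed) ----------
vlan 2
 name DMZ1-VISITOR
vlan 999
 name UNUSED-NATIVE
!
! Four access ports for DMZ1; one of them connects to the firewall dmz1 interface.
interface range FastEthernet0/41 - 44
 switchport mode access
 switchport access vlan 2
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Port 48: 10G link to Building B as an 802.1Q trunk carrying VLAN 1 and VLAN 2 only.
! The native VLAN is set to an unused VLAN so untagged frames cannot land in VLAN 1,
! and DTP is disabled so the trunk is static, not negotiated.
interface FastEthernet0/48
 description TRUNK-TO-BLDG-B
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 1,2
 switchport mode trunk
 switchport nonegotiate
!
! Do NOT create an SVI (interface Vlan2 with an IP address) for the DMZ1 VLAN:
! with ip routing enabled the switch would route between VLAN 1 and VLAN 2
! directly, bypassing the firewall entirely.

! ---------- Building B: Catalyst 3750 (assumed model; interface names assumed) ----------
vlan 2
 name DMZ1-VISITOR
vlan 999
 name UNUSED-NATIVE
!
! Port 1: the other end of the 10G trunk, configured identically.
interface GigabitEthernet1/0/1
 description TRUNK-TO-BLDG-A
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 1,2
 switchport mode trunk
 switchport nonegotiate
!
! Four visitor ports in Building B, placed in the DMZ1 VLAN.
interface range GigabitEthernet1/0/2 - 5
 switchport mode access
 switchport access vlan 2
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Verification on either switch:
!   show interfaces trunk     -> port listed as trunking, allowed VLANs 1,2, native 999
!   show vlan brief           -> VLAN 2 shows the expected access ports
!   show interfaces Vlan2     -> should report no such interface on the 3560
```

Without the trunk configuration, the fiber port is an ordinary access port in a single VLAN, so only that one VLAN crosses the link and the remote switch sees the other VLAN's frames as belonging to its own access VLAN. The segmentation between the secure and visitor networks then rests on the 802.1Q tags and the firewall being the only path between VLAN 1 and VLAN 2, which is why the SVI caveat above matters.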

speedingwolfids Mon, 04/21/2008 - 22:09

Thank you Narayana for your response. I haven't had access to the config yet, but I would like to anticipate it since this is something I would like to research in advance. Can you just put an SC fiber cable between the 2 switches without trunking and they will "talk" to each other, meaning all of VLAN 1 and 2? Assuming trunking is configured, what additional steps should I be looking into?

Thanks
