Server and Users all in one segment

Unanswered Question
Jan 22nd, 2009

We have a customer with a pretty big network, lots of internet users and pretty huge servers getting requests from all over the world.

I have attached a demo of the network.

They have a Cisco 6500 chassis acting as gateway for about 40 VLANs. Each VLAN corresponds to one department.

Each department maintains its own server hardware and software, and each department is, say, a mile away from the other. It's not feasible to get all the servers to one place and put them in a DMZ.

The 6500 has a default route to the ASA where all the NAT and firewalling is done.

I want to isolate the servers and users, as a hacked server can cause problems for users and malicious users inside the campus can attack the servers.

Could anyone suggest how I can proceed?

Thanks in advance.

pstebner10 Thu, 01/22/2009 - 08:20

Victor-

You could easily put all of the servers in a separate VLAN and have that correspond to a DMZ. On each L2 switch, create another VLAN, say VLAN 5, for the servers. For the switchports that correspond to the servers set them to:

switchport mode access
switchport access vlan 5

Then trunk the uplinks to the 6500:

switchport trunk encap dot1q
switchport trunk allowed vlan x,5 (where x is the existing user VLAN and 5 is the server VLAN)
switchport mode trunk

The corresponding ports on the 6500 will also need to be trunked the same way. Finally, on the link from your 6500 to the ASA, trunk all of these vlans, so allow, for example, vlan 1,2,3,4,5 to go on that trunk.

switchport trunk encap dot1q
switchport trunk allowed vlan 1-5
switchport mode trunk

At the ASA create subinterfaces for each vlan, and make the subinterface for vlan 5 a DMZ. For example:

interface Ethernet2
 speed 100
 duplex full
 no nameif
 no security-level
 no ip address
!
interface Ethernet2.1
 vlan 1
 nameif USERS
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2.2
 vlan 2
 nameif USERS2
 security-level 100
 ip address 192.168.2.1 255.255.255.0
...
interface Ethernet2.5
 vlan 5
 nameif SERVER_DMZ
 security-level 50
 ip address 10.0.0.1 255.255.255.0

HTH,

Paul

victor_87 Thu, 01/22/2009 - 09:01

I do have this in mind, but...

In this case the gateway for the users or servers would be the sub-interface on the ASA, and if I am correct inter-VLAN routing would be done by the ASA in this case.

How efficient is the ASA in doing inter-VLAN routing? The maximum throughput of the ASA 5510 we use is 300 Mbps, which is far less than the throughput in gigabits that a 6500 can provide.

Any corrections?

pstebner10 Thu, 01/22/2009 - 09:14

Victor-

You are indeed correct. Alternately, you could do all of the inter-vlan routing on the 6500 and set up acls for access to the server vlan.

Regards,

Paul
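The following is an added configuration example, not Paul's or the thread's own config, showing the alternative Paul just described: the 6500 routes between the VLANs on SVIs and ACLs on those SVIs enforce the user/server policy, while the ASA sits behind a single routed uplink and keeps doing NAT and internet firewalling. All VLAN numbers, subnets, module/port numbers, the published server address (10.0.0.10) and the ASA inside address (192.168.254.1) are assumed for illustration.

```cisco
! Added example (not from the thread): Catalyst 6500 as the inter-VLAN router,
! with ACLs on the SVIs enforcing user<->server policy. All addresses, VLAN
! numbers, interface numbers and the ASA inside address are assumed.
!
! Assumed layout:
!   VLAN 1  users, dept A     192.168.1.0/24  (gateway 192.168.1.1 on the 6500)
!   VLAN 2  users, dept B     192.168.2.0/24  (gateway 192.168.2.1 on the 6500)
!   VLAN 5  servers           10.0.0.0/24     (gateway 10.0.0.1 on the 6500)
!   published web server      10.0.0.10, HTTPS only
!   ASA inside interface      192.168.254.1, reached over routed port Gi1/1
!
vlan 5
 name SERVERS
!
! Routed uplink to the ASA; the default route sends internet traffic there.
interface GigabitEthernet1/1
 description Uplink to ASA inside
 no switchport
 ip address 192.168.254.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.254.1
!
! Trunk to a departmental access switch carrying its user VLAN and VLAN 5.
interface GigabitEthernet2/1
 description Trunk to dept A access switch
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,5
 switchport mode trunk
!
! Applied "in" on the user SVIs: traffic entering the 6500 FROM a user VLAN.
! Users reach only the published service on the server VLAN; any other
! attempt to touch 10.0.0.0/24 is dropped and logged. Everything else
! (other user VLANs, internet via the ASA) is permitted here.
ip access-list extended USERS-TO-SERVERS
 remark Allow HTTPS to the published web server only
 permit tcp 192.168.0.0 0.0.255.255 host 10.0.0.10 eq 443
 remark Drop and log everything else aimed at the server VLAN
 deny   ip any 10.0.0.0 0.0.0.255 log
 permit ip any any
!
! Applied "in" on the server SVI: traffic entering the 6500 FROM the servers.
! Return traffic for user-initiated HTTPS sessions passes; a server that
! opens new connections toward any user subnet is dropped and logged,
! which covers the "hacked server" case in the question.
ip access-list extended SERVERS-TO-USERS
 remark Return traffic for user-initiated HTTPS sessions
 permit tcp host 10.0.0.10 eq 443 192.168.0.0 0.0.255.255 established
 remark Block server-initiated traffic into the user VLANs
 deny   ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.255.255 log
 permit ip any any
!
interface Vlan1
 description Users dept A
 ip address 192.168.1.1 255.255.255.0
 ip access-group USERS-TO-SERVERS in
!
interface Vlan2
 description Users dept B
 ip address 192.168.2.1 255.255.255.0
 ip access-group USERS-TO-SERVERS in
!
interface Vlan5
 description Servers
 ip address 10.0.0.1 255.255.255.0
 ip access-group SERVERS-TO-USERS in
```

Two caveats worth knowing before relying on this. First, router ACLs on the 6500 are stateless: `established` only checks that the ACK or RST flag is set, it keeps no session table, so this is a coarser control than the ASA's stateful inspection; if the server VLAN needs to originate traffic to specific user-side hosts (backup, monitoring, AD), add explicit permits above the deny rather than loosening it. Second, the `log` keyword on a hardware-forwarded ACE causes matching packets to be handled in software on the 6500, so keep it on the deny entries only and watch the CPU if the log rate climbs. To test, from a user host confirm HTTPS to 10.0.0.10 works while SSH or ping to the same host is dropped and shows up in the log.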

victor_87 Thu, 01/22/2009 - 21:02

Yep, that's there. Thanks anyway. I'll try to think for some more time and see if there is anything other than this that can be done.

Please do mention if something else comes to your mind.
