Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
369
Views
3
Helpful
4
Replies

Server and Users all in one segment

victor_87
Level 1
Level 1

‎01-22-2009 07:37 AM - edited ‎03-06-2019 03:35 AM

We have a customer with a pretty big network, lots of internet users and pretty huge servers getting requests from all over the world.

I have attached a demo of the network.

they have a cisco 6500 chasis acting as gateway for about 40 Vlans. each Vlan corresponds to one department.

Each department maintains its own Server hardware and software and each department is say a mile away from the other. It;s its not feasible to get all the servers to one place and put them in a DMZ.

the 6500 has a default route to the ASA where all the NAt and firewalling is done.

I want to isolate the servers and users, as a hacked server can cause problem to users and malicious users inside the campus can attack the servers.

Could any one suggest how i can proceed.

thanks in advance.

Labels:
Preview file
34 KB
0 Helpful
4 Replies 4

pstebner10
Level 1
Level 1

‎01-22-2009 08:20 AM

Victor-

You could easily put all of the servers in a seperate VLAN and have that correspond to a DMZ. On each L2 switch, create another VLAN, say VLAN5, for the servers. for the switchports that correspond to the servers set them to:

switchport mode access

switchport access vlan 5

Then trunk the uplinks to the 6500 -

switchport trunk encap dot1q

switchport trunk allowed vlan x,5 (where x is the existing user vlan and 5 is the server vlan)

switchport mode trunk

The corresponding ports on the 6500 will also need to be trunked the same way. Finally, on the link from your 6500 to the ASA, trunk all of these vlans, so allow, for example, vlan 1,2,3,4,5 to go on that trunk.

switchport trunk encap dot1q

switchport trunk allowed vlan 1-5

switchport mode trunk

At the ASA create subinterfaces for each vlan, and make the subinterface for vlan 5 a DMZ. For example:

interface Ethernet2

speed 100

duplex full

no nameif

no security-level

no ip address

!

interface Ethernet2.1

vlan 1

nameif USERS

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Ethernet2.2

vlan 2

nameif USERS2

security-level 100

ip address 192.168.2.1 255.255.255.0

.

.

.

interface Ethernet2.5

vlan 5

nameif SERVER_DMZ

security-level 50

ip-address 10.0.0.1 255.255.255.0

HTH,

Paul

0 Helpful

victor_87
Level 1
Level 1
In response to pstebner10

‎01-22-2009 09:01 AM

I do have this in mind but.

In this case the gateway for the users or servers would be the sub-interface on the ASA, And if i am correct inter-vlan routing would be done by the ASA in this case.

How efficient is the ASA in doing Intervlan routing? Maximum throughput of the ASA 5510 we use being 300 mbps which is far less then the throughput in gigabits that a 6500 can provide.

any corrections???

0 Helpful

pstebner10
Level 1
Level 1
In response to victor_87

‎01-22-2009 09:14 AM

Victor-

You are indeed correct. Alternately, you could do all of the inter-vlan routing on the 6500 and set up acls for access to the server vlan.

Regards,

Paul

victor_87
Level 1
Level 1
In response to pstebner10

‎01-22-2009 09:02 PM

yep, thats there. thanks anyway. i'll try to think for some more time and see if there is anything other than this that can be done.

plz do mention if something else comes to your mind.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card