01-22-2009 07:37 AM - edited 03-06-2019 03:35 AM
We have a customer with a pretty big network, lots of internet users and pretty huge servers getting requests from all over the world.
I have attached a demo of the network.
They have a Cisco 6500 chassis acting as gateway for about 40 VLANs. Each VLAN corresponds to one department.
Each department maintains its own server hardware and software, and each department is, say, a mile away from the other. It's not feasible to get all the servers to one place and put them in a DMZ.
The 6500 has a default route to the ASA, where all the NAT and firewalling is done.
I want to isolate the servers and users, as a hacked server can cause problems for users, and malicious users inside the campus can attack the servers.
Could anyone suggest how I can proceed?
Thanks in advance.
01-22-2009 08:20 AM
Victor-
You could easily put all of the servers in a separate VLAN and have that correspond to a DMZ. On each L2 switch, create another VLAN, say VLAN 5, for the servers. For the switchports that correspond to the servers, set them to:
switchport mode access
switchport access vlan 5
Then trunk the uplinks to the 6500 -
switchport trunk encap dot1q
switchport trunk allowed vlan x,5 (where x is the existing user vlan and 5 is the server vlan)
switchport mode trunk
The corresponding ports on the 6500 will also need to be trunked the same way. Finally, on the link from your 6500 to the ASA, trunk all of these vlans, so allow, for example, vlan 1,2,3,4,5 to go on that trunk.
switchport trunk encap dot1q
switchport trunk allowed vlan 1-5
switchport mode trunk
At the ASA create subinterfaces for each vlan, and make the subinterface for vlan 5 a DMZ. For example:
interface Ethernet2
speed 100
duplex full
no nameif
no security-level
no ip address
!
interface Ethernet2.1
vlan 1
nameif USERS
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2.2
vlan 2
nameif USERS2
security-level 100
ip address 192.168.2.1 255.255.255.0
.
.
.
interface Ethernet2.5
vlan 5
nameif SERVER_DMZ
security-level 50
ip address 10.0.0.1 255.255.255.0
HTH,
Paul
01-22-2009 09:01 AM
I do have this in mind, but:
In this case the gateway for the users or servers would be the sub-interface on the ASA, and if I am correct, inter-VLAN routing would be done by the ASA in this case.
How efficient is the ASA in doing inter-VLAN routing? The maximum throughput of the ASA 5510 we use is 300 Mbps, which is far less than the throughput in gigabits that a 6500 can provide.
Any corrections?
01-22-2009 09:14 AM
Victor-
You are indeed correct. Alternately, you could do all of the inter-VLAN routing on the 6500 and set up ACLs for access to the server VLAN.
Regards,
Paul
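As an added illustration of Paul's second suggestion (this is example configuration written for this thread, not Paul's or Cisco's own, and the addressing, VLAN numbers and service ports are assumed): the server VLAN 5 gets an SVI on the 6500 so inter-VLAN traffic stays in hardware, and two extended ACLs on that SVI cover both directions the original question worries about. TO-SERVERS limits what the user VLANs may open toward the servers, and FROM-SERVERS stops a compromised server from starting new sessions toward users while still letting it answer them and reach the Internet through the ASA default route.

```cisco
! Added example, not from the thread. Assumed addressing:
!   user VLANs 10-49 carved out of 10.10.0.0/16, server VLAN 5 = 10.0.0.0/24
!   10.10.1.10 = assumed admin jump host, 10.10.1.53 = assumed internal DNS resolver
ip routing
!
vlan 5
 name SERVER_DMZ
!
! What user VLANs are allowed to initiate toward the servers.
ip access-list extended TO-SERVERS
 remark Only the published services are reachable from user VLANs
 permit tcp 10.10.0.0 0.0.255.255 10.0.0.0 0.0.0.255 eq 80
 permit tcp 10.10.0.0 0.0.255.255 10.0.0.0 0.0.0.255 eq 443
 remark Management only from the (assumed) admin jump host
 permit tcp host 10.10.1.10 10.0.0.0 0.0.0.255 eq 22
 remark Everything else from the campus is dropped and logged
 deny   ip 10.10.0.0 0.0.255.255 10.0.0.0 0.0.0.255 log
 remark Internet-sourced requests were already filtered by the ASA; let them through
 permit ip any any
!
! What servers are allowed to initiate; replies to user sessions are still allowed.
ip access-list extended FROM-SERVERS
 remark Servers may answer existing TCP sessions from users (ACK/RST set)
 permit tcp 10.0.0.0 0.0.0.255 10.10.0.0 0.0.255.255 established
 remark Servers may query the (assumed) internal resolver
 permit udp 10.0.0.0 0.0.0.255 host 10.10.1.53 eq 53
 permit icmp 10.0.0.0 0.0.0.255 10.10.0.0 0.0.255.255 echo-reply
 remark A hacked server cannot start anything else toward the user VLANs
 deny   ip 10.0.0.0 0.0.0.255 10.10.0.0 0.0.255.255 log
 remark Internet-bound traffic continues to the ASA via the default route
 permit ip 10.0.0.0 0.0.0.255 any
!
interface Vlan5
 description Server segment, routed on the 6500
 ip address 10.0.0.1 255.255.255.0
 ip access-group FROM-SERVERS in
 ip access-group TO-SERVERS out
```

Two caveats a practitioner would check before deploying this: IOS extended ACLs are stateless, so `established` only matches TCP segments with ACK or RST set and gives no protection for UDP; and on a 6500, ACL entries with `log` are punted to the supervisor CPU, so keep logging to the deny lines and verify the hit counters with `show ip access-lists` rather than relying on syslog volume. The ASA keeps doing NAT and Internet-edge filtering unchanged, since only the default route leaves the 6500.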
01-22-2009 09:02 PM
Yep, that's there. Thanks anyway. I'll try to think for some more time and see if there is anything other than this that can be done.
Please do mention if something else comes to your mind.