Dell Blade Center and VLAN connections

priedman1
Level 1

Hello Everyone,

Currently in our data center, we have a Cisco 6513 as the core, a single Dell m1000e blade center containing a pair of Cisco 3130G switches, and a pair of Cat 3550 switches for the DMZ (plus a load of other stuff not needing to be mentioned here). The 6513 and the DMZ 3550 switches are separated by a PIX firewall. The blade center 3130G switches are trunked back to the 6513 via a 4Gb etherchannel using the copper ports. The 6513 is the VTP server and the 3130G switches are VTP clients in the same domain. The Cat 3550 switches in the DMZ are VTP servers for the DMZ domain (see "Blade Center Switch-Current.jpg" for topology).

The server guys are looking to add a second Dell m1000e blade center chassis to the data center and are asking if they can have some ports/blades (not an entire switch within the Dell m1000e chassis) in the DMZ and the rest of the ports/blades in the internal VLANs.

I figured this may be a good time to redo a few things and have some questions.

1- I was thinking of connecting the new Dell m1000e blade center chassis to the current Dell m1000e blade center via stackwise cables for better throughput and less of a possibility for spanning-tree considerations. Does this sound like the best approach?

2- As far as having some ports/blades available for the DMZ as well as the internal network, is it possible to make a trunk from the DMZ to one or two of the 3130G switches and not compromise security?

3- Since the DMZ servers are the VTP servers for the DMZ domain and the 6513 is the VTP server for the internal network, what is a good way to deal with that? Do I need to make the 3550 and/or the 3130G switches VTP transparent?

Thanks for the advice in advance.

Pete

4 Replies

Jon Marshall
Hall of Fame

Pete

1) Not familiar with the Dell blades so not sure I can help much with their connectivity to the core. What strikes me from your proposed diagram is that if the 4Gb etherchannel from the right-hand blade centre fails then you have lost all servers to the core. Perhaps a second etherchannel from the left-hand blade centre to the core? You could load-balance the vlans by using 1 of the 4Gb etherchannels for odd vlans and 1 for evens by manipulating the STP root/secondary. But like I say, not really familiar with Dells.

2) Yes it is possible. As for security, well physical separation is always best but I have seen a number of designs that use chassis based designs where internal and DMZ vlans are on the same switch(es). Attached is a link to a white paper on vlan security. Worth a read for your proposed solution, come back if you have more questions -

https://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml

3) It really depends on the amount of switches in total you have in your data centre. Personally, if possible, I would go with VTP transparent, definitely on your DMZ switches if not your core switches.

Jon

Hi Jon,

Thanks for the insight.

I was thinking about another etherchannel back to the core in case the 1st one fails. I figured it may cause some spanning-tree concerns but I now see that it's better to address STP as compared to having the single point of failure.

As far as the VTP transparent config... I should be doing that on the DMZ switches in addition to the blade center switches? I was thinking I need to keep the blade center switches as VTP clients but not positive.

It doesn't help too that we've got VLAN 1 as a main vlan for production servers/network devices in both the 6513 AND the DMZ! A nagging issue rearing its head here I feel. I'm thinking I need to address that as well so there is no confusion as to what gets trunked where. I'm thinking I need to change the DMZ to something like VLAN 100 and then just trunk that vlan down to the blade center switches but not positive.

Thanks again for the feedback. Greatly appreciated.

Regards

Pete

Pete

"As far as the VTP transparent config... I should be doing that on the DMZ switches in addition to the blade center switches?"

Personally I would do it on the DMZ switches and the blade switches that share vlans with the DMZ. As I say, if all the switches in your DC are included in your diagram then VTP transparent for all of them would be my choice.

"It doesn't help too that we've got VLAN 1 as a main vlan for production servers/network devices in both the 6513 AND the DMZ!"

You really need to get this changed both from the DMZ perspective and the DC perspective but first concentrate on DMZ switches. You don't want vlan 1 being used for anything on the DMZ switches, not management, not the native vlan.

If you have a look at that link I sent you'll see there are special considerations needed for vlan 1.

"I'm thinking I need to change the DMZ to something like VLAN 100 and then just trunk that vlan down to the blade center switches but not positive"

As mentioned get rid of vlan 1. However if the DMZ only contains 1 vlan and you are happy to manage the switch with an IP from that vlan then you don't need a trunk back to the blade switches and if you don't need a trunk VTP is not an issue. You can simply make the connection an access port connection in the DMZ vlan.

If you do need multiple vlans from the DMZ then yes you will need a trunk but again avoid vlan 1 for either data or management.

Jon
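As an added illustration (not code from the thread, Cisco, or Dell), a small Python audit that checks a switch's running-config text for the points Jon raises above: VTP mode left at client/server rather than transparent, and VLAN 1 used for management, as the native VLAN, or carried on a trunk. The sample configs and addresses are constructed, and where a command is absent the check assumes IOS defaults (VTP server, native VLAN 1, all VLANs allowed on a trunk).

```python
# Constructed sample configs (hypothetical values, not from the thread): WEAK has what the thread warns against, HARDENED applies its advice.
WEAK_CONFIG = """\
vtp mode client
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,100
"""
HARDENED_CONFIG = """\
vtp mode transparent
interface Vlan100
 ip address 192.0.2.10 255.255.255.0
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 100
"""
def expand_vlans(spec):  # expand an IOS VLAN list such as '1-5,100' into ints
    return {v for p in spec.split(",")
            for v in range(int(p.split("-")[0]), int(p.split("-")[-1]) + 1)}

def audit(config):
    """Return findings on VTP mode and VLAN 1 use; IOS defaults are assumed."""
    findings, vtp_mode, ifaces, cur = [], "server", {}, None
    for line in config.splitlines():
        cmd = line.split()
        if cmd[:2] == ["vtp", "mode"]:
            vtp_mode = cmd[-1]
        elif cmd[:1] == ["interface"]:
            ifaces[(cur := cmd[1])] = {"trunk": False, "native": "1", "allowed": "all", "ip": False}
        elif line.startswith(" ") and cur:
            i = ifaces[cur]
            if cmd[:3] == ["switchport", "mode", "trunk"]: i["trunk"] = True
            elif cmd[:4] == ["switchport", "trunk", "native", "vlan"]: i["native"] = cmd[-1]
            elif cmd[:4] == ["switchport", "trunk", "allowed", "vlan"]: i["allowed"] = cmd[-1]
            elif cmd[:2] == ["ip", "address"]: i["ip"] = True
        else:
            cur = None  # any other global line ends the interface block
    if vtp_mode != "transparent":
        findings.append(f"vtp mode is {vtp_mode}, not transparent")
    for name, i in ifaces.items():
        if name.lower() == "vlan1" and i["ip"]:
            findings.append("management IP configured on VLAN 1")
        if i["trunk"] and i["native"] == "1":
            findings.append(f"{name}: native VLAN is 1")
        if i["trunk"] and (i["allowed"] == "all" or 1 in expand_vlans(i["allowed"])):
            findings.append(f"{name}: VLAN 1 carried on trunk")
    return findings
```

Running `audit(WEAK_CONFIG)` reports four findings and `audit(HARDENED_CONFIG)` reports none; pasting the output of `show running-config` from a DMZ switch in place of the constructed text gives the same check against a real box.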

Thanks Jon

I had a feeling things were going to be more complicated than just hooking up this new blade center chassis.

Much appreciated.

Pete
