Currently in our data center, we have a Cisco 6513 as the core, a single Dell m1000e blade center containing a pair of Cisco 3130G switches, and a pair of Cat 3550 switches for the DMZ (plus a load of other stuff not needing to be mentioned here). The 6513 and the DMZ 3550 switches are separated by a PIX firewall. The blade center 3130G switches are trunked back to the 6513 via a 4Gb etherchannel using the copper ports. The 6513 is the VTP server and the 3130G switches are VTP clients in the same domain. The Cat 3550 switches in the DMZ are VTP servers for the DMZ domain (see "Blade Center Switch-Current.jpg" for topology).
The server guys are looking to add a second Dell m1000e blade center chassis to the data center and are asking if they can have some ports/blades (not an entire switch within the Dell m1000e chassis) in the DMZ and the rest of the ports/blades in the internal VLANs.
I figured this may be a good time to redo a few things and have some questions.
1- I was thinking of connecting the new Dell m1000e blade center chassis to the current Dell m1000e blade center via stackwise cables for better throughput and less of a possibility for spanning-tree considerations. Does this sound like the best approach?
2- As far as having some ports/blades available for the DMZ as well as the internal network, is it possible to make a trunk from the DMZ to one or two of the 3130G switches and not compromise security?
3- Since the DMZ servers are the VTP servers for the DMZ domain and the 6513 is the VTP server for the internal network, what is a good way to deal with that? Do I need to make the 3550 and/or the 3130G switches VTP transparent?
1) Not familiar with the Dell blades, so not sure I can help much with their connectivity to the core. What strikes me from your proposed diagram is that if the 4Gb etherchannel from the right-hand blade centre fails, then you have lost all servers to the core. Perhaps a second etherchannel from the left-hand blade centre to the core? You could load-balance the vlans by using 1 of the 4Gb etherchannels for odd vlans and 1 for evens by manipulating the STP root/secondary. But like I say, I'm not really familiar with Dells.
2) Yes, it is possible. As for security, well, physical separation is always best, but I have seen a number of designs that use chassis-based designs where internal and DMZ vlans are on the same switch(es). Attached is a link to a white paper on vlan security. Worth a read for your proposed solution; come back if you have more questions -
I was thinking about another etherchannel back to the core in case the 1st one fails. I figured it may cause some spanning-tree concerns, but I now see that it's better to address STP as compared to having the single point of failure.
As far as the VTP transparent config... I should be doing that on the DMZ switches in addition to the blade center switches? I was thinking I need to keep the blade center switches as VTP clients but not positive.
It doesn't help too that we've got VLAN 1 as a main vlan for production servers/network devices in both the 6513 AND the DMZ! A nagging issue rearing its head here, I feel. I'm thinking I need to address that as well so there is no confusion as to what gets trunked where. I'm thinking I need to change the DMZ to something like VLAN 100 and then just trunk that vlan down to the blade center switches, but not positive.
Thanks again for the feedback. Greatly appreciated.
"As far as the VTP transparent config... I should be doing that on the DMZ switches in addition to the blade center switches?"
Personally I would do it on the DMZ switches and the blade switches that share vlans with the DMZ. As I say, if all the switches in your DC are included in your diagram, then VTP transparent for all of them would be my choice.
"It doesn't help too that we've got VLAN 1 as a main vlan for production servers/network devices in both the 6513 AND the DMZ!"
You really need to get this changed, both from the DMZ perspective and the DC perspective, but first concentrate on the DMZ switches. You don't want vlan 1 being used for anything on the DMZ switches: not management, not the native vlan.
If you have a look at that link I sent, you'll see there are special considerations needed for vlan 1.
"I'm thinking I need to change the DMZ to something like VLAN 100 and then just trunk that vlan down to the blade center switches but not positive"
As mentioned, get rid of vlan 1. However, if the DMZ only contains 1 vlan and you are happy to manage the switch with an IP from that vlan, then you don't need a trunk back to the blade switches, and if you don't need a trunk, VTP is not an issue. You can simply make the connection an access port connection in the DMZ vlan.
If you do need multiple vlans from the DMZ then yes, you will need a trunk, but again avoid vlan 1 for either data or management.
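The two options described above (access port for a single DMZ vlan, pruned trunk for several), with VTP transparent on both ends and vlan 1 carrying nothing, as an added IOS configuration example that is not from this thread; the VLAN numbers, management address and interface names are assumptions.

```cisco
! Constructed example, not the poster's config. DMZ-side Catalyst 3550.
! Assumed values: VLAN 100 = DMZ servers, VLAN 101 = DMZ switch management,
! VLAN 999 = unused native VLAN, Gi0/1 and Gi0/2 face the blade-centre 3130G.
vtp domain DMZ
vtp mode transparent
vlan 100
 name DMZ-SERVERS
vlan 101
 name DMZ-MGMT
vlan 999
 name NATIVE-UNUSED
!
! Management leaves VLAN 1: the VLAN 1 SVI keeps no address and stays down.
interface Vlan1
 no ip address
 shutdown
interface Vlan101
 ip address 192.0.2.10 255.255.255.0
 no shutdown
!
! Option A: a single DMZ VLAN for the blades, so an access port is enough
! and no trunk (hence no VTP exchange) exists on this link.
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 100
 switchport nonegotiate
!
! Option B: several DMZ VLANs, so an 802.1Q trunk carrying only those VLANs,
! with an unused native VLAN so no untagged frame ever lands in VLAN 1.
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 100,101
!
! Blade-centre 3130G end of Option B: transparent mode stops the DMZ and
! internal VTP databases from overwriting each other across this trunk.
vtp mode transparent
vlan 100
 name DMZ-SERVERS
vlan 101
 name DMZ-MGMT
vlan 999
 name NATIVE-UNUSED
interface GigabitEthernet1/0/17
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 100,101
```

`show interfaces trunk` and `show vtp status` on both ends confirm the allowed list, native vlan and VTP mode actually in effect.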