04-21-2008 02:57 PM - edited 03-05-2019 10:31 PM
Hi All,
We have two buildings, A and B, next to each other running 10 Gb fiber (ATT) between them. The building A CAT 3560 connects to the building B CAT 3570 over this fiber cable. Building A has a T3 to the internet for data and voice. There is a firewall with 3 interfaces: inside, outside, dmz1, and dmz2. There are CAT 3560 PoE switches and they connect to the inside interface of the firewall in building A. The DMZ1 interface of the firewall is connected to a 3500xl, so basically only building A can use this switch. We would like to retire this switch, and we would like building B to be able to use the DMZ1 network as well. All traffic, inside or dmz1, should go over the fiber between the buildings.
So, my question is: is it possible to VLAN a few ports on the CAT 3560 PoE in building A for DMZ1 and connect it to the DMZ1 of the firewall, and then configure a few ports on the CAT 3570 PoE for DMZ1 so we can have access to it in building B? I know it has something to do with trunking on port 48 of the CAT3560 in building A and port 1 of the CAT 3750 in building B.
Thanks in advance for your time. If you have a sample config, that would be great.
Thanks,
04-21-2008 04:01 PM
Yes, you can do that. You would have to configure the firewall rules, ACL & NAT, for Building B (DMZ1) to send any traffic to inside and other zones through the firewall.
If I am understanding you correctly, you want to use the same 3560 switch to connect inside users and the Building B connection. You can do this by putting the Building B connection in a separate VLAN in which DMZ1 of the firewall would reside. I don't know what your LAN setup looks like, but you may need trunk(s) if multiple VLANs exist between switches.
A good security design recommendation is to use separate physical equipment for the different zones of a firewall. However, in your case I assume Building B is part of your trusted domain and you just want the traffic to flow through the firewall to set up some rules with access for Building B users, so it's OK to do it the way you suggested.
HTH
Sundar
04-21-2008 07:42 PM
Thank you Sundar for your response. I greatly appreciate it.
I think I'm a bit wordy since I haven't done this before. Basically, buildings A and B are on the same subnet (192.168.100.x) and on the same VLAN 1. The physical link between these buildings is 10 GB fiber that we pay for monthly. This is a secured link because building A was our data center. The new building B is going to be our new data center. Our internet router and firewall are in building A because it is still our main demarc point. We just want to move servers over.
The business requirement is that visitors in building B have access to the internet on an isolated network separate from our production network.
I think the solution is that I would like to create a VLAN 2 (4 ports) on the CAT 3560 in building A, then connect the firewall dmz1 port to this VLAN 2, then create a VLAN 2 on the CAT 3570 (4 ports) in building B. However, I am not sure how to allow VLAN 1 and VLAN 2 traffic to ride over the 10 GB link between the buildings. Is this called trunking multiple VLANs?
BLD A                 BLD B
CAT3560-----10GB FC---CAT3570
vlan1                 vlan1
vlan2                 vlan2

vlan1 = secure network
vlan2 = visitor network, connected to firewall interface dmz1.
I hope this is more clear than my previous post.
04-21-2008 09:20 PM
From the topology given by you, I understand that VLAN 1 and VLAN 2 are spanned across the switches in the 2 buildings. There has to be a trunk configured on the ports of both switches connected to the 10G fiber link.
04-21-2008 10:09 PM
Thank you Narayana for your response. I haven't had access to the config yet, but I would like to anticipate it since this is something I would like to research in advance. Can you just put an SC fiber cable between 2 switches without trunking and they will "talk" to each other, meaning all of VLAN 1 and 2? Assuming trunking is configured, what additional steps should I be looking into?
Thanks
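The setup Sundar and Narayana describe above (a second VLAN for DMZ1 on both switches, an 802.1Q trunk on the fiber ports), written out as a worked IOS configuration. This is an added example for this page, not a config posted by anyone in the thread. Hostnames, the exact interface numbers, the number of visitor ports and the firewall port are all assumptions and have to be matched to the real chassis; the thread only says "port 48" on the 3560 and "port 1" on the 3750, so those are the trunk ports used here. On the last question in the thread: with both fiber ports left at their 3560/3750 default of "switchport mode dynamic auto", no trunk forms over a plain fiber patch, the link acts as an access port in VLAN 1, and VLAN 2 frames never cross it, which is why the trunk is set explicitly and DTP negotiation is turned off.

```cisco
! ===== Building A: Catalyst 3560 (firewall inside and dmz1 hang off this switch) =====
! Added example; hostnames and interface numbers are assumptions.
hostname SW-BLDA-3560
!
vlan 2
 name VISITOR-DMZ1
!
! Keep the switch a pure layer-2 device between VLAN 1 and VLAN 2.
! Do NOT create "interface Vlan2" with an IP address on either switch, and leave
! "ip routing" off: an SVI in both VLANs plus ip routing would let the switch
! route visitor traffic straight into 192.168.100.x, bypassing the firewall.
no ip routing
!
! Port that plugs into the firewall's dmz1 interface (assumed Gi0/1)
interface GigabitEthernet0/1
 description Firewall DMZ1
 switchport mode access
 switchport access vlan 2
 spanning-tree portfast
!
! Remaining visitor ports in building A (assumed Gi0/2-4)
interface range GigabitEthernet0/2 - 4
 description Visitor access (DMZ1)
 switchport mode access
 switchport access vlan 2
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Fiber uplink to building B: one link carries VLAN 1 (secure) and VLAN 2 (visitor)
interface GigabitEthernet0/48
 description Fiber to BLDB
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1,2
 switchport nonegotiate
!
! ===== Building B: Catalyst 3750 =====
hostname SW-BLDB-3750
!
vlan 2
 name VISITOR-DMZ1
!
no ip routing
!
! Visitor ports in building B (assumed Gi1/0/2-5)
interface range GigabitEthernet1/0/2 - 5
 description Visitor access (DMZ1)
 switchport mode access
 switchport access vlan 2
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Fiber uplink to building A (assumed Gi1/0/1)
interface GigabitEthernet1/0/1
 description Fiber to BLDA
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1,2
 switchport nonegotiate
!
! Verification on either switch:
!   show interfaces trunk        -> fiber port listed as trunking, allowed vlans 1,2
!   show vlan brief              -> visitor ports listed under VLAN 2
!   show ip route                -> no inter-VLAN routes on the switch itself
```

The "switchport trunk allowed vlan 1,2" line is the security-relevant part beyond just making the link work: it keeps any VLAN created later from silently spanning the buildings. BPDU guard on the visitor ports shuts a port down if someone plugs in a switch. All traffic between VLAN 2 and the inside network still has to pass through the firewall's dmz1 and inside interfaces, which is where the ACL and NAT rules Sundar mentions belong.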