Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
376
Views
16
Helpful
6
Replies

vlan design help

dan_track
Level 1
Level 1

‎06-06-2006 04:47 AM - edited ‎03-03-2019 03:31 AM

Hi

I have a new switch and am in the process of configuring it. The switch will be used for servers in the DMZ. My issue is should I configure all the vlans in my current environment to be included in this switch, or just those related to those in the dmz.

If it is the later, how would trunking work? how would I be able to forward traffic from other vlans on the trunk if the switch only know about the DMZ vlans?

Thanks for your help

Dan

Labels:
0 Helpful
6 Replies 6

gpulos
Level 8
Level 8

‎06-06-2006 04:52 AM

there should be no need to configure the new DMZ switch with any other VLANs than a single DMZ vlan.

you can setup routing either on that switch if it is L3 or on a router inside the network to the DMZ.

also, if this is a true DMZ, it would be behind a firewall interface. is this the case?

dan_track
Level 1
Level 1
In response to gpulos

‎06-06-2006 05:25 AM

Hi

Thanks everyone for your replies. I'm kind of new to the networking field, so creating a secure policy isn't my expertise, but I'm trying though.

Currently all the switches, even the old switch with the DMZ servers in it, are connected to each other via fibre links, which create a redundant loop.

From what I can understand from what you have said is that I should not put this new switch in the loop, but have it sit by itself. So if it wanted to access the firewall (pix 515e), which is sitting on another switch I would have to have an ethernet connection between my new switch and the firewall switch, as there aren't any free fibre ports on teh firewall switch. Am I right or is there a better way of designing it?

Thanks in advance

Dan

0 Helpful

eric_chan
Level 1
Level 1
In response to dan_track

‎06-06-2006 06:40 AM

You probably don't want to define any more vlan than you need.. then the switch won't to spend the resource to keep track of the spanning tree topology of the extra VLANs.

You might want to keep the VLAN number unique from the rest of the network in case you need to extend the DMZ VLAN to somewhere else in the network .. ..

devang_etcom
Level 7
Level 7
In response to dan_track

‎06-06-2006 07:48 AM

hi dan,

so now you are not having port to connect the switch with fiber ...and you have to go for the ethernet connection right...now what you want exactly...

regards

Devang

0 Helpful

daniel.bowen
Level 1
Level 1

‎06-06-2006 04:54 AM

Hi Dan,

If it is a DMZ switch then you should keep it seperate from the rest of your network. It doesnt really matter what VLANs it can see, but you do not want multiple VLANs configured as access ports on the switch. You also do not want to manage the switch, so do not give it an IP address. Having an IP address on an external switch makes it vulnerable from attack.

HTH,

Dan

devang_etcom
Level 7
Level 7

‎06-06-2006 04:59 AM

hi DAN,

if you are going to add this new switch for DMZ servers and not going to use for the other purpose then you should only configure the switch related to the VLANs of the DMZ...and after all it all depends on your requirement...and you are talking about trunking then with which switch you are going to connect it means connectivity of network and your VLAN requirement is also taking big part in designing

regards

Devang

Customers Also Viewed These Support Documents