Help required for setting up vlan

syed
Level 1

Hi Friends, I need some help regarding VLANs. Here is my scenario:

A fiber connection from the ISP comes to a switch supplied by the ISP, so only 1 port is active on it. That 1 port is connected to our firewall, and then from the firewall we have connections to our core switches. Now I need to hook up 2 servers outside the firewall. I don't want to go via the firewall by mapping a public IP to a private IP in the firewall. I just want them on the outside DMZ. So I put a new Cisco switch between the firewall and the ISP switch, so that the 1 active port from the ISP switch now comes directly to the new Cisco 8-port switch (I call it the distribution switch), and then from the distribution switch 1 connection goes to the firewall and then from the firewall to the core switches.

So now I have a distribution switch between the ISP switch and the firewall. I want to assign it a private IP so that I can access it from the inside network on its web interface. So I took 1 connection from our core switch port 24 and connected it to port 5 of the distribution switch. Now I am stuck here. I don't know what type of VLAN I should create, trunk mode or access. Should port 24 on the core switch and port 5 on the distribution switch be tagged or untagged, and should they be forbidden in the default VLAN?

Kindly see the attached picture if it helps.

Can you guys please help? Thank YOUUUU!

3 Replies

fb_webuser
Level 6

You need to configure one VLAN for the DMZ with ports for the router, firewall, and the two servers. Then make a management VLAN on another port attached to the internal network and assign an IP to that VLAN.

IMPORTANT: If VLANs and/or STP are in use on your internal network you need to be very careful that your VLANs match and your root switch is configured, or you will break things.

I usually set up a completely separate VLAN for all the switch management interfaces. If you do this then you would connect the new switch to the internal network with a trunk link and again just assign an IP to the management VLAN.

In this case you must use

switchport trunk allowed vlan x

on both ends for added security.

---

Posted by WebUser Stuart Gall

Thanks for the quick reply! Can we be more specific? It will help me to understand your response better.

ISP Switch : Port 1  -----> Port 1 Distribution Switch

Dist. Switch: Port 2  -----> Port 1 Firewall

Firewall : Port 2   -------> Port 1 Core Switch

Core Switch: Port 24 -------> Port 8 Dist. Switch

On the distribution switch I just want port 8 to be connected to the internal network. The rest of the 7 ports will be on the outside DMZ.

Now can you please explain a little bit more specifically? Thanks for your help!

Hi Irfan

Why would you put your servers facing the Internet? I would cross out this approach, as this is not a recommended solution. Why would you put your servers attached to the Internet router/switch? What are these servers used for, and whom will they cater to? Now, if you want to do that, it's pretty easy. Go to the distribution switch and make a VLAN, say VLAN 10, Layer 2. Now connect the ISP switch to the distribution switch and ask the ISP guys to put that port in VLAN 10 as well, Layer 2 (if you can't do that, then use VLAN 1 by default). So this is step 1; now your ISP connection is working without any issue (you have to put the firewall port in VLAN 10 or 1 as well).

Now, in order to do management, just make a Layer 3 VLAN, say VLAN 60, and add an IP of 192.168.1.1/24, and add a static route in your core and firewall pointing towards the outside interface. Done deal.
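Putting the two replies together (DMZ VLAN plus a separate management VLAN carried over a pruned trunk), here is one way the distribution switch and core port 24 could be configured. This is an added example, not configuration from either poster: VLAN 10, VLAN 60 and 192.168.1.1/24 come from the reply above, while the interface names, the VLAN names, the unused native VLAN 999 and the core SVI address 192.168.1.254 are assumptions.

```cisco
! --- Distribution switch (8-port switch between ISP switch and firewall) ---
! Port numbers follow the poster's diagram. Interface names, VLAN names,
! native VLAN 999 and the 192.168.1.254 gateway are assumptions.
vlan 10
 name DMZ-OUTSIDE
vlan 60
 name MGMT
vlan 999
 name UNUSED-NATIVE
!
! Ports 1-7: ISP handoff (1), firewall outside (2) and the two servers.
! Layer 2 access ports in VLAN 10 only; no SVI is created in VLAN 10,
! so the switch cannot be managed from the Internet-facing side.
interface range FastEthernet0/1 - 7
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! Port 8: uplink to core port 24. Tagged trunk that allows ONLY VLAN 60,
! so DMZ traffic cannot cross this link into the inside network, and
! untagged frames land in an unused native VLAN rather than VLAN 1.
interface FastEthernet0/8
 switchport mode trunk
 switchport trunk allowed vlan 60
 switchport trunk native vlan 999
 switchport nonegotiate
!
! Management address lives only in VLAN 60; the VLAN 1 SVI is shut.
interface Vlan1
 shutdown
interface Vlan60
 ip address 192.168.1.1 255.255.255.0
 no shutdown
ip default-gateway 192.168.1.254
!
! --- Core switch, port 24 (mirror of the trunk settings) ---
! VLAN 60 must be the same management VLAN the core already uses, or
! the two VLAN databases will not match (see the STP/VLAN warning above).
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk allowed vlan 60
 switchport trunk native vlan 999
 switchport nonegotiate
interface Vlan60
 ip address 192.168.1.254 255.255.255.0
!
! Verify with: show vlan brief / show interfaces trunk
```

On platforms that also support ISL, `switchport trunk encapsulation dot1q` has to precede `switchport mode trunk`. `show interfaces trunk` on both ends should list only VLAN 60 as allowed and active.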
