HPE Community
BladeSystem - General
1752564 Members
4051 Online
108788 Solutions
New Discussion

Re: DMZ isolation within enclosure

 
chuckk281
Trusted Contributor

‎07-26-2013 06:18 AM

‎07-26-2013 06:18 AM

DMZ isolation within enclosure

Duane had some DMZ location on servers questions:

 

***************

 

I have a customer considering a deployment of BladeSystem technology (c3000 + BL4xx blades) where they will require a private LAN infrastructure as well as DMZ for external connectivity.  We’re trying to get them to consider VC, but right now they are insisting on 6125XG and Brocade switches for interconnects.

 

I’ve seen some discussions in the past addressing the isolation concern of having the DMZ servers in the same enclosure as other non-DMZ servers.   Anyone have any definitive pros/cons of putting the DMZ blade(s) in the same enclosure, vs deploying externally?   Easy solution would be just to deploy the DMZ as DL380.

 

************

 

Dan advised:

 

************

 

I usually boil this down to 3 things.

1)      VC is Layer 2 only so any routing will be done outside, where they likely want it.

2)      With Network Access Groups in VC, we can make it so a DMZ Blade and a Prod Blade never have access to the same VLANs, whether those came in on a single SUS or Multiple SUS

3)      With Private mode on, and proper use of PVLAN outside the enclosure, they can prevent even Blade to Blade communication on a per VLAN basis.

 

Storage side is easy.  You just create 2 different sets of SAN Fabrics and they never share resources.  Doesn’t mean you can’t put a DMZ Server on the wrong SAN Fabric accidentally, but going Brocade doesn’t prevent accidents either.

 

*************

 

Other comments or suggestions?

 

 

0 Kudos
Reply
1 REPLY 1
chuckk281
Trusted Contributor

‎07-26-2013 08:10 AM

‎07-26-2013 08:10 AM

Re: DMZ isolation within enclosure

Input from Pedro:

 

******************

 

In my opinion, for this kind of solution, the main advantage of VC over switch is that with 2 separate SUS on VC, it creates 2 completely isolated network segments.

With a switch implementation you will always need a common VLAN and Spanning tree instance that will connect both LAN segments (DMZ and Internal LAN). If DMZ is physically separated from the LAN, this can be a big issue not only in terms of security but also in terms of network topology and STP convergence.

 

********************

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.