07-26-2013 06:18 AM
DMZ isolation within enclosure
Duane had some DMZ location on servers questions:
***************
I have a customer considering a deployment of BladeSystem technology (c3000 + BL4xx blades) where they will require a private LAN infrastructure as well as DMZ for external connectivity. We’re trying to get them to consider VC, but right now they are insisting on 6125XG and Brocade switches for interconnects.
I’ve seen some discussions in the past addressing the isolation concern of having the DMZ servers in the same enclosure as other non-DMZ servers. Anyone have any definitive pros/cons of putting the DMZ blade(s) in the same enclosure, vs deploying externally? Easy solution would be just to deploy the DMZ as DL380.
************
Dan advised:
************
I usually boil this down to 3 things.
1) VC is Layer 2 only so any routing will be done outside, where they likely want it.
2) With Network Access Groups in VC, we can make it so a DMZ Blade and a Prod Blade never have access to the same VLANs, whether those came in on a single SUS or multiple SUS.
3) With Private mode on, and proper use of PVLAN outside the enclosure, they can prevent even Blade to Blade communication on a per VLAN basis.
Storage side is easy. You just create 2 different sets of SAN Fabrics and they never share resources. Doesn’t mean you can’t put a DMZ Server on the wrong SAN Fabric accidentally, but going Brocade doesn’t prevent accidents either.
*************
Other comments or suggestions?
07-26-2013 08:10 AM
Re: DMZ isolation within enclosure
Input from Pedro:
******************
In my opinion, for this kind of solution, the main advantage of VC over switch is that with 2 separate SUS on VC, it creates 2 completely isolated network segments.
With a switch implementation you will always need a common VLAN and Spanning Tree instance that will connect both LAN segments (DMZ and Internal LAN). If the DMZ is physically separated from the LAN, this can be a big issue not only in terms of security but also in terms of network topology and STP convergence.
********************
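As an added illustration of the isolation properties Dan and Pedro describe (not code from the thread or from HPE), the audit below checks a Virtual Connect style domain description for three things: every server profile stays inside one Network Access Group, every Shared Uplink Set carries networks from only one group, and DMZ networks have Private mode on. The dictionary layout and all names are constructed for the example; a real run would feed in values exported from the VC domain.

```python
from collections import defaultdict

# Constructed sample, not a VC export: each vNet has a VLAN ID, belongs to one
# Network Access Group (NAG), rides one Shared Uplink Set (SUS) and may have
# Private mode enabled. DMZ_Mgmt is deliberately misconfigured.
NETWORKS = {
    "Prod_Web":  {"vlan": 100, "nag": "PROD", "private": False, "sus": "SUS_Internal"},
    "Prod_DB":   {"vlan": 110, "nag": "PROD", "private": False, "sus": "SUS_Internal"},
    "DMZ_Front": {"vlan": 200, "nag": "DMZ",  "private": True,  "sus": "SUS_DMZ"},
    "DMZ_Mgmt":  {"vlan": 210, "nag": "DMZ",  "private": False, "sus": "SUS_Internal"},
}

# Constructed server profiles: the vNets each blade's NICs are mapped to.
# Blade3_Mixed deliberately mixes both groups.
PROFILES = {
    "Blade1_Prod":  ["Prod_Web", "Prod_DB"],
    "Blade2_DMZ":   ["DMZ_Front"],
    "Blade3_Mixed": ["Prod_Web", "DMZ_Front"],
}


def audit_isolation(networks, profiles, dmz_nag="DMZ"):
    """Return a list of findings; an empty list means the three rules hold."""
    findings = []

    # Rule 1 (Dan, point 2): a profile must only reference networks of one NAG,
    # so no blade can ever reach both DMZ and Prod VLANs.
    for name, nets in profiles.items():
        nags = {networks[n]["nag"] for n in nets}
        if len(nags) > 1:
            findings.append(f"{name}: networks span NAGs {sorted(nags)}")

    # Rule 2 (Pedro): DMZ and internal traffic leave on separate SUS, so a
    # single uplink set must not carry networks from more than one NAG.
    sus_nags = defaultdict(set)
    for attrs in networks.values():
        sus_nags[attrs["sus"]].add(attrs["nag"])
    for sus, nags in sus_nags.items():
        if len(nags) > 1:
            findings.append(f"{sus}: carries networks from NAGs {sorted(nags)}")

    # Rule 3 (Dan, point 3): Private mode on DMZ vNets blocks blade-to-blade
    # traffic inside the enclosure; upstream PVLAN handles the rest.
    for n, attrs in networks.items():
        if attrs["nag"] == dmz_nag and not attrs["private"]:
            findings.append(f"{n}: DMZ network without Private mode")
    return findings


if __name__ == "__main__":
    for line in audit_isolation(NETWORKS, PROFILES):
        print("FINDING:", line)
```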