topic Re: Configuring a server on a DMZ with Cisco 3020 Switches in BladeSystem - General

Configuring a server on a DMZ with Cisco 3020 Switches

Brett Sadler — Wed, 29 Apr 2009 18:12:26 GMT

Hello,

We are needing to migrate our BusinessObjects server and Web server, which our in the DMZ on the public side, over to our c7000 enclosure. We currently have 10 blades in the system with 2 Cisco 3020 switches in IC Bay 1 and IC Bay 2. 6 of the switch ports (Gi0/17-22) on each 3020 are EC Trunked to our backbone HP 2824 switches. I'm thinking I'm needing a way for Internal switch ports Gi0/6 & Gi0/14 (representing the bays the new servers are going to be put into) to connect/pass-thru to the external Gi0/23 or Gi0/24 ports directly. This is so I can connect that physical port to our already configured DMZ ports on the HP 2824s. This is the most simplistic way I can think of to use our DMZ servers in our Blade enclosure. If I'm completely going in the wrong direction I apologize in advance. Thanks in advance for any assistance you can provide!

Re: Configuring a server on a DMZ with Cisco 3020 Switches

HEM_2 — Wed, 29 Apr 2009 19:03:07 GMT

Brett:

what you are describing above is completely possible by creating a separate VLAN on your 3020s for the DMZ traffic.

For a simple config just add the "switchport access vlan x" command to each interface you want in the DMZ (where x is a unique VLAN id).

example:

interface GigabitEthernet0/6
switchport access vlan 99

interface GigabitEthernet0/14
switchport access vlan 99

interface GigabitEthernet0/23
switchport access vlan 99

interface GigabitEthernet0/24
switchport access vlan 99

Re: Configuring a server on a DMZ with Cisco 3020 Switches

Brett Sadler — Wed, 29 Apr 2009 19:05:10 GMT

So if the DMZ VLAN on the HP 2824 switch is 4 then I should make the switchports on the 3020s all part of VLAN 4 and then they should be able to work just fine? Or does the VLAN chosen on the Cisco side of things not matter? Thanks again so much!

Re: Configuring a server on a DMZ with Cisco 3020 Switches

HEM_2 — Wed, 29 Apr 2009 20:42:44 GMT

if the traffic between the 3020 and the 2824 is untagged then the VLAN ID doesn't have to match (because the tag is not carried in the ethernet frames) but if you are tagging the frames then the VLAN ID would need to match.

The sample config I showed above would send untagged frames to the 2824 on gi0/23 or 24.

For ease of administration I would recommend using the same VLAN ID. That way if you migrate to VLAN tagging later, it is easier.

Re: Configuring a server on a DMZ with Cisco 3020 Switches

Brett Sadler — Wed, 10 Jun 2009 20:12:49 GMT

So I've configured as you suggested for the below ports. g0/7 is the Blade I want in our DMZ and g0/24 is the physical port that is connected to our untagged DMZ port on our HP 2824 switch. VLAN 4 is the VLAN on both sides incase we ever turn on tagging. I can't get ANY type of access out from the blade. It seems that the HP is showing the connection from the Cisco, but i'm stumped...

Current configuration : 2722 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname al-blsw1
!
boot-start-marker
boot-end-marker
!
enable password **********
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface Port-channel5
switchport mode trunk
!
interface FastEthernet0
ip address dhcp
no ip route-cache
no ip mroute-cache
!
interface GigabitEthernet0/1
speed 1000
spanning-tree portfast
!
interface GigabitEthernet0/2
speed 1000
spanning-tree portfast
!
interface GigabitEthernet0/3
speed 1000
spanning-tree portfast
!
interface GigabitEthernet0/4
speed 1000
spanning-tree portfast
!
interface GigabitEthernet0/5
speed 1000
spanning-tree portfast
!
interface GigabitEthernet0/6
speed 1000
spanning-tree portfast
!
interface GigabitEthernet0/7
switchport access vlan 4
switchport mode access
speed 1000
spanning-tree portfast
!
interface GigabitEthernet0/8
speed 1000
spanning-tree portfast
!
interface GigabitEthernet0/9
speed 1000
spanning-tree portfast
!
interface GigabitEthernet0/10
speed 1000
spanning-tree portfast
!
interface GigabitEthernet0/11
speed 1000
spanning-tree portfast
!
interface GigabitEthernet0/12
speed 1000
spanning-tree portfast
!
interface GigabitEthernet0/13
speed 1000
spanning-tree portfast
!
interface GigabitEthernet0/14
speed 1000
spanning-tree portfast
!
interface GigabitEthernet0/15
speed 1000
spanning-tree portfast
!
interface GigabitEthernet0/16
speed 1000
spanning-tree portfast
!
interface GigabitEthernet0/17
description 2428-1(port 17)
switchport mode trunk
channel-group 5 mode on
!
interface GigabitEthernet0/18
description 2428-1(port 18)
switchport mode trunk
channel-group 5 mode on
!
interface GigabitEthernet0/19
description 2428-1(port 15)
switchport mode trunk
channel-group 5 mode on
!
interface GigabitEthernet0/20
description 2428-1(port 16)
switchport mode trunk
channel-group 5 mode on
!
interface GigabitEthernet0/21
description 2428-1(port 1)
switchport mode trunk
channel-group 5 mode on
!
interface GigabitEthernet0/22
description 2428-1(port 6)
switchport mode trunk
channel-group 5 mode on
!
interface GigabitEthernet0/23
!
interface GigabitEthernet0/24
switchport access vlan 4
switchport mode access
!
interface Vlan1
no ip address
no ip route-cache
no ip mroute-cache
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.96 254
ip route 0.0.0.0 0.0.0.0 192.168.1.96 254
ip http server
!
!
control-plane
!
!
line con 0
line vty 0 4
exec-timeout 90 0
password **********
login
line vty 5 15
login
!
end

Re: Configuring a server on a DMZ with Cisco 3020 Switches

HEM_2 — Wed, 10 Jun 2009 20:46:41 GMT

you have swithport trunk configured on your port channel. By default Cisco sends all vlans on a trunk. Therefore it is sending vlan 4 on the port channel as well.

Normally this would still work but I would recommend doing a "show spanning-tree" on the 3020 to see whether port g0/24 is blocking or forwarding.

I would add the command "switchport trunk allowed vlan 1" (and any other vlans you want on the trunk EXCEPT for VLAN 4) on the port channel interface.