HPE Community
Aruba & ProVision-based
1752585 Members
4101 Online
108788 Solutions
New Discussion

DMZ over a trunk

 
Filippo Dareggi
Occasional Contributor

‎02-18-2013 03:57 AM

‎02-18-2013 03:57 AM

DMZ over a trunk

Hi all.

 

I need to connect a DMZ on a firewall over a fiber channel link between two switches ( J9280A, J9279A ).

 

This is the topology:

 

DMZ: VLAN ID 100

 

J9280A, Port 44 attached to my server

 

J9279A, Port 22 attacched to DMZ port on firewall

 

FiberChannel link from port 48 ( J9280A ) and port 24 ( J9279A ).

 

I need to create a trunk from Port 48 and 24, right?

 

On J9280A:

#trunk 48 trk1 trunk

 

On J9279A

#trunk 24 trk1 trunk

 

That's all, right?

 

Thanks.

filloweb

 

0 Kudos
7 REPLIES 7
LorenzoCastro
Frequent Advisor

‎02-18-2013 08:20 AM

‎02-18-2013 08:20 AM

Re: DMZ over a trunk

Hello, I think you may be confusing the terms trunking and tagging.  Trunking in the Cisco world is different than trunking in the HP world.  HP uses the term trunking for link aggregations where multiple physical links and bonded together to create a logical, high bandwidth port.   Cisco uses the trunking term to indicate a link that carries multiple dot1q vlan tags on it, whereas HP uses the term tagging for that function.  With that said, it looks like you will need to tag your DMZ vlan ID over your fiber uplink.  So the config would be as follows

 

switch1

config

vlan 100 tagged 48

 

switch 2

config

vlan 100 tagged 24

 

Those commands would enable vlan tagging for vlan 100 on your fiber uplink between switch 1 and 2.  HTH.

0 Kudos
Filippo Dareggi
Occasional Contributor

‎02-18-2013 09:36 AM

‎02-18-2013 09:36 AM

Re: DMZ over a trunk

I can't understand.

 

On switch01 I have my server on port 44.

On switch02 I have my DMZ's firewall on port 22.

 

Here the running configs:

 

switch01.decori.local# sh running-config

Running configuration:

; J9280A Configuration Editor; Created on release #Y.11.12

hostname "switch01.decori.local"
snmp-server location "Sala CED"
time daylight-time-rule Western-Europe
ip default-gateway 172.16.254.254
sntp server 172.16.10.11
timesync sntp
sntp unicast
sntp 30
snmp-server community "public" Unrestricted
snmp-server host 172.16.11.142 "public"
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-43,45-48
   ip address 172.16.254.11 255.255.0.0
   no untagged 44
   jumbo
   exit
vlan 100
   name "DMZ"
   untagged 44
   tagged 48
   exit
fault-finder bad-driver sensitivity high
fault-finder bad-transceiver sensitivity high
fault-finder bad-cable sensitivity high
fault-finder too-long-cable sensitivity high
fault-finder over-bandwidth sensitivity high
fault-finder broadcast-storm sensitivity high
fault-finder loss-of-link sensitivity high
fault-finder duplex-mismatch-HDx sensitivity high
fault-finder duplex-mismatch-FDx sensitivity high
no stack
spanning-tree


switch02.decori.local# sh running-config

Running configuration:

; J9279A Configuration Editor; Created on release #Y.11.35

hostname "switch02.decori.local"
snmp-server location "Magazzino Grezzi"
time daylight-time-rule Western-Europe
sntp server 172.16.10.11
timesync sntp
sntp unicast
sntp 30
snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-21,23-24
   ip address 172.16.254.12 255.255.0.0
   no untagged 22
   jumbo
   exit
vlan 100
   name "DMZ"
   untagged 22
   tagged 24
   exit
fault-finder bad-driver sensitivity high
fault-finder bad-transceiver sensitivity high
fault-finder bad-cable sensitivity high
fault-finder too-long-cable sensitivity high
fault-finder over-bandwidth sensitivity high
fault-finder broadcast-storm sensitivity high
fault-finder loss-of-link sensitivity high
fault-finder duplex-mismatch-HDx sensitivity high
fault-finder duplex-mismatch-FDx sensitivity high
no stack
spanning-tree


Could you help me?

Thanks.

filloweb

0 Kudos
LorenzoCastro
Frequent Advisor

‎02-18-2013 09:48 AM

‎02-18-2013 09:48 AM

Re: DMZ over a trunk

 Your VLAN tagging is already setup and your requirement doesn't specify the need for link aggregation, just port tagging. From what I can see in your config everything looks correct.  Are you seeing any problems?   

0 Kudos
Filippo Dareggi
Occasional Contributor

‎02-18-2013 09:57 AM

‎02-18-2013 09:57 AM

Re: DMZ over a trunk

Everything is all right.

 

Any suggestion for security?

 

Thanks a lot.

filloweb.

0 Kudos
LorenzoCastro
Frequent Advisor

‎02-18-2013 03:53 PM

‎02-18-2013 03:53 PM

Re: DMZ over a trunk

Security?  You could probably start by removing the public snmp string and changing that to something else as well as making it restricted.  Not sure if your switches support snmp v3, but that's another option you may want to look at.  Some people do not like using the default vlan number and move everything in to other vlans.  You could also disable telnet, enable SSH just to name a few things. 

0 Kudos
Chrisd131313
Trusted Contributor

‎02-19-2013 01:04 AM

‎02-19-2013 01:04 AM

Re: DMZ over a trunk

To add to LorenzoCastro's posts it might be worth having a read through the HP procurve hardening white paper...

 

http://www.hp.com/rnd/pdfs/Hardening_ProCurve_Switches_White_Paper.pdf

 

It's a good place to start when dealing with switch security. It is not an exhaustive list, but it will start you off in the right direction.

-----------------------------------------------------

Don't forget to mark a post resolved if your question was answered.
Filippo Dareggi
Occasional Contributor

‎02-19-2013 03:44 AM

‎02-19-2013 03:44 AM

Re: DMZ over a trunk

Hi,

 

thanks for your support!

 

Now, it's right.

 

switch01.decori.local# sh run

Running configuration:

; J9280A Configuration Editor; Created on release #Y.11.41

hostname "switch01.decori.local"
snmp-server location "Sala CED"
time daylight-time-rule Western-Europe
ip default-gateway 172.16.254.254
sntp server 172.16.10.11
timesync sntp
sntp unicast
sntp 30
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-43,45-48
   ip address 172.16.254.11 255.255.0.0
   no untagged 44
   jumbo
   exit
vlan 100
   name "DMZ"
   untagged 44
   tagged 48
   exit
fault-finder bad-driver sensitivity high
fault-finder bad-transceiver sensitivity high
fault-finder bad-cable sensitivity high
fault-finder too-long-cable sensitivity high
fault-finder over-bandwidth sensitivity high
fault-finder broadcast-storm sensitivity high
fault-finder loss-of-link sensitivity high
fault-finder duplex-mismatch-HDx sensitivity high
fault-finder duplex-mismatch-FDx sensitivity high
no stack
spanning-tree

switch01.decori.local#

 

 

Thanks a lot!!!

filloweb

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.