- Re: HP Virtual Connect & DMZ configuration
12-03-2009 01:13 PM
Hi,
I have a question regarding the HP Virtual Connect and introducing DMZ into the same enclosure. I am trying to figure out how best to have blade servers hosting DMZ and blade servers hosting non-DMZ in the same c7000 enclosure which has HP Virtual Connect Ethernet modules installed. Currently, on a rough idea, my plan is to have:
1. 1 uplink connected to one of the 1Gb uplink ports from non-DMZ switch, linked to a network profile named "non-DMZ".
2. 1 uplink connected to different 1Gb uplink port from DMZ switch, linked to a network profile named "DMZ".
The DMZ switch and non-DMZ switch will have a firewall in-between.
Not considering the administration error possibility at the moment (I am aware that it's easy for someone to intentionally or unintentionally mis-assign a network profile on a server NIC), is this configuration considered valid for DMZ separation in the same enclosure? As far as I know, network traffic will not flow from one network profile to another one in HP Virtual Connect, but are there any known security issues configuring this way for DMZ? There are many VLAN-hopping attacks that can be done in a physical switch, and the network profiles in Virtual Connect sound very much like VLANs in a physical switch - and VLAN separation is not acceptable for DMZ.
Thanks.
12-04-2009 07:35 PM
12-13-2009 04:03 PM
Re: HP Virtual Connect & DMZ configuration
That's actually a pretty good idea. Thanks.
So "DMZ" network profile would be marked as "private network" and "non-DMZ" network profile would be allowed to travel within the VC domain?
12-13-2009 04:07 PM
Re: HP Virtual Connect & DMZ configuration
Correct. Now remember that if you make the network private, then the packet will have to travel up the uplink to your core switch and back down if two blades try to talk to each other over the private network. This is going to allow you to utilize all your standard ACLs, etc. for your DMZ on the core switch.
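An added example, not part of the thread and not HPE tooling: a small audit of the layout discussed above, checking that DMZ networks are marked private, that no uplink carries both zones, and that no server profile has NICs in both zones (the mis-assignment risk raised in the question). The inventory format, field names, uplink labels and blade names are constructed for illustration and are not a Virtual Connect export format.

```python
# Constructed inventory: hypothetical field names, not Virtual Connect output.
NETWORKS = {
    "DMZ":     {"zone": "dmz",      "private": True,  "uplinks": ["uplink-A"]},
    "non-DMZ": {"zone": "internal", "private": False, "uplinks": ["uplink-B"]},
    # Deliberately wrong: a DMZ network that is not private and shares uplink-B.
    "DMZ-web": {"zone": "dmz",      "private": False, "uplinks": ["uplink-B"]},
}
PROFILES = {
    "blade01": ["non-DMZ", "non-DMZ"],
    "blade02": ["DMZ", "DMZ"],
    "blade03": ["DMZ", "non-DMZ"],  # mis-assigned NIC: one server in both zones
}


def audit(networks, profiles):
    """Return a sorted list of (check, subject) findings for the DMZ layout."""
    findings = []

    # 1. A DMZ network should be private, so blade-to-blade traffic leaves
    #    through the uplink and is subject to the ACLs on the external switch.
    for name, net in networks.items():
        if net["zone"] == "dmz" and not net["private"]:
            findings.append(("dmz-not-private", name))

    # 2. An uplink must carry networks of a single zone only; otherwise the
    #    firewall between the DMZ and non-DMZ switches is bypassed.
    zones_by_uplink = {}
    for net in networks.values():
        for uplink in net["uplinks"]:
            zones_by_uplink.setdefault(uplink, set()).add(net["zone"])
    for uplink, zones in zones_by_uplink.items():
        if len(zones) > 1:
            findings.append(("uplink-shared-across-zones", uplink))

    # 3. A server with NICs in both zones is a potential bridge between them.
    for server, nic_networks in profiles.items():
        zones = set()
        for net_name in nic_networks:
            if net_name not in networks:
                findings.append(("unknown-network", f"{server}:{net_name}"))
            else:
                zones.add(networks[net_name]["zone"])
        if len(zones) > 1:
            findings.append(("server-in-both-zones", server))

    return sorted(findings)


if __name__ == "__main__":
    for check, subject in audit(NETWORKS, PROFILES):
        print(f"{check}: {subject}")
```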