HP Virtual Connect & DMZ configuration

SOLVED
Dan.Kim
Occasional Contributor

HP Virtual Connect & DMZ configuration

Hi,

I have a question regarding the HP Virtual Connect and introducing a DMZ into the same enclosure. I am trying to figure out how best to have blade servers hosting DMZ and blade servers hosting non-DMZ in the same c7000 enclosure which has HP Virtual Connect Ethernet modules installed. Currently, as a rough idea, my plan is to have:

1. 1 uplink connected to one of the 1Gb uplink ports from the non-DMZ switch, linked to a network profile named "non-DMZ".
2. 1 uplink connected to a different 1Gb uplink port from the DMZ switch, linked to a network profile named "DMZ".

The DMZ switch and non-DMZ switch will have a firewall in-between.

Not considering the administration error possibility at the moment (I am aware that it's easy for someone to intentionally or unintentionally mis-assign a network profile on a server NIC), is this configuration considered valid for DMZ separation in the same enclosure? As far as I know, network traffic will not flow from one network profile to another one in HP Virtual Connect, but are there any known security issues configuring this way for a DMZ? There are many VLAN-hopping attacks that can be done on a physical switch, and the network profiles in Virtual Connect sound very much like VLANs in a physical switch - and VLAN separation is not acceptable for a DMZ.

Thanks.
3 REPLIES
JonathanT
Frequent Advisor
Solution

Re: HP Virtual Connect & DMZ configuration

Mark the VC network as private. This means that ALL traffic originating from the server will be forced through the uplink port to the switch.
Dan.Kim
Occasional Contributor

Re: HP Virtual Connect & DMZ configuration

That's actually a pretty good idea. Thanks.

So "DMZ" network profile would be marked as "private network" and "non-DMZ" network profile would be allowed to travel within the VC domain?
JonathanT
Frequent Advisor

Re: HP Virtual Connect & DMZ configuration

Correct. Now remember that if you make the network private, then the packet will have to travel up the uplink to your core switch and back down if two blades try to talk to each other over the private network. This is going to allow you to utilize all your standard ACLs, etc. for your DMZ on the core switch.
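The three separation rules the thread settles on (a DMZ vNet marked private, one physical uplink port per zone, and no server profile carrying NICs from both zones) can be checked before a design is committed. The lint below is an added example, not code from the thread or from HPE; it works on a constructed, simplified model of a VC domain rather than on the VC CLI or its output, and the zone labels, port names such as `enc0:1:X1`, and profile names are assumptions used only for the sample input.

```python
# Added example (not from the thread or HPE): a small lint for a planned
# Virtual Connect (VC) Ethernet design, checking the separation rules the
# thread settles on. The data model is a constructed simplification of a
# VC domain, not the VC CLI or its output; zone labels, port names and
# profile names are assumptions for the sample input.
from dataclasses import dataclass


@dataclass(frozen=True)
class VNet:
    name: str
    zone: str                 # "dmz" or "internal" (assumed labels)
    uplink_ports: frozenset   # VC uplink ports feeding this network
    private: bool = False     # the VC "private network" setting


@dataclass(frozen=True)
class ServerProfile:
    name: str
    nic_networks: tuple       # ((nic_id, vnet_name), ...)


def lint_design(vnets, profiles):
    """Return a list of (rule, message) findings; an empty list means the design passes."""
    findings = []
    by_name = {v.name: v for v in vnets}

    # Rule 1: a DMZ vNet must be private, so blade-to-blade DMZ traffic leaves
    # via the uplink and meets the ACLs on the core switch/firewall instead of
    # being switched inside the enclosure.
    for v in vnets:
        if v.zone == "dmz" and not v.private:
            findings.append(("dmz-not-private",
                             f"{v.name}: DMZ network is not private; blades on it "
                             f"could talk to each other inside the enclosure"))

    # Rule 2: DMZ and non-DMZ vNets must not share a physical uplink port; each
    # zone gets its own cable to its own switch, with the firewall in between.
    port_zones = {}
    for v in vnets:
        for port in v.uplink_ports:
            port_zones.setdefault(port, set()).add(v.zone)
    for port in sorted(port_zones):
        if len(port_zones[port]) > 1:
            findings.append(("shared-uplink",
                             f"{port}: carries both zones {sorted(port_zones[port])}"))

    # Rule 3: a server profile must reference vNets from one zone only, which
    # catches the NIC mis-assignment the question worries about.
    for prof in profiles:
        zones = set()
        for nic, net in prof.nic_networks:
            if net not in by_name:
                findings.append(("unknown-network",
                                 f"{prof.name}/{nic}: references undefined network {net}"))
                continue
            zones.add(by_name[net].zone)
        if len(zones) > 1:
            findings.append(("mixed-zones",
                             f"{prof.name}: NICs span zones {sorted(zones)}"))
    return findings


# Constructed sample: the design from the question with the fix from the reply
# (DMZ marked private), one 1Gb uplink per zone on different ports.
PLANNED_VNETS = (
    VNet("DMZ", "dmz", frozenset({"enc0:1:X1"}), private=True),
    VNet("non-DMZ", "internal", frozenset({"enc0:1:X2"})),
)
PLANNED_PROFILES = (
    ServerProfile("blade01-web", (("NIC1", "DMZ"),)),
    ServerProfile("blade02-app", (("NIC1", "non-DMZ"),)),
)

# Constructed counter-example: DMZ left non-private, one port shared by both
# zones, and a profile with one NIC in each zone.
FLAWED_VNETS = (
    VNet("DMZ", "dmz", frozenset({"enc0:1:X1"})),
    VNet("non-DMZ", "internal", frozenset({"enc0:1:X1"})),
)
FLAWED_PROFILES = (
    ServerProfile("blade03", (("NIC1", "DMZ"), ("NIC2", "non-DMZ"))),
)

if __name__ == "__main__":
    for label, vn, pr in (("planned", PLANNED_VNETS, PLANNED_PROFILES),
                          ("flawed", FLAWED_VNETS, FLAWED_PROFILES)):
        found = lint_design(vn, pr)
        print(f"{label}: {'OK' if not found else str(len(found)) + ' finding(s)'}")
        for rule, msg in found:
            print(f"  [{rule}] {msg}")
```

Running the script reports the planned design as clean and lists three findings for the flawed one. The check is deliberately a design-time gate: it does not replace the ACLs on the core switch, which remain the enforcement point once the DMZ vNet is private.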