BladeSystem Network Blades
Showing results for 
Search instead for 
Did you mean: 

DMZ isolation within enclosure

Trusted Contributor

DMZ isolation within enclosure

Duane had some DMZ location on servers questions:




I have a customer considering a deployment of BladeSystem technology (c3000 + BL4xx blades) where they will require a private LAN infrastructure as well as DMZ for external connectivity.  We’re trying to get them to consider VC, but right now they are insisting on 6125XG and Brocade switches for interconnects.


I’ve seen some discussions in the past addressing the isolation concern of having the DMZ servers in the same enclosure as other non-DMZ servers.   Anyone have any definitive pros/cons of putting the DMZ blade(s) in the same enclosure, vs deploying externally?   Easy solution would be just to deploy the DMZ as DL380.




Dan advised:




I usually boil this down to 3 things.

1)      VC is Layer 2 only so any routing will be done outside, where they likely want it.

2)      With Network Access Groups in VC, we can make it so a DMZ Blade and a Prod Blade never have access to the same VLANs, whether those came in on a single SUS or Multiple SUS

3)      With Private mode on, and proper use of PVLAN outside the enclosure, they can prevent even Blade to Blade communication on a per VLAN basis.


Storage side is easy.  You just create 2 different sets of SAN Fabrics and they never share resources.  Doesn’t mean you can’t put a DMZ Server on the wrong SAN Fabric accidentally, but going Brocade doesn’t prevent accidents either.




Other comments or suggestions?



Trusted Contributor

Re: DMZ isolation within enclosure

Input from Pedro:




In my opinion, for this kind of solution, the main advantage of VC over switch is that with 2 separate SUS on VC, it creates 2 completely isolated network segments.

With a switch implementation you will always need a common VLAN and Spanning tree instance that will connect both LAN segments (DMZ and Internal LAN). If DMZ is physically separated from the LAN, this can be a big issue not only in terms of security but also in terms of network topology and STP convergence.