Switches, Hubs, and Modems
Showing results for 
Search instead for 
Did you mean: 

Re: DMZ setup through Procurve to catalyst to pix

New Member

DMZ setup through Procurve to catalyst to pix

I'm researching how to setup a secure webserver. This is just something I've never done with secure data so want to make sure it is correct.
My goal is to setup a vlan_2 ( an HP ProCurve 2510G-24 with a single server running my website (webserver ( The HP also contains all other servers (dhcp, dns, ftp, backup) on the default vlan_1 ( This switch is connected directly to a Cisco Catalyst 2960G-48 ( running default setup. This connects to the PIX 506e. I've got the pix setup ready with an acl and static route to my desired ip for the server. I just can't seem to get the switches to work for me.
I would like to be able to access the webserver from any internal server or workstation, but not from the webserver to the other servers or workstations. I just want better protection from outside by putting the webserver in a vlan on a different subnet.
Am I way off base with my goal?
This will be a webserver for a secure application I've been building. I've never setup the network side.

Honored Contributor

Re: DMZ setup through Procurve to catalyst to pix

>>> Cisco Catalyst 2960G-48 ( running default setup <<<
So this switch only knows about vlan-1!

The hp and cisco don't communicate what vlans are used (like cisco's vtp protocol).
So you must manually add vlan-2 on the cisco and configure the connecting ports to pass both vlan's (vlan-trunk).

on cisco :
interface GigabitEthernet2/0/24
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 1,2 (or all)
on hp something like:
vlan 1
tagged 24
vlan 2
tagged 24

another tip:
Connect the pix to the cisco as vlan-trunk(switchport like above).
create a subinterface on the inside interface for vlan-2 with security level between inside and outside.

then it will look like the pix has a "third NIC" connected to the dmz.
New Member

Re: DMZ setup through Procurve to catalyst to pix

Excellent! Thank you!
So to recap..
HP switch:
Ports 2-22,24: Vlan_1 untagged,Vlan_2 tagged or no??(for all stations on those ports).
Port 23: Vlan_2 untagged, Vlan_1 no (for webserver)
Port 1: Vlan_1 untagged, Vlan_2 tagged (going to trunked port on Catalyst)

Caltlyst Switch:
Create Vlan_2, leave the default vlan_1 as is
Port GE47: trunked port allowing all vlans using dot1q. vlan_2 logical tagged, vlan_1 physical untagged(the port hp switch goes to). Can I enable PDM here to take care of this for me??
Port GE48: trunked port to pix

I'm not sure how to creat a subinterface. Any help here is appreciated of course.
I was going to create a static entry from the outside to the DMZ. With an access list to all www.
And allow the inside to access the DMZ with another static command.

Do I understand everything correctly??
Thanks again for the help!!