VLAN routing and security
07-19-2012 05:13 AM
Hi there,
I'm currently running an HP ProCurve environment with a few layer 3 ProCurves at the core and about 20 layer 2 switches connected to it. We have several VLANs in place for departments, and we have enabled IP routing on our core switch and assigned an IP to each VLAN to allow inter-VLAN routing between departments.
I wish to add a DMZ VLAN; however, I obviously do not wish this to be able to communicate with any other VLANs. If I don't assign an IP address to the DMZ VLAN on the core L3 switch, will this be enough to ensure that traffic doesn't cross from the DMZ VLAN to other VLANs and vice versa? Or will I also require ACLs to ensure security?
Many Thanks
07-19-2012 05:50 AM
Hi Tommyv,
By not assigning an IP address to the DMZ VLAN on your core routers, you segregate the traffic and do not allow it to be routed; in essence you are not applying L3 functionality to the DMZ VLAN. You would have to have an L3 router somewhere in your network to allow any traffic to get to the DMZ VLAN, but from your corporate LAN's point of view, it is unreachable.
Don't forget to mark a post resolved if your question was answered.
07-19-2012 06:34 AM
Re: VLAN routing and security
I agree with Chris. I run 3 DMZs in different VLANs and am happy that with no IP, there's no leakage. I bring my Internet uplink into the same switch (again without IP) in another VLAN.
I think a few precautions are worthwhile in both cases:
- turn off web-management and telnet
- filter STP BPDUs
- disable unknown GVRP VLANs, IGMP, and LLDP
- set a management VLAN and a warning banner
Some of these might not be applicable in your environment, and I'm sure I've missed some things, but that's a reasonable start. See the ProCurve hardening guide (http://www.hp.com/rnd/pdfs/Hardening_ProCurve_Switches_White_Paper.pdf) or my wiki page (http://linuxman.wikispaces.com/HP+ProCurve+hardening+for+Internet) for more info.
Paul
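As an added example (not code from the thread or from HP), here is a small audit script that checks a ProCurve-style running-config for the two things the replies above ask for: Chris's point that the DMZ VLAN must carry no `ip address` on the routing core, and the items from Paul's list that appear as global config lines (no web-management, no telnet-server, a management VLAN, a warning banner). The sample config, its VLAN numbers and addresses are constructed to mimic ProCurve syntax and are assumptions; the DMZ VLAN id to check is passed in by the caller.

```python
"""Audit a ProCurve-style running-config for the two things discussed above:
Chris's point (a DMZ VLAN must have no 'ip address' on the routing core) and
Paul's hardening items (no web-management, no telnet-server, a management
VLAN, a warning banner).  Added example; the config below is constructed to
mimic ProCurve syntax and is not from the original thread."""
import re

# Constructed sample running-config (assumed addressing, not from the page).
SAMPLE_CONFIG = """\
hostname "core-sw1"
ip routing
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-24
   ip address 10.33.1.253 255.255.255.0
   exit
vlan 10
   name "Finance"
   tagged 1
   ip address 10.33.10.253 255.255.255.0
   exit
vlan 200
   name "DMZ"
   tagged 1
   no ip address
   exit
vlan 999
   name "MGMT"
   ip address 10.33.254.2 255.255.255.0
   exit
management-vlan 999
no web-management
no telnet-server
banner motd "Authorised access only"
"""


def parse_procurve(config):
    """Return ({vlan_id: {'name', 'ip'}}, set_of_global_lines) for the subset of
    the syntax this audit needs: global one-liners and 'vlan N ... exit' blocks."""
    vlans, global_lines, current = {}, set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^vlan (\d+)$", line)
        if m:
            current = int(m.group(1))
            vlans[current] = {"name": None, "ip": None}
        elif current is not None:
            if line == "exit":
                current = None
            elif line.startswith("name "):
                vlans[current]["name"] = line.split(" ", 1)[1].strip('"')
            elif line.startswith("ip address "):
                vlans[current]["ip"] = line.split()[2]   # 'no ip address' never matches
        else:
            global_lines.add(line)
    return vlans, global_lines


def routable_vlans(vlans):
    """VLANs that carry an SVI and are therefore reachable once 'ip routing' is on."""
    return {vid for vid, v in vlans.items() if v["ip"] is not None}


def audit(config, dmz_vlans):
    """Return a list of findings; an empty list means the config passes."""
    vlans, g = parse_procurve(config)
    findings = []
    for vid in sorted(dmz_vlans):
        if vid not in vlans:
            findings.append(f"vlan {vid}: not defined on this switch")
        elif vid in routable_vlans(vlans) and "ip routing" in g:
            findings.append(f"vlan {vid}: has ip address {vlans[vid]['ip']} on a routing "
                            f"switch, so it is reachable from every other routed VLAN")
    mgmt = next((l for l in g if l.startswith("management-vlan ")), None)
    if mgmt is None:
        findings.append("no management-vlan set; the switch can be managed from any VLAN with an IP")
    elif int(mgmt.split()[1]) in dmz_vlans:
        findings.append(f"{mgmt}: the management VLAN must not be the DMZ")
    # ProCurve enables web-management and telnet-server by default, so the
    # hardened state is the presence of the explicit 'no ...' lines.
    if "no web-management" not in g:
        findings.append("web-management still enabled; add 'no web-management'")
    if "no telnet-server" not in g:
        findings.append("telnet-server still enabled; add 'no telnet-server'")
    if not any(l.startswith("banner motd") for l in g):
        findings.append("no banner motd configured")
    return findings


if __name__ == "__main__":
    vl, _ = parse_procurve(SAMPLE_CONFIG)
    print("routable VLANs:", sorted(routable_vlans(vl)))
    for finding in audit(SAMPLE_CONFIG, {200}) or ["clean"]:
        print(finding)
```

Feed it the output of `show running-config` from each core switch; any VLAN that appears in `routable_vlans()` is one the core will forward to and from, so the DMZ VLAN must not be in that set on any switch that has `ip routing` enabled. The per-port items in Paul's list (BPDU filtering, GVRP unknown-VLANs, LLDP) are not checked here.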
07-19-2012 08:18 AM
Thanks Guys, exactly what I wanted to know.
If you don't mind, I have one more related query. Can we set a default gateway per VLAN on the switch? What I'm trying to accomplish is this. Each client on a VLAN will use its L3 switch VLAN IP address as its default gateway to allow the inter-VLAN routing. Any traffic destined for outside of a routable VLAN should then be directed to our firewall. How would we configure this per VLAN, as we wouldn't necessarily want the same default gateway to be applied to our DMZ VLAN as our internal VLANs?
Thanks again
07-19-2012 03:29 PM
Any IP on the switch (other than the management VLAN's IP) can be used for routing. Once the packet hits the switch's interface for routing, it will follow the switch's routing table. So you wouldn't be able to use the switch as the default gateway for all VLANs unless they all have the same Internet uplink.
The simplest solution if you want to use different Internet gateways but maintain static routing is to use the firewall as the default gateway for each VLAN, and then give it a static route for a range of addresses that points to the switch. e.g. Assuming you have 255 VLANs all in the 10.33.0.0/16 range:
VLAN 1, firewall 10.33.1.254/24, switch 10.33.1.253/24
VLAN 2, firewall 10.33.2.254/24, switch 10.33.2.253/24
VLAN 3, firewall 10.33.3.254/24, switch 10.33.3.253/24
...
The default gateway for each VLAN would be its own firewall, and each firewall would need a route to 10.33.0.0/16 via the switch address on the same VLAN. That would allow each VLAN to have its own Internet link, yet maintain connectivity with the other VLANs.
Of course, if you have that many VLANs, you probably don't want to use static routing, but that's a whole new discussion... ;-)
Paul
07-19-2012 04:52 PM
or..
If you have the default gateway for the core be the firewall, any traffic that the router doesn't know how to route will be sent to the firewall.
Since the DMZ is only layer 2, it would not be affected.
You would also need to add routes on the firewall to route back in for the internal networks.
ip route 0.0.0.0 0.0.0.0 10.33.254.1 (firewall inside IP Address)
Just another idea. :)
Bob
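As an added example (not code from the thread), the following script traces next-hop decisions for both gateway designs described above: Paul's, where the firewall is each VLAN's default gateway and holds a route for 10.33.0.0/16 back to the core, and Bob's, where the core is the gateway and `ip route 0.0.0.0 0.0.0.0 10.33.254.1` hands everything else to the firewall. VLANs 1 and 2 use the .253/.254 convention from the thread; the transit VLAN 254, the DMZ prefix 203.0.113.0/24, the ISP next hop 192.0.2.1 and the Internet target 198.51.100.7 are assumptions made for this example.

```python
"""Trace next-hop decisions for the two gateway designs above: Paul's
(firewall is each VLAN's default gateway, with a route back to the core for
10.33.0.0/16) and Bob's (core is the gateway, 'ip route 0.0.0.0 0.0.0.0
10.33.254.1' hands everything else to the firewall).  Added example; the
topology is constructed: VLAN 1 and 2 use the .253/.254 convention from the
thread, VLAN 254 is an assumed transit VLAN for Bob's design, and the DMZ
(203.0.113.0/24), ISP hop (192.0.2.1) and target (198.51.100.7) are assumed."""
import ipaddress
from dataclasses import dataclass, field

IP, NET = ipaddress.ip_address, ipaddress.ip_network


@dataclass
class Node:
    name: str
    addrs: set                                   # IPv4 addresses this node owns
    routes: list                                 # (network, next_hop); None = connected
    deny: list = field(default_factory=list)     # (src_net, dst_net) dropped by policy

    def next_hop(self, dst):
        """Longest-prefix match over this node's routing table."""
        best = None
        for net, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best


def trace(nodes, start, src_ip, dst_ip, ttl=8):
    """Return the node names a packet visits, ending in 'delivered' (a hop has
    the destination as a connected network), 'dropped' (policy), 'no-route',
    or the address of a next hop outside the model (e.g. an ISP router)."""
    src, dst = IP(src_ip), IP(dst_ip)
    owner = {a: n for n in nodes for a in n.addrs}
    here, path = start, [start.name]
    for _ in range(ttl):
        if any(src in s and dst in d for s, d in here.deny):
            return path + ["dropped"]
        match = here.next_hop(dst)
        if match is None:
            return path + ["no-route"]
        nh = match[1]
        if nh is None:
            return path + ["delivered"]
        if nh not in owner:
            return path + [str(nh)]
        here = owner[nh]
        path.append(here.name)
    return path + ["ttl-exceeded"]


def paul_design():
    """Firewall .254 is VLAN 1's gateway; it sends 10.33.0.0/16 back to core .253."""
    host = Node("host-vlan1", {IP("10.33.1.10")},
                [(NET("10.33.1.0/24"), None), (NET("0.0.0.0/0"), IP("10.33.1.254"))])
    fw1 = Node("fw-vlan1", {IP("10.33.1.254")},
               [(NET("10.33.1.0/24"), None),
                (NET("10.33.0.0/16"), IP("10.33.1.253")),   # hairpins back onto VLAN 1
                (NET("0.0.0.0/0"), IP("192.0.2.1"))])       # this VLAN's own uplink
    core = Node("core-switch", {IP("10.33.1.253"), IP("10.33.2.253")},
                [(NET("10.33.1.0/24"), None), (NET("10.33.2.0/24"), None)])  # no DMZ SVI
    return [host, fw1, core], host


def bob_design(dmz_policy=True):
    """Core .253 is the gateway; its default route points at the firewall's inside
    address on the transit VLAN, and the firewall routes 10.33.0.0/16 back."""
    host = Node("host-vlan1", {IP("10.33.1.10")},
                [(NET("10.33.1.0/24"), None), (NET("0.0.0.0/0"), IP("10.33.1.253"))])
    core = Node("core-switch", {IP("10.33.1.253"), IP("10.33.2.253"), IP("10.33.254.2")},
                [(NET("10.33.1.0/24"), None), (NET("10.33.2.0/24"), None),
                 (NET("10.33.254.0/24"), None),
                 (NET("0.0.0.0/0"), IP("10.33.254.1"))])    # ip route 0.0.0.0 0.0.0.0 10.33.254.1
    fw = Node("firewall", {IP("10.33.254.1"), IP("203.0.113.1")},
              [(NET("10.33.254.0/24"), None), (NET("203.0.113.0/24"), None),
               (NET("10.33.0.0/16"), IP("10.33.254.2")),   # route back in for internal
               (NET("0.0.0.0/0"), IP("192.0.2.1"))],
              deny=[(NET("203.0.113.0/24"), NET("10.33.0.0/16"))] if dmz_policy else [])
    dmz = Node("host-dmz", {IP("203.0.113.10")},
               [(NET("203.0.113.0/24"), None), (NET("0.0.0.0/0"), IP("203.0.113.1"))])
    return [host, core, fw, dmz], host, dmz


if __name__ == "__main__":
    nodes, host = paul_design()
    print("Paul, VLAN1 -> VLAN2 :", trace(nodes, host, "10.33.1.10", "10.33.2.20"))
    nodes, host, dmz = bob_design()
    print("Bob,  VLAN1 -> VLAN2 :", trace(nodes, host, "10.33.1.10", "10.33.2.20"))
    print("Bob,  VLAN1 -> Inet  :", trace(nodes, host, "10.33.1.10", "198.51.100.7"))
    print("Bob,  DMZ -> VLAN1   :", trace(nodes, dmz, "203.0.113.10", "10.33.1.10"))
```

Two things the traces make visible. In Paul's design, inter-VLAN traffic hairpins on VLAN 1 through the firewall before reaching the core. In Bob's design the core never sees DMZ traffic because it has no DMZ interface, but the firewall does have one, and with its route back to 10.33.0.0/16 it will happily forward DMZ hosts into the internal VLANs unless its policy says otherwise; run `bob_design(dmz_policy=False)` to watch the packet get delivered. The DMZ's isolation therefore rests on the firewall's DMZ-to-internal rules, not on the switch.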
07-20-2012 06:50 AM
Bob, Paul, thanks very much. I'll set this up in our lab environment and see how we go.
Cheers