VLAN routing and security

tommyv
Occasional Contributor

VLAN routing and security

Hi there,

I'm currently running an HP ProCurve environment with a few layer 3 ProCurves at the core and about 20 layer 2 switches connected to it. We have several VLANs in place for departments, and we have enabled IP routing on our core switch and assigned an IP to each to allow inter-VLAN routing between departments.

I wish to add a DMZ VLAN; however, I obviously do not wish this to be able to communicate with any other VLANs. If I don't assign an IP address to the DMZ VLAN on the core L3 switch, will this be enough to ensure that traffic doesn't cross from the DMZ VLAN to other VLANs and vice versa? Or will I also require ACLs to ensure security?

Many Thanks

Chrisd131313
Trusted Contributor

Re: VLAN routing and security

Hi Tommyv,

By not assigning an IP address to the DMZ VLAN on your core routers, this will segregate the traffic and not allow it to be routed to; in essence you are not applying L3 functionality to the DMZ VLAN. You would have to have an L3 router somewhere in your network to allow any traffic to get to the DMZ VLAN, but from your corporate LAN's point of view, it is unreachable.
paulgear
Esteemed Contributor

Re: VLAN routing and security

I agree with Chris.  I run 3 DMZs in different VLANs and am happy that with no IP, there's no leakage.  I bring my Internet uplink into the same switch (again without IP) in another VLAN.

I think a few precautions are worthwhile in both cases:

  • turn off web-management and telnet
  • filter STP BPDUs
  • disable unknown GVRP VLANs, IGMP, and LLDP
  • set a management VLAN and a warning banner

Some of these might not be applicable in your environment, and I'm sure I've missed some things, but that's a reasonable start.  See the ProCurve hardening guide (http://www.hp.com/rnd/pdfs/Hardening_ProCurve_Switches_White_Paper.pdf) or my wiki page (http://linuxman.wikispaces.com/HP+ProCurve+hardening+for+Internet) for more info.

Regards,
Paul
tommyv
Occasional Contributor

Re: VLAN routing and security

Thanks guys, exactly what I wanted to know.

If you don't mind, I have one more related query. Can we set a default gateway per VLAN on the switch? What I'm trying to accomplish is this: each client on a VLAN will use its L3 switch VLAN IP address as its default gateway to allow the inter-VLAN routing. Any traffic destined for outside of a routable VLAN should then be directed to our firewall. How would we configure this per VLAN, as we wouldn't necessarily want the same default gateway to be applied to our DMZ VLAN as to our internal VLANs?

Thanks again

paulgear
Esteemed Contributor

Re: VLAN routing and security

Any IP on the switch (other than the management VLAN's IP) can be used for routing.  Once the packet hits the switch's interface for routing, it will follow the switch's routing table.  So you wouldn't be able to use the switch as the default gateway for all VLANs unless they all have the same Internet uplink.

The simplest solution if you want to use different Internet gateways but maintain static routing is to use the firewall as the default gateway for each VLAN, and then give it a static route for a range of addresses that points to the switch. e.g. Assuming you have 255 VLANs all in the 10.33.0.0/16 range:

VLAN 1, firewall 10.33.1.254/24, switch 10.33.1.253/24
VLAN 2, firewall 10.33.2.254/24, switch 10.33.2.253/24
VLAN 3, firewall 10.33.3.254/24, switch 10.33.3.253/24
...

The default gateway for each VLAN would be its own firewall, and each firewall would need a route to 10.33.0.0/16 via the switch address on the same VLAN.  That would allow each VLAN to have its own Internet link, yet maintain connectivity with the other VLANs.

Of course, if you have that many VLANs, you probably don't want to use static routing, but that's a whole new discussion... ;-)

Regards,
Paul
BGraham_1
Frequent Advisor

Re: VLAN routing and security

or..

If you have the default gateway for the core be the firewall, any traffic that the router doesn't know how to route will be sent to the firewall.

Since the DMZ is only layer 2, it would not be affected.

You would also need to add routes on the firewall to route back in for the internal networks.

ip route 0.0.0.0 0.0.0.0 10.33.254.1 (firewall inside IP address)

Just another idea. :)

Bob
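
Both answers above rest on the same forwarding rule, so here is one runnable model of it (an added example, not code from the thread or from HPE): a longest-prefix lookup over connected routes and static routes, the way the core decides where a packet goes. It checks Chris's and Paul's point that a VLAN with no IP address on the core gets no connected route, so the core cannot deliver into it and internal-to-DMZ traffic follows Bob's default route to the firewall; that DMZ-to-internal traffic still routes if the firewall forwards it, so the firewall ruleset is the real control; that adding an IP for the DMZ VLAN on the core later silently bypasses the firewall; and that Paul's firewall-per-VLAN layout keeps inter-VLAN reachability through the switch. All addresses, VLAN numbers, the transit VLAN 254, the firewall's DMZ leg 10.33.10.1 and the uplink addresses are assumptions made for the example.

```python
"""Forwarding model for the designs in this thread (added example, not the thread's
or HPE's code). It does longest-prefix matching over connected routes, one per VLAN
that has an IP address on the box, plus static routes. Every address, VLAN id and
box name below is constructed for the example.
"""
from ipaddress import ip_address, ip_interface, ip_network


class Router:
    """A switch or firewall: VLAN IP interfaces plus static routes."""

    def __init__(self, name):
        self.name = name
        self.connected = {}   # network -> VLAN id, one per 'vlan N / ip address ...'
        self.interfaces = {}  # own IP -> VLAN id
        self.statics = []     # (network, next_hop), i.e. 'ip route <net> <mask> <nh>'

    def add_interface(self, vlan, cidr):
        iface = ip_interface(cidr)
        self.connected[iface.network] = vlan
        self.interfaces[iface.ip] = vlan
        return self

    def add_static(self, cidr, next_hop):
        self.statics.append((ip_network(cidr), ip_address(next_hop)))
        return self

    def lookup(self, dst):
        """Longest-prefix match; a connected route beats a static of equal length.
        Returns ('connected', vlan), ('via', next_hop, egress_vlan) or None."""
        dst, best = ip_address(dst), None
        for net, vlan in self.connected.items():
            if dst in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, ('connected', vlan))
        for net, nh in self.statics:
            if dst in net and (best is None or net.prefixlen > best[0]):
                egress = next((v for n, v in self.connected.items() if nh in n), None)
                best = (net.prefixlen, ('via', nh, egress))
        return best[1] if best else None


def trace(routers, first_hop, dst, max_hops=8):
    """Follow a packet from a host's default gateway. The last entry is
    (box, ('connected', vlan)) when delivered, (box, None) when dropped,
    or ('outside', next_hop) when handed to a box the model does not contain."""
    by_ip = {ip: r for r in routers for ip in r.interfaces}
    cur, path = by_ip[ip_address(first_hop)], []
    for _ in range(max_hops):
        dec = cur.lookup(dst)
        path.append((cur.name, dec))
        if dec is None or dec[0] == 'connected':
            return path
        if dec[1] not in by_ip:
            path.append(('outside', dec[1]))
            return path
        cur = by_ip[dec[1]]
    path.append(('loop', None))
    return path


def bob_design(dmz_ip_on_core=False):
    """Core routes the internal VLANs and has Bob's default route to the firewall.
    VLAN 10 is the DMZ: L2 only on the core, the firewall is its only router.
    dmz_ip_on_core=True shows what happens if someone later adds an IP for it."""
    core = (Router('core')
            .add_interface(1, '10.33.1.253/24')
            .add_interface(2, '10.33.2.253/24')
            .add_interface(254, '10.33.254.253/24')     # transit VLAN to the firewall (assumed)
            .add_static('0.0.0.0/0', '10.33.254.1'))    # ip route 0.0.0.0 0.0.0.0 10.33.254.1
    if dmz_ip_on_core:
        core.add_interface(10, '10.33.10.253/24')
    fw = (Router('firewall')
          .add_interface(254, '10.33.254.1/24')
          .add_interface(10, '10.33.10.1/24')           # DMZ leg (assumed)
          .add_static('10.33.0.0/16', '10.33.254.253')  # route back in for internal VLANs
          .add_static('0.0.0.0/0', '192.0.2.1'))        # Internet uplink (constructed)
    return core, fw


def paul_design():
    """One firewall per VLAN as that VLAN's default gateway, each with a static
    10.33.0.0/16 via the switch's address on the same VLAN."""
    switch, fws = Router('switch'), []
    for v in (1, 2, 3):
        switch.add_interface(v, f'10.33.{v}.253/24')
        fws.append(Router(f'fw{v}')
                   .add_interface(v, f'10.33.{v}.254/24')
                   .add_static('10.33.0.0/16', f'10.33.{v}.253')
                   .add_static('0.0.0.0/0', f'198.51.100.{v}'))  # that VLAN's own uplink
    return switch, fws


if __name__ == '__main__':
    core, fw = bob_design()
    print(core.lookup('10.33.10.5'))                        # via the firewall, never connected
    print(trace([core, fw], '10.33.10.1', '10.33.2.7'))     # DMZ -> internal still routes via fw
    print(bob_design(True)[0].lookup('10.33.10.5'))         # IP on core: firewall bypassed
    switch, fws = paul_design()
    print(trace([switch, *fws], '10.33.2.254', '10.33.3.9'))  # fw2 -> switch -> VLAN 3
```

Run it directly to print the decisions. The point to take away is that leaving the DMZ VLAN without an IP only removes the core as a router for that VLAN; whatever router remains (here the firewall, as Chris says) is where the access policy has to live, and any later `ip address` on that VLAN at the core reopens a path around it.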


tommyv
Occasional Contributor

Re: VLAN routing and security

Bob, Paul, thanks very much.  I'll set this up in our lab environment and see how we go.

Cheers