HPE Community
LAN Routing
1820477 Members
2934 Online
109624 Solutions
New Discussion

creating a DMZ Vlan on an E3800

 
AlfaNut1750
Occasional Visitor

‎07-27-2012 08:50 AM - edited ‎07-27-2012 08:56 AM

‎07-27-2012 08:50 AM - edited ‎07-27-2012 08:56 AM

creating a DMZ Vlan on an E3800

Hello All,

 

I was hoping that some clever person out there may be able to answer my question.

 

I have configure a few Vlan on setup simple routing to an ASA5510 for Internet access.  IP routing is enabled and all is working fine.

 

I now want to config a DMZ VLAN so that all traffic on the DMZ VLAN stays on that VLAN and that no routing to the other networks occur.  Could someone please let me know how to do this.

 

Just for some background network are as follows

 

vlan 1020 ip 10.2.x.x /16 switch address 10.2.0.1
Vlan 1030 ip 10.3.0.x /24 switch address 10.3.0.1
Vlan 1031 ip 10.3.1.x /24 switch address 10.3.1.1
Vlan 1032 ip 10.3.2.x /24 switch address 10.3.2.1
Vlan 1033 ip 10.3.3.x /24 switch address 10.3.3.1
Vlan 1034 ip 10.3.4.x /24 switch address 10.3.4.1
Vlan 1035 ip 10.3.5.x /24 switch address 10.3.5.1
Vlan 1036 ip 10.3.6.x /24 switch address 10.3.6.1
Vlan 1037 ip 10.3.6.x /24 switch address 10.3.7.1
Vlan 1726 ip 172.16.0.x /24 switch address 172.16.0.1

 

Gw 10.2.0.254 Lan inside (VLAN 1020)

gw 172.16.0.254 DMZ (VLAN1726)

 

 

Many Thanks.

Chris

0 Kudos
3 REPLIES 3
paulgear
Esteemed Contributor

‎07-27-2012 07:13 PM

‎07-27-2012 07:13 PM

Re: creating a DMZ Vlan on an E3800

Hi Chris,

A little more information would be helpful; e.g. what addresses are on the ASA, actual config on the switch.

As a general rule, setting up a DMZ VLAN which is only reachable from your firewall means that you should simply remove any IP addresses from the switch on that VLAN. This means that all routing on the VLAN goes through the firewall instead of the switch.

If you want something more advanced than that, you will need to look into ACLs also - there is good info on this in the manuals.

Regards,
Paul
Regards,
Paul
0 Kudos
AlfaNut1750
Occasional Visitor

‎07-28-2012 01:45 AM

‎07-28-2012 01:45 AM

Re: creating a DMZ Vlan on an E3800

Sorry I didn't make it clear the gw address are the ASA details

 

ie

 

Inside 10.2.0.254

DMZ 172.16.0.254

 

So I guess if I remove the ip address associated with ie vlan 1726 which I gave it 172.16.0.1 and then just leave all devices with the gateway of 172.16.0.254

 

That does make sense. 

 

Thanks

Chris

 

0 Kudos
paulgear
Esteemed Contributor

‎07-28-2012 03:55 AM

‎07-28-2012 03:55 AM

Re: creating a DMZ Vlan on an E3800

That's definitely something you want to do if you want to isolate DMZ traffic from internal traffic (which is the whole point :-).

You may want to take some extra hardening steps as well, since much of the traffic in the DMZ will be "untrusted". Search this forum or Google for "procurve hardening" for some tips on this.
Regards,
Paul
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.