Switches, Hubs, and Modems
тАО07-11-2007 03:36 AM
Does this network setup look correct? (vlanning)
For simplicity, say I have 1 blade enclosure with GBE2 switches; in this enclosure are 8 blades:
2 of these blades are management servers
2 of these blades are for a client team 1
2 of these blades are for a client team 2
1 of these blades is for client team 3
1 of these blades is for client team 4
Client teams 1 and 2, for security, want to be virtually isolated; they need to communicate with the management servers and the internet but be invisible to other servers.
Client teams 3 + 4 have low security requirements; they need to communicate with the management servers and can communicate with each other.
This is my solution (I am very new to VLANning, so hopefully this all makes sense):
On the GBE2, the management servers will be in VLAN 2
CLIENT TEAM 1 will be VLAN 4
CLIENT TEAM 2 will be VLAN 5
CLIENT TEAM 3 + 4 will be in VLAN 3
VLAN tagging will be enabled on all uplink and crosslink ports.
The GBE2 switches feed into a Linksys managed switch (I know, it's Linksys :( but they have been great budget switches).
On the Linksys switch, I will enable VLAN trunking on all the ports that connect to the GBE2 switch. This Linksys switch feeds to another Linksys switch. This second Linksys switch will also have VLAN trunking enabled on the ports that are trunking from the previous Linksys switch.
Now from here, the Linksys will have ports assigned to the specific VLANs.
These ports will connect to ports on a Cisco switch that has private VLANs enabled.
The management VLAN (2) will plug into a promiscuous port (the firewall (also the gateway) will also be connected to a promiscuous port).
The client team 3 + 4 VLAN (3) will plug into a community port.
The client team 1 + 2 VLANs (4 + 5) will each have an isolated port on the switch.
Now, with private VLANing, promiscuous ports can communicate with isolated and community ports;
community ports can communicate with promiscuous ports and other community ports;
isolated ports can communicate with promiscuous ports but not with other isolated ports or community ports.
Hopefully I am on the right path. The Cisco switch is a layer 3 switch, so it can do VLAN routing, but because everyone is on the same subnet it would be impossible to do so; that's why I went with the private VLANing, and used standard VLANing to segment the traffic until it hits the Cisco private VLAN.
thanks!
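A reachability check for the private-VLAN design described in the post above, written as an added example (it is not code from the original post, HPE or Cisco): it encodes the promiscuous/community/isolated forwarding rules the post states and verifies the isolation requirements against the proposed port assignment. Port labels and the requirement list are constructed from the post's description.

```python
"""Reachability check for the private-VLAN design in the post (added example).

Models Cisco-style private VLAN port semantics and checks the OP's stated
isolation requirements against them. Port names are constructed labels.
"""
from itertools import combinations

# (port type, secondary VLAN) per upstream VLAN as wired into the Cisco switch.
PORTS = {
    "mgmt (VLAN 2)":    ("promiscuous", None),
    "firewall/gateway": ("promiscuous", None),
    "team3+4 (VLAN 3)": ("community", 3),     # teams 3 and 4 share VLAN 3
    "team1 (VLAN 4)":   ("isolated", None),
    "team2 (VLAN 5)":   ("isolated", None),
}

# Requirements from the post: (port A, port B, may they exchange frames?).
REQUIREMENTS = [
    ("team1 (VLAN 4)", "mgmt (VLAN 2)", True),
    ("team1 (VLAN 4)", "firewall/gateway", True),
    ("team2 (VLAN 5)", "mgmt (VLAN 2)", True),
    ("team1 (VLAN 4)", "team2 (VLAN 5)", False),
    ("team1 (VLAN 4)", "team3+4 (VLAN 3)", False),
    ("team2 (VLAN 5)", "team3+4 (VLAN 3)", False),
    ("team3+4 (VLAN 3)", "mgmt (VLAN 2)", True),
]


def pvlan_can_talk(a, b):
    """PVLAN forwarding rule between two (type, secondary) port tuples:
    promiscuous talks to everything; community talks to promiscuous and to
    its own community; isolated talks to promiscuous only."""
    (ta, sa), (tb, sb) = a, b
    if "promiscuous" in (ta, tb):
        return True
    if ta == tb == "community":
        return sa == sb
    return False  # isolated<->isolated, isolated<->community, other communities


def reachability(ports=PORTS):
    """Every unordered port pair with the PVLAN verdict for it."""
    return {(x, y): pvlan_can_talk(ports[x], ports[y])
            for x, y in combinations(ports, 2)}


def check_design(ports=PORTS, requirements=REQUIREMENTS):
    """Return the requirements the PVLAN port assignment fails to satisfy."""
    return [(x, y, want) for x, y, want in requirements
            if pvlan_can_talk(ports[x], ports[y]) != want]


if __name__ == "__main__":
    for (x, y), ok in reachability().items():
        print(f"{x:18} <-> {y:18} {'allowed' if ok else 'blocked'}")
    print("violations:", check_design() or "none")
```

The check covers only layer-2 forwarding on the Cisco PVLAN switch; it says nothing about what the Linksys switches forward among ports of the same VLAN, or about anything the firewall routes back in.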
3 REPLIES
тАО07-11-2007 04:25 PM
Re: Does this network setup look correct? (vlanning)
Since you have a Cisco L3 switch (capable of routing and access control), I would feed the GBE2 switches (and implicitly their associated VLANs) directly into the Cisco device, bypassing the Linksys switches. It is possible to transfer VLAN frames formed by the GBE2s to the Cisco, and have the Cisco do routing and Access Control List security - which is just what you need for the specs you mentioned (keeping some subnets from talking to other subnets, permitting some servers to respond to client requests whilst cutting other traffic not allowed by your security requirements, etc.).
For you to have a clear picture of how to configure your L2 and L3 devices, you should put on paper two kinds of requirements, in this order of importance:
1) functional requirements (what applications the clients need, from LAN or Internet; what services some servers need from other servers; system availability for servers, power supply included; etc.)
2) information security requirements (what clients are NOT allowed to do, what server-to-server communications must NOT take place, etc.)
Advice: don't put information security requirements before functional requirements. The most secure computer is one that is shut down, decoupled from power supplies and communication - but of course this is a completely non-functional system.
тАО07-12-2007 01:40 AM
Re: Does this network setup look correct? (vlanning)
Hi Dan,
Thanks for your post. I looked into the ACLs, and that's something I will look into implementing in the future, but because of our time frame and existing infrastructure I am looking for something with minimal configuration and infrastructure changes. I guess my question should have been more along the lines of: is what I am thinking possible?
Thanks,
Rich
тАО07-13-2007 12:09 AM
Re: Does this network setup look correct? (vlanning)
I agree with the previous reply about listing functional requirements first. I would add future possibilities (expansion, relocation) to that list also. Splitting the same layer 3 network into separate layer 2 networks is generally the opposite of what you want to do. In my own IT work I have frequently come across situations where unplanned-for relocation of business functions (facility change), or even complete sales of functions to separate companies, has come up completely unexpectedly to whoever specified the IT requirements. If that happens, life is much easier if the two disparate networks don't share the same layer 3 structure. If the separate groups really have no relation to each other, then I would put them into separate subnets as a minimum. It is much easier to comprehend the logical structure that way. The VLAN setups you mentioned could all remain the same. I also agree with bypassing the intermediate switches if physically possible; physical complexity is the enemy of stability.
© Copyright 2024 Hewlett Packard Enterprise Development LP