
Small collapsed network design advice


e40956

MIS
Jun 16, 2009
2
US
I am trying to design a small collapsed network. Here are the parameters:

1) There is no existing equipment.
2) Everything must be Cisco.
3) IBM Blade Chassis will be made up of VMware ESX hosts.
4) ESX hosts will contain virtual machines with External DMZ servers AND Internal servers.
5) Should use as little equipment as possible.
6) Must be secure.
7) Support 20 internal users and 5 VPN users.
8) External DMZ must support hosting for email proxy server and website (small number of connections).

As you may have noticed, the DMZ is not separated at the firewall. I personally believe that at this point in time current technology makes this feasible as long as the proper security controls are implemented between the External DMZ VLAN and the rest of the network (IPS, ACL, VLAN-hopping mitigation, etc.).

Is there a more efficient way than the one shown in the following diagram?

Code:
Internet
|
Firewall/Router (ASA)
|
Internal Router (VLAN Routing)
|
48 Port Switch----------------|
|                             |
PCs/IP Phones         IBM Blade Chassis

Thanks
 
That's pretty efficient. You could make that 'internal router' a layer 3 switch so that you only have the ASA and a layer 3 switch for VLAN routing.
 
Thanks for the quick response!!

Follow up questions:

The Layer 3 switch would perform the internal routing, not the ASA correct?

What type of feature set would be needed on the Layer 3 switch to securely segment the DMZ from the rest of the network?
 
Yes, a layer 3 switch is a router, so you would have it do the internal routing since it would be the fastest option.

For the DMZ you could use the ASA as the filter or the switch. The switch would have better performance, but you would only be able to do packet filtering and not packet inspection if that is required.
 
On the layer 3 switch you can create VLANs to segment the DMZ with access-lists and routing to prevent access. You can also do QoS on the PC and phone side.
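The layer 3 switch design the replies above converge on, worked out as an added example configuration that is not from the thread: Cisco IOS for a Catalyst 3560/3750-class switch (assumed model) that carries the user, voice, internal-server and DMZ VLANs and does the inter-VLAN routing, with the DMZ access-list the last two replies describe and the VLAN-hopping mitigations the original post lists. VLAN ids, names, addresses and interface numbers are assumptions.

```cisco
! Added example, not from the original thread. Catalyst 3560/3750-class
! L3 switch replacing the separate "Internal Router" and "48 Port Switch".
! VLAN ids, names, addresses and interface numbers are assumptions.
ip routing
!
vlan 10
 name USERS
vlan 20
 name VOICE
vlan 30
 name SERVERS-INTERNAL
vlan 40
 name DMZ-EXTERNAL
vlan 999
 name NATIVE-PARKING
!
! Routed uplink to the ASA inside interface; 192.168.1.1 is the ASA.
interface GigabitEthernet0/1
 description uplink to ASA inside
 no switchport
 ip address 192.168.1.2 255.255.255.252
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
! DMZ filter, applied inbound on the DMZ SVI, i.e. to packets the DMZ VMs
! send. They may answer TCP sessions opened from the inside, reach the
! Internet through the ASA, and nothing else. Anything not sourced from
! the DMZ subnet is spoofed and logged.
ip access-list extended DMZ-IN
 permit tcp 192.168.40.0 0.0.0.255 192.168.0.0 0.0.255.255 established
 deny   ip  192.168.40.0 0.0.0.255 192.168.0.0 0.0.255.255 log
 permit ip  192.168.40.0 0.0.0.255 any
 deny   ip  any any log
!
interface Vlan40
 description DMZ VMs on the blade chassis
 ip address 192.168.40.1 255.255.255.0
 ip access-group DMZ-IN in
 no ip redirects
 no ip proxy-arp
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
interface Vlan30
 ip address 192.168.30.1 255.255.255.0
!
! Trunk to the blade chassis switch module: only the server VLANs are
! tagged, the native VLAN is an unused one and DTP is off, so a VM cannot
! double-tag or negotiate its way onto another VLAN.
interface GigabitEthernet0/2
 description trunk to IBM blade chassis switch module
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 30,40
 switchport mode trunk
 switchport nonegotiate
!
! PC and phone ports: fixed access mode, no DTP, BPDU guard.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Unused ports parked in the dead VLAN and shut down.
interface range FastEthernet0/25 - 48
 switchport mode access
 switchport access vlan 999
 shutdown
```

The `established` line is what a stateless switch ACL needs so that connections internal users open toward DMZ hosts get their TCP replies back; it does nothing for UDP, which is the packet-filtering-versus-inspection limitation the reply above points out. `show ip access-lists DMZ-IN` shows the hit counters on the logged deny lines, which is where DMZ-to-internal attempts would show up.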
 
In your drawing you have a L3 switch/router and a 48-port switch listed. I don't know what kind of switch module you'll be putting into your blade, but what you could do is hang the 48-port switch off of the ASA to create a real, physically segmented DMZ. Within your VMware configuration create a vSwitch and designate one or more physical interfaces to be used in the port group solely for servers in your DMZ. Plug those physical ports into your DMZ switch and voilà, you have the real, physical segmentation that you desire. You can do it with VLANs if you want, but IMHO the more physical segmentation you have between your DMZ and your internal network the better.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
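The physically separated DMZ from the post above, carried through as an added example configuration that is not from the thread: an ASA 5510-class firewall (assumed platform) in the pre-8.3 NAT syntax current when the thread was written, with a third interface for the dedicated DMZ switch. Interface names, addresses, the 203.0.113.0/29 public block, the two published hosts and the internal mail server at 192.168.30.25 are assumptions; the internal VLANs stay behind the L3 switch at 192.168.1.2.

```cisco
! Added example, not from the original thread. ASA 5510-class firewall
! (assumed) with a dedicated physical DMZ interface, ASA 8.2-style NAT.
! Interface names, addresses and the 203.0.113.0/29 public block are assumptions.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface Ethernet0/1
 description to L3 switch (internal VLANs 10/20/30 live behind it)
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.252
!
interface Ethernet0/2
 description to the dedicated DMZ switch (DMZ vSwitch uplinks from the blades)
 nameif dmz
 security-level 50
 ip address 192.168.40.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1
route inside 192.168.10.0 255.255.255.0 192.168.1.2
route inside 192.168.20.0 255.255.255.0 192.168.1.2
route inside 192.168.30.0 255.255.255.0 192.168.1.2
!
! Published DMZ hosts: mail proxy and web server, one public address each.
static (dmz,outside) 203.0.113.3 192.168.40.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.4 192.168.40.11 netmask 255.255.255.255
! Everyone else hides behind the outside interface address. With the default
! (nat-control disabled) dmz-to-inside traffic passes untranslated.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
!
! Internet may reach only the published services; everything else is logged.
access-list OUTSIDE-IN extended permit tcp any host 203.0.113.3 eq smtp
access-list OUTSIDE-IN extended permit tcp any host 203.0.113.4 eq www
access-list OUTSIDE-IN extended permit tcp any host 203.0.113.4 eq https
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! Without an ACL, security-level 50 -> 100 is already blocked, but an explicit
! list documents the one permitted path (mail proxy relaying to the internal
! mail server, assumed at 192.168.30.25) and logs every other attempt.
! Once an ACL is bound, the implicit permit toward lower-security interfaces
! (dmz to outside) no longer applies, so the Internet-bound permit has to be
! spelled out too. Return traffic for sessions opened from the inside is
! handled by the ASA's state table, not by this list.
access-list DMZ-IN extended permit tcp host 192.168.40.10 host 192.168.30.25 eq smtp
access-list DMZ-IN extended deny ip 192.168.40.0 255.255.255.0 192.168.0.0 255.255.0.0 log
access-list DMZ-IN extended permit ip 192.168.40.0 255.255.255.0 any
access-group DMZ-IN in interface dmz
!
! Drop packets arriving on the DMZ interface with a source address that would
! not route back out of it (anti-spoofing).
ip verify reverse-path interface dmz
```

Compared with the VLAN-only design, the DMZ hosts never share a switch fabric or a trunk with internal VLANs, so a VLAN-hopping or switch misconfiguration cannot bridge them, and the ASA inspects every DMZ-to-inside packet statefully rather than the L3 switch filtering it statelessly. The cost is one more ASA interface and a second switch, which works against the "as little equipment as possible" requirement in the original post.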
 