After doing some research last night, I think I have the answers to the questions I posted yesterday.

> 1. Do I really need a separate Juniper EX3300-24T switch for the DMZ zone? Can I just use the DMZ VLAN on the core switch? The goal is to have virtual servers running in the DMZ and maybe up to 4 physical servers.
> 2. How will the LAN network talk to VLAN 10, 20, and 30 on the core switch? I understand how the LAN network will talk to VLAN 1 on the core switch because of the direct 10G connection to the VLAN 1 port.
> 3. How will VLAN 1, 10, 20, and 30 talk to each other on the core switch (Quanta LB6M)?
> Also I am still fuzzy on how pfsense will do the DMZ traffic routing and filtering.
> Thanks for all the comments so far...
hi there,

> After doing some research last night, I think I have the answers to the questions I posted yesterday.
> 1. If I use a Layer 3 switch for the DMZ zone, I can now do all my inter-VLAN routing using the Layer 3 switch. The pfsense router will be used to filter traffic (firewall rules) between the DMZ and the internal network zone and to route traffic to the internet.
> 2. Because the core switch is a Layer 2 switch, inter-VLAN communication must be done by a Layer 3 switch or a router.
> 3. The Layer 2 switch (core) and the Layer 3 switch (edge/access) will communicate with each other over a trunk port. I need to create the same VLANs that are created on the Layer 2 core switch on the Layer 3 switch as well.
> Here is an updated layout. Please provide feedback and comments on how to improve or simplify the design.
i'm not sure why you would want to share your SAN in your DMZ. maybe i'm not getting the full picture in my head but hey.. it's 8 here and i still haven't drunk a full cup of black liquid gold so..

> I am trying to share my hypervisor and SAN server infrastructure in the DMZ and internal LAN zone.. I only have 1 hypervisor and SAN server. Any suggestions on how to do that while still maintaining a high degree of security between the 2 zones?
After reading your post in more detail, I agree with your comments about not sharing the SAN in the DMZ zone. With that being said, I only have 1 hypervisor server. To create VMs in the DMZ zone, will I need a dedicated 10G NIC connected to the DMZ switch as well? If that is true, then the hypervisor server will be connected directly to the core switch (LB6M) and the DMZ switch. Is there some risk in doing that?

> i'm not sure why you would want to share your SAN in your DMZ. maybe i'm not getting the full picture in my head but hey.. it's 8 here and i still haven't drunk a full cup of black liquid gold so..
i have a similar setup here, i have a couple of hosts (vmware) that have a dedicated network card connected to my DMZ switches. Resources (VMs) running on the hypervisor are running on the SAN itself but their network payload connection is residing in the DMZ. If what you want is to share files between different resources in your DMZ, i will suggest you create a small vm with a large enough virtual disk to share stuff in your DMZ. that way you have maximum isolation between your internal and dmz network.
my rule of thumb is that i like to have my DMZ both physically and logically isolated from everything else. dedicated network adapter, dedicated switch. let's just say that i had a bad experience. we had vendor equipment literally bridge the management nic and the payload nic (one in DMZ, one in mgmt network). didn't take long for that box to be compromised as it was also using very weak passwords (hardcoded dev passwords). that appliance is now a $50,000 coffee heater..
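The design in the thread (L3 switch routes the internal VLANs, pfSense is the only thing that forwards between DMZ and LAN, the hypervisor has a dedicated DMZ NIC) and the "bridged appliance" story above both come down to one property: no device other than the firewall may forward between a DMZ segment and an internal segment. The following is an added example, not code from the thread or any of its participants. It models the layout as a small graph and searches for DMZ-to-LAN paths that avoid the firewall. Device names (pfsense, ex3300, lb6m, r630, appliance), the VLAN names and the two "mistake" scenarios are assumptions for illustration.

```python
# Added example (not from the thread): a small model of the layout discussed
# above, used to check the property the DMZ design depends on: every path from
# the DMZ to the internal LAN must pass through pfSense. Device names, VLAN
# names and the "appliance" scenario are assumptions for illustration.
from dataclasses import dataclass, field


@dataclass
class Device:
    name: str
    # Each inner set is a group of segments (VLANs) between which this device
    # forwards traffic: an L3 switch routes between the VLANs it has an SVI on,
    # a bridged appliance forwards between the two VLANs it is plugged into.
    # A host with two NICs that does not bridge them forwards nothing.
    forwards: list = field(default_factory=list)
    is_firewall: bool = False


def bypass_paths(devices, src="DMZ", dst="LAN"):
    """Return every loop-free path from src to dst that avoids all firewalls.

    A path is a list of "device->segment" hops. An empty result means the
    firewall is the only way between the two segments.
    """
    paths = []

    def walk(seg, visited, trail):
        if seg == dst:
            paths.append(list(trail))
            return
        for dev in devices:
            if dev.is_firewall:
                continue  # crossing the firewall is the one path we allow
            for group in dev.forwards:
                if seg not in group:
                    continue
                for nxt in sorted(group):  # sorted for deterministic output
                    if nxt in visited:
                        continue
                    trail.append(f"{dev.name}->{nxt}")
                    walk(nxt, visited | {nxt}, trail)
                    trail.pop()

    walk(src, {src}, [])
    return sorted(paths, key=lambda p: (len(p), p))


def proposed_layout():
    """The design from the thread as modelled here (assumed VLAN names)."""
    return [
        Device("pfsense", [{"LAN", "DMZ", "WAN"}], is_firewall=True),
        # EX3300 routes only between the internal VLANs; the DMZ VLAN is
        # trunked to it but deliberately has no L3 interface.
        Device("ex3300", [{"LAN", "VLAN10", "VLAN20", "VLAN30"}]),
        # LB6M is L2 only: it bridges within a VLAN, never between VLANs.
        Device("lb6m", []),
        # Hypervisor: mgmt and VM payload NICs in LAN VLANs, one dedicated NIC
        # in the DMZ, and no bridging between them on the host.
        Device("r630", []),
    ]


def with_dmz_svi():
    """Mistake 1: an L3 interface for the DMZ VLAN gets added on the EX3300."""
    devs = proposed_layout()
    devs[1] = Device("ex3300", [{"LAN", "VLAN10", "VLAN20", "VLAN30", "DMZ"}])
    return devs


def with_bridged_appliance():
    """Mistake 2: a dual-homed box bridges its DMZ NIC and its mgmt NIC."""
    return proposed_layout() + [Device("appliance", [{"DMZ", "LAN"}])]


def is_isolated(devices):
    """True when pfSense is the only device that can carry DMZ traffic to LAN."""
    return not bypass_paths(devices)


if __name__ == "__main__":
    for label, devs in [("proposed", proposed_layout()),
                        ("dmz svi on ex3300", with_dmz_svi()),
                        ("bridged appliance", with_bridged_appliance())]:
        found = bypass_paths(devs)
        print(f"{label}: {'OK' if not found else 'BYPASS via ' + str(found[0])}")
```

The two failing scenarios are the ones a practitioner should actually watch for: the moment the L3 switch gets an SVI on the DMZ VLAN, DMZ hosts can reach the internal VLANs without ever touching a pfSense rule, and a dual-homed box that bridges its NICs does the same at layer 2. The hypervisor with separate NICs is safe in this model only because nothing on the host forwards between them, which is exactly the assumption the later "Explo-Xen" post calls out.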
sure, let me see what i can do with my mad mspaint skillz

> After reading your post in more detail, I agree with your comments about not sharing the SAN in the DMZ zone. With that being said, I only have 1 hypervisor server. To create VMs in the DMZ zone, will I need a dedicated 10G NIC connected to the DMZ switch as well? If that is true, then the hypervisor server will be connected directly to the core switch (LB6M) and the DMZ switch. Is there some risk in doing that?
> Is it possible for you to post a high level drawing?
> Thanks for the feedback.
Yes. Routing between the DMZ and internal LAN will be done by Pfsense.

> sure, let me see what i can do with my mad mspaint skillz
> in the meantime, i'm assuming the routing between your dmz and internal LAN is done by your watchguard/pfsense right?
> then you will at best route 700-800 mbits/sec between internal and DMZ so IMHO, no need for a 10gig connection here, so i don't believe you need to have your hypervisor connected at 10gig in the DMZ. i would take 1 of your mgmt 1gig connections (i don't see the need for the 2 gig if they are connected to the same switch, unless you want cable redundancy?) and connect that 1gig to the DMZ switch, and in turn connect the DMZ switch directly to the watchguard.
> hope this helps,
well, mspaint may not be appropriate for network diagrams but that is all i have atm..

> Yes. Routing between the DMZ and internal LAN will be done by Pfsense.
sorry i forgot to put it on the diagram,

> MathieuP... Thank you so much for being patient with me.
> Just curious about the 1gig connections to the 3300 (Lan). Here are my assumptions as they relate to the Dell R630 Hypervisor server:
> 1x iDRAC to 3300 (Lan) for Dell Server management
> 1x 1gig to 3300 (Lan) for Hypervisor Management
> From your post, it looks like you have 1 more 1gig connection to the 3300 (Lan) switch. Please confirm.
Got it.. Thanks.... That clears up the Hypervisor connection to the 3300 (Lan)..

> sorry i forgot to put it on the diagram,
> technically behind your R630 you should have 1x idrac (left most), 2x 1gb and 2x sfp+ (10gig)
> so the idrac should be wired to your lan switch, 1 of the 2 gig connections wired to the lan switch (for hypervisor management) and the other one to the DMZ. then you would have your 2 10gig wired to the LB6M carrying all your VM payload.
here is a diagram of my home network, networking wise. i have simplified the server connection but they are 4x HP DL380 G6 with 4 gig nics in each + 1gig for IPMI (iLO) at each site.

> Got it.. Thanks....
Thank you so much.. I will post an updated drawing later tonight.

> sure, if you have 4 10gig, then 2 10gig to LAN, and 2 10gig to DMZ. or 3x 10gig to LAN and 1 10gig to dmz.
> at this point the connection to the DMZ doesn't really matter as you only have less than 1gbps to the "outside" world.
yes it will happen for sure. bugs will be bugs. hackers will be hackers.

> "the risk of having your lan compromised because you bridge your hypervisor between your dmz and your lan is low"
> it happens... Explo-Xen! Bunker buster bug breaks out guests from hypervisor