04-18-2016 05:12 PM - edited 03-08-2019 05:24 AM
Looking to deploy a new network infrastructure at my job as the old infrastructure is a mess. We have 2 Cisco firewalls, one for the primary internet connection on 10.10.0.1 and one for our secondary internet connection on 10.10.0.2. We then have an internal router that routes between our 10.10.0.X network for all of the admin devices and an existing 192.9.150.X (I did not pick the IP addresses). We also have a DMZ coming from the main internet on the 192.168.200.X subnet.
Currently the 10.10.0.X and the 192.9.150.X reside on the same VLAN. I plan on separating them into 2 different VLANs. The DMZ has its own VLAN, and there is also a separate VLAN for iSCSI traffic. The core switch that I'm replacing is an old Catalyst 2950, which was layer 2, with the Cisco SG500-52, which is layer 3. I want/need to have communication between the 10.10.0.x and the 192.9.150.X networks but do not want the DMZ or iSCSI networks to be able to communicate. Will I be able to remove the internal router and do all the routing inside the switch? I will have other switches connected via a fiber LAG trunk providing a 20G pipe to each of the other switches.
| VLAN | Default Gateway | Switch IP | Subnet | Communication |
|---|---|---|---|---|
| Vlan 10 | 10.10.0.1 | 10.10.0.254 | 255.255.0.0 | Need to communicate to Vlan 192 |
| Vlan 192 | 192.9.150.1 | 10.10.0.254 | 255.255.255.0 | Need to communicate with Vlan 10 |
| Vlan 200 (DMZ) | 192.168.200.1 | 10.10.0.254 | 255.255.255.0 | No Communication outside Vlan |
| Vlan 2 (iSCSI traffic) | 192.168.10.1 | 10.10.0.254 | 255.255.255.0 | No Communication outside Vlan |
Is this possible without the use of a router between Vlan 10 and Vlan 192? The need to have all VLANs on all switches is because I will be deploying some VMs using ESXi and plan on creating trunks to the appliance so I can place a VM on the DMZ if needed.
04-19-2016 02:51 AM
Do the DMZ and iSCSI Vlans need to access the internet or anything at all off their own subnets?
If not, don't give them a default gateway and you will restrict them to communicating only within their own subnet.
Another way is to use an Access Control List which the SG500's do support.
The SG500 could be the default gateway for all the VLANs, yes; you could then have a default route towards the upstream router/firewall device.
Thanks
04-19-2016 03:18 PM
The DMZ needs to have an internet connection as we are required by our parent company to place all outside servers in the DMZ zone. The iSCSI just needs to be isolated.
So Vlan 10 & 192 need to communicate with each other and both get internet from 10.10.0.1.
Vlan 200 needs to be isolated and have internet access from 192.168.200.1.
Vlan 2: no internet and isolated traffic.
The main part is Vlan 10 and Vlan 192. I'd rather not use a router that will bottleneck the traffic between the 2 networks, as I will have a 20G connection between switches and on one I will have a file server with a 10G connection to the network on the 192 VLAN. I don't want to filter that through a 1G connection on the router.
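The reply above suggests an ACL on the SG500, and the post above spells out the exact policy: VLAN 10 and VLAN 192 reach each other and the internet, the DMZ reaches only the internet, and iSCSI stays on its own subnet. The following is an added example (not SG500 configuration and not code from anyone in this thread) that models that policy as per-VLAN ingress ACLs and evaluates them the way a Cisco-style ACL does: wildcard masks where a 1 bit means "don't care", first match wins, implicit deny at the end. The subnet names, the choice of 192.168.10.0/24 for the iSCSI VLAN (inferred from the 192.168.10.1 gateway in the table) and the sample addresses are assumptions.

```python
"""Model of the inter-VLAN policy from the thread, evaluated as first-match
ACLs with Cisco wildcard masks.  Added example; all names are assumptions."""
import ipaddress

# Subnets from the thread.  The iSCSI block is inferred from its gateway
# address 192.168.10.1; the others are stated directly in the posts.
SUBNETS = {
    "vlan10": ipaddress.ip_network("10.10.0.0/16"),
    "vlan192": ipaddress.ip_network("192.9.150.0/24"),
    "vlan200_dmz": ipaddress.ip_network("192.168.200.0/24"),
    "vlan2_iscsi": ipaddress.ip_network("192.168.10.0/24"),
}
# IOS-style "any": base 0.0.0.0 with every bit wildcarded.
ANY = ("0.0.0.0", "255.255.255.255")


def wildcard(net):
    """(base, wildcard-mask) pair an IOS-style ACE uses for a CIDR block.
    The wildcard is the inverse of the subnet mask: 1 bits are don't-care."""
    return str(net.network_address), str(net.hostmask)


def matches(addr, base_wc):
    """True if addr falls inside the (base, wildcard) pattern."""
    base, wc = base_wc
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wc))
    care = ~w & 0xFFFFFFFF           # bits that must match exactly
    return (a & care) == (b & care)


def _internal_blocks_except(name):
    return [wildcard(net) for n, net in SUBNETS.items() if n != name]


# Ingress ACL per source VLAN as (action, src, dst) entries.  Order matters:
# the explicit denies must precede the permit-any, otherwise permit-any would
# match first and the denies would never fire.  Unmatched traffic hits the
# implicit deny at the end, as on a real Cisco ACL.
ACLS = {
    # Admin/legacy VLANs: no path into DMZ or iSCSI, everything else permitted
    # (each other, and the internet via the 10.10.0.1 firewall).
    "vlan10": [("deny", wildcard(SUBNETS["vlan10"]), wildcard(SUBNETS["vlan200_dmz"])),
               ("deny", wildcard(SUBNETS["vlan10"]), wildcard(SUBNETS["vlan2_iscsi"])),
               ("permit", wildcard(SUBNETS["vlan10"]), ANY)],
    "vlan192": [("deny", wildcard(SUBNETS["vlan192"]), wildcard(SUBNETS["vlan200_dmz"])),
                ("deny", wildcard(SUBNETS["vlan192"]), wildcard(SUBNETS["vlan2_iscsi"])),
                ("permit", wildcard(SUBNETS["vlan192"]), ANY)],
    # DMZ: deny every internal block, then permit-any for internet access.
    "vlan200_dmz": [("deny", wildcard(SUBNETS["vlan200_dmz"]), blk)
                    for blk in _internal_blocks_except("vlan200_dmz")]
                   + [("permit", wildcard(SUBNETS["vlan200_dmz"]), ANY)],
    # iSCSI: only same-subnet traffic; no permit-any, so no internet either.
    "vlan2_iscsi": [("permit", wildcard(SUBNETS["vlan2_iscsi"]),
                     wildcard(SUBNETS["vlan2_iscsi"]))],
}


def source_vlan(addr):
    ip = ipaddress.ip_address(addr)
    for name, net in SUBNETS.items():
        if ip in net:
            return name
    return None


def is_permitted(src, dst):
    """Evaluate the ingress ACL of the source's VLAN; first match wins."""
    vlan = source_vlan(src)
    if vlan is None:
        return False                  # unknown source: implicit deny
    for action, s, d in ACLS[vlan]:
        if matches(src, s) and matches(dst, d):
            return action == "permit"
    return False                      # implicit deny at end of list


def policy_matrix():
    """One constructed host per VLAN plus an external address (TEST-NET-3);
    returns {(src_vlan, dst_label): permitted} for the whole policy."""
    hosts = {n: str(net.network_address + 10) for n, net in SUBNETS.items()}
    hosts["internet"] = "203.0.113.10"
    return {(s, d): is_permitted(hosts[s], hosts[d])
            for s in SUBNETS for d in hosts if s != d}


if __name__ == "__main__":
    for (s, d), ok in sorted(policy_matrix().items()):
        print(f"{s:>12} -> {d:<12} {'permit' if ok else 'deny'}")
```

Two points the model makes visible: the permit-any for the DMZ has to sit after the internal denies, and these ACLs are stateless, so a flow is allowed only if the ingress ACL of each side permits its direction. The simplest way to get the "no communication outside VLAN" rows without any ACL at all is the reply's first suggestion: give VLAN 2 and VLAN 200 no SVI on the switch, so the switch has nothing to route for them.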
12-19-2018 01:38 PM
Hi, did you manage to get this working? Have the same issue.
Thanks!