11-27-2018 06:20 AM - edited 03-08-2019 04:41 PM
Hi All
I am looking at setting up private vlans for my DMZ so hosts cannot talk directly to each other, they only need to talk to the firewall.
We have a HA firewall and 2 switches, each firewall connects to a separate switch, and the switches have a trunk port to each other.
What is the simpliest way to do this?
could I just used the switchport protected (pvlan edge type) command on the servers connected in the DMZ and that would be enough? or do I need to set up the full blown private vlan setup with primary and secondary vlans? if so how would that look?
cheers
11-27-2018 06:29 AM
you could put the hosts into separate vlans then on a routed interface on the switch (if its L3) or the firewalls, you could implement ACLs - first deny to dest of other vlans then permit any
or you could implement pvlans on the switches
never seen switchport protected used much in prodution networks
regards, mk
please rate if helpful or solved :)
11-27-2018 06:58 AM
Hi
That is not really what we are looking to achieve.
Actually come to think of it, the actual servers will be on a blade enclosure which there will be multiple servers going through the same port, how would we isolate these from each other if coming off the same port to a blade switch?
cheers
11-27-2018 07:06 AM
if servers are in different vlans - then potentially a trunk port to the switch with SVIs for the different vlans?
regards, mk
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide