simple DMZ private vlan config

carl_townshend · ‎11-27-2018

Hi All

I am looking at setting up private vlans for my DMZ so hosts cannot talk directly to each other, they only need to talk to the firewall.

We have a HA firewall and 2 switches, each firewall connects to a separate switch, and the switches have a trunk port to each other.

What is the simpliest way to do this?

could I just used the switchport protected (pvlan edge type) command on the servers connected in the DMZ and that would be enough? or do I need to set up the full blown private vlan setup with primary and secondary vlans? if so how would that look?

cheers

mkazam001 · ‎11-27-2018

you could put the hosts into separate vlans then on a routed interface on the switch (if its L3) or the firewalls, you could implement ACLs - first deny to dest of other vlans then permit any

or you could implement pvlans on the switches

never seen switchport protected used much in prodution networks

regards, mk

please rate if helpful or solved :)

carl_townshend · ‎11-27-2018

Hi

That is not really what we are looking to achieve.

Actually come to think of it, the actual servers will be on a blade enclosure which there will be multiple servers going through the same port, how would we isolate these from each other if coming off the same port to a blade switch?

cheers

mkazam001 · ‎11-27-2018

if servers are in different vlans - then potentially a trunk port to the switch with SVIs for the different vlans?

regards, mk