VLAN setup help or advice

February 17, 2009 at 19:38:13
Specs: IOS
I'm researching how to set up a secure webserver. This is just something I've never done with secure data so want to make sure it is correct.

My goal is to set up a vlan_2 (172.16.1.1) on an HP ProCurve 2510G-24 with a single server running my website (webserver (172.16.1.2)). The HP also contains all other servers (dhcp, dns, ftp, backup) on the default vlan_1 (192.168.0.12). This switch is connected directly to a Cisco Catalyst 2960G-48 (192.168.0.10) running default setup. This connects to the PIX 506e. I've got the PIX set up ready with an acl and static route to my desired 172.16.1.2 ip for the server. I just can't seem to get the switches to work for me.

I would like to be able to access the webserver from any internal server or workstation also. I just want better protection from outside by putting the webserver in a vlan on a different subnet.

Am I way off base with my goal?

This will be a webserver for a secure application I've been building. I've never set up the network side.
I would rather not bypass the HP switch because I would like to eventually add more servers to the same vlan.
Thanks for the help.

Tibby


#1
February 17, 2009 at 20:49:43
You accomplished the goal of better protection but you can't achieve the administration you want because you need vlan routing and none of that equipment, given my brief review, supports it.

Vlan1 can't talk to vlan2 and vice versa.

I don't understand what the Catalyst is doing between the router and the vlan switch that has the servers.

Usually you put a firewall between the corp network and the web servers. You can't make a firewall out of a vlan.



#2
February 17, 2009 at 21:10:59
Am I confusing the terms vlan and dmz?
I don't suppose it will matter if vlan_1 can see vlan_2 if it is available through the web?
"I don't understand what the Catalyst is doing between the router and the vlan switch that has the servers."
It is just there really just running the default config. It sits in the pop room with several other switches, the pix, and this is where all the workstations connect. And one gig port on the catalyst runs the hp switch with the servers attached.
"Usually you put a firewall between the corp network and the web servers. You can't make a firewall out of a vlan."
This is my first webserver. All other servers are dhcp, dns, file servers, that run internal applications via intranet.
I want the new webserver inside the firewall in a dmz to have the best protection possible. The webserver will have confidential information on it. The protection is my top priority.
Does that help clear up?
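An added configuration example, not from the original post or either reply, of what the layout described above looks like once the firewall, rather than a VLAN, is doing the protecting: the HP carries VLAN 2 tagged up to the Catalyst, the Catalyst trunks both VLANs to the PIX, and the PIX (not either switch) is the only router between 192.168.0.0/24 and 172.16.1.0/24, so every packet between the corp network and the webserver has to pass its ACLs. This is the "firewall between the corp network and the web servers" from reply #1, built from the equipment the poster already has. Assumptions: the PIX 506E runs software 6.3 or later (which added 802.1Q logical interfaces), the webserver is on ProCurve port 1 and the uplink is port 24, the Catalyst uses Gi0/47 toward the HP and Gi0/48 toward the PIX, 172.16.1.1 is moved from the HP to the PIX dmz interface, the PIX inside address is 192.168.0.1, the internal DNS server is 192.168.0.20, an admin workstation is 192.168.0.50, and PUBLIC_IP stands for the outside address in the static the poster already has. Lines beginning with # are annotation, not commands.

```text
# ---- HP ProCurve 2510G-24 (assumed: webserver on port 1, uplink on port 24) ----
vlan 2
   name "DMZ"
   untagged 1        # webserver port: plain access port in VLAN 2
   tagged 24         # uplink to Catalyst: VLAN 2 leaves with an 802.1Q tag
   exit
vlan 1
   name "DEFAULT_VLAN"
   untagged 24       # uplink stays untagged in VLAN 1 = Cisco native VLAN 1
   ip address 192.168.0.12 255.255.255.0   # switch management only
   exit
# Deliberately no IP address on VLAN 2: the switch is layer 2 only for the DMZ
# and must never become a path between the two subnets that bypasses the PIX.

# ---- Cisco Catalyst 2960G-48 ----
vlan 2
 name DMZ
!
interface GigabitEthernet0/47
 description Trunk to HP 2510G (server switch)
 switchport trunk allowed vlan 1,2
 switchport mode trunk
!
interface GigabitEthernet0/48
 description Trunk to PIX 506E ethernet1 (inside)
 switchport trunk allowed vlan 1,2
 switchport mode trunk
!
# Workstation ports remain access ports in VLAN 1; nothing else joins VLAN 2.

# ---- Cisco PIX 506E, software 6.3+ (assumed) ----
interface ethernet1 auto
interface ethernet1 vlan2 logical
nameif ethernet1 inside security100
nameif vlan2 dmz security50
ip address inside 192.168.0.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
: The webserver's default gateway is 172.16.1.1, so all of its traffic crosses the firewall.

: Inside -> DMZ with no address translation (identity static), so 172.16.1.2 is reached directly
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0
: Publish the webserver to the outside (the poster's existing static; PUBLIC_IP is a placeholder)
static (dmz,outside) PUBLIC_IP 172.16.1.2 netmask 255.255.255.255 0 0

: Outside may reach only HTTPS on the published address
access-list outside_in permit tcp any host PUBLIC_IP eq https
access-group outside_in in interface outside

: Inside -> DMZ: allow just the application port and one admin host, deny the rest of the DMZ,
: then let normal internet traffic through as before
access-list inside_in permit tcp 192.168.0.0 255.255.255.0 host 172.16.1.2 eq https
access-list inside_in permit tcp host 192.168.0.50 host 172.16.1.2 eq ssh
access-list inside_in deny ip any 172.16.1.0 255.255.255.0
access-list inside_in permit ip 192.168.0.0 255.255.255.0 any
access-group inside_in in interface inside

: DMZ -> inside: a compromised webserver gets DNS and nothing else toward the corp network.
: The implicit deny at the end also blocks DMZ -> outside; add an explicit permit and a
: nat (dmz) entry only if the server must fetch updates itself.
access-list dmz_in permit udp host 172.16.1.2 host 192.168.0.20 eq domain
access-list dmz_in deny ip any 192.168.0.0 255.255.255.0
access-group dmz_in in interface dmz
```

To check it, `show vlans` on the HP should list port 24 as tagged in VLAN 2, `show interfaces trunk` on the Catalyst should show VLANs 1 and 2 active on both trunks, and `show interface` on the PIX should show the vlan2 logical interface up. From a workstation, HTTPS to 172.16.1.2 should work while a ping to it is dropped; from the webserver, a lookup against 192.168.0.20 should work while anything else toward 192.168.0.0/24 is dropped, and `show access-list` on the PIX should show the hit counts moving on exactly those lines. The point of the layout is that the VLAN only separates broadcast domains; the ACLs on the PIX are the firewall, and that only holds as long as no switch carries an IP address and a route for VLAN 2.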
