
LAN and DMZ on same switch

heyjim

Junior Member
As in the title - is it possible to have a LAN and DMZ on the same physical switch?

I'm hoping that something like this is possible?

dmz.png


We're running a SonicWALL TZ215 and Hyper-V on our server which I believe may also need tweaking with virtual switches etc?

Any help appreciated.

Thanks
 
Should be possible, you will need to have trunks set up on each port along the way, as well as your server will need to support dot1q trunking.
 
Should be possible, you will need to have trunks set up on each port along the way, as well as your server will need to support dot1q trunking.

Sounds complicated!

The public server in the DMZ will also need to be able to talk to a database server on the LAN - not sure if that complicates things or not?
 
Like RadiclDreamer said, you can do this with VLANs (802.1Q / dot1q). Depending on your requirements, that may or may not provide adequate security. Along the same lines, it also looks like you'll be hosting VMs from multiple security zones (DMZ and LAN) on the same host/hypervisor, which also has the potential to expose you to additional risk.
 
Sounds complicated!

The public server in the DMZ will also need to be able to talk to a database server on the LAN - not sure if that complicates things or not?

Not really, but you will need switches that support VLANs and dot1q trunks. Also, is your server a true server or a desktop PC running as a server? If it's a real server it will almost certainly have a network card that supports trunking.
 
Why can't you make the DMZ with SonicWall?
Currently I run the home version of the Sophos UTM in Hyper-V and it's that VM which controls my entire network.

Although my setup is virtual i will explain it as if it was a physical PC.
1 NIC = WAN
1 NIC = LAN
1 NIC = DMZ

Three separate networks. Granted, you need an extra NIC, and this is where VLANs can save you some cash; however mine is virtual so I'm not spending any more money on NICs. Firewall rules control traffic in and out of each zone.

I find that is a much easier way than setting up VLANs and it will allow for more control as you're running the DMZ directly off a UTM. I haven't tried SonicWall, but I would have used that to create the DMZ unless you have no choice but to use VLANs or if SonicWall doesn't have that kind of functionality.

**You would of course need a separate dedicated NIC in the hyper-v server which is dedicated to the DMZ. So you create a new virtual switch on that Hyper-V server.
 
Yep, our switch is 802.1Q (Netgear GS724TP).

Also, is your server a true server or a desktop pc running as a server?

Real server - Dell PE R710.

Why can't you make the DMZ with SonicWall?

That was my original idea - X0 LAN & X2 DMZ. I just wasn't sure if the 2 cables coming from X0 & X2 could plug into the same switch and work?

Basically we want to have a web server (viewable to the public) and a SQL server on the LAN which holds the data.
Our end goal is to limit access to the rest of our network in the event the web server was compromised.
 
Yep, our switch is 802.1Q (Netgear GS724TP).



Real server - Dell PE R710.



That was my original idea - X0 LAN & X2 DMZ. I just wasn't sure if the 2 cables coming from X0 & X2 could plug into the same switch and work?

Basically we want to have a web server (viewable to the public) and a SQL server on the LAN which holds the data.
Our end goal is to limit access to the rest of our network in the event the web server was compromised.
Ideally you would have both networks connected to different switches, so they are physically separated.

What I would do if I was you. I would use a different subnet for the public facing services that you want in the DMZ. So you separate the networks logically, forcing packets through the SonicWall router. That in turn allows Sonicwall to filter the packets however you set it up.

For example:
172.16.0.0 = LAN
10.0.0.0 = DMZ

Define both of those networks in SonicWall (again, I haven't used SonicWall). Set up firewall profiles that only allow each subnet to access the WAN.

Once that is done and set up perfectly, i.e. you cannot access the DMZ from the LAN nor the LAN from the DMZ, then you can work from there if you need LAN to DMZ connectivity, say, from a maintenance machine.

You could define a specific LAN machine, for example, 172.16.0.99 and only allow that machine to access the DMZ zone using specific services. You have to keep in mind that that machine would then become the weakest link and could act as a router between the two networks.

That way should solve your problem without the need for any complex networking or extra hardware.

That would also give you lots of log data and IDS data from the SonicWall as everything will be passing through it. If an attacker gets into the webserver and launches a portscan or some sort of worm, then *hopefully* the IDS in Sonicwall will identify it and the IPS will stop it 🙂. At least that's the plan.
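As an added illustration of the policy described in this reply (this is example code written for this page, not anything from the thread or from SonicWall), the following models a first-match, zone-based rule set in which LAN and DMZ are defined by subnet so every cross-zone packet has to traverse the firewall. The subnet masks (/16 and /8), the web server, SQL server and service ports are assumed; 172.16.0.99 is the maintenance machine from the post.

```python
"""
Added example, not from the thread: a first-match, zone-based policy of the
kind described above, with LAN and DMZ separated by subnet so all cross-zone
traffic is decided (and logged) by the firewall. Subnet masks, host
addresses and port numbers are assumed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Zones are defined by subnet; any address outside them is treated as WAN.
ZONES = {
    "LAN": ipaddress.ip_network("172.16.0.0/16"),   # mask assumed
    "DMZ": ipaddress.ip_network("10.0.0.0/8"),      # mask assumed
}

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"

@dataclass(frozen=True)
class Rule:
    src_zone: str                    # "*" matches any zone
    dst_zone: str
    action: str                      # "allow" or "deny"
    src_host: Optional[str] = None   # pin the rule to one source address
    dst_host: Optional[str] = None   # pin the rule to one destination address
    dst_ports: FrozenSet[int] = frozenset()   # empty = any port
    comment: str = ""

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (
            self.src_zone in ("*", zone_of(src))
            and self.dst_zone in ("*", zone_of(dst))
            and (self.src_host is None or self.src_host == src)
            and (self.dst_host is None or self.dst_host == dst)
            and (not self.dst_ports or port in self.dst_ports)
        )

WEB_SERVER = "10.0.0.10"      # constructed DMZ web server address
SQL_SERVER = "172.16.0.20"    # constructed LAN SQL server address
MAINT_HOST = "172.16.0.99"    # the maintenance machine named in the post

# Rules are evaluated top to bottom; the last rule is the default deny.
POLICY = [
    Rule("LAN", "WAN", "allow", comment="LAN users browse out"),
    Rule("DMZ", "WAN", "allow", comment="DMZ hosts fetch updates"),
    Rule("WAN", "DMZ", "allow", dst_host=WEB_SERVER, dst_ports=frozenset({80, 443}),
         comment="public reaches the web server only"),
    Rule("DMZ", "LAN", "allow", src_host=WEB_SERVER, dst_host=SQL_SERVER,
         dst_ports=frozenset({1433}), comment="web server to SQL only (port assumed)"),
    Rule("LAN", "DMZ", "allow", src_host=MAINT_HOST, dst_ports=frozenset({22, 443}),
         comment="single maintenance host, specific services"),
    Rule("*", "*", "deny", comment="default deny for everything else"),
]

def decide(src: str, dst: str, port: int) -> Tuple[str, str]:
    """Return (action, comment) of the first rule that matches the flow."""
    for rule in POLICY:
        if rule.matches(src, dst, port):
            return rule.action, rule.comment
    return "deny", "implicit deny"

def log_line(src: str, dst: str, port: int) -> str:
    """One firewall-style log line per decision; a compromised DMZ host
    probing the LAN shows up as a run of DENY lines here."""
    action, why = decide(src, dst, port)
    return f"{zone_of(src)}->{zone_of(dst)} {src} -> {dst}:{port} {action.upper()} ({why})"

if __name__ == "__main__":
    for flow in [("172.16.0.5", "8.8.8.8", 443),
                 (WEB_SERVER, SQL_SERVER, 1433),
                 (WEB_SERVER, SQL_SERVER, 445),
                 (WEB_SERVER, "172.16.0.5", 1433),
                 (MAINT_HOST, WEB_SERVER, 22),
                 ("172.16.0.50", WEB_SERVER, 22),
                 ("203.0.113.7", WEB_SERVER, 443)]:
        print(log_line(*flow))
```

The point of the ordering is that the web server gets exactly one path into the LAN (one destination, one port) and everything else from the DMZ falls through to the default deny, which is also what makes the denied attempts visible in the log.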
 
That was my original idea - X0 LAN & X2 DMZ. It just wasn't sure if the 2 cables coming from X0 & X2 could plug into the same switch and work?

Yes, using vlans, 802.1Q etc. It isn't complicated. I consider it one of the less complicated network configurations to setup. You don't even need multiple cables from the firewall if it also supports vlans.

You would create 2 sub-interfaces on the firewall (sub-interfaces live on an interface, i.e. "port 1").
Numbers here are example only.
Assign LAN to tagged vlan 100
Assign DMZ to tagged vlan 600

On the switch, set the firewall port to trunk, allow 100,600
On the virtual server switch port, trunk, allow 100,600
Any clients: "Access, untagged 100"
On the server configure the network card to support VLANs, create 100 and 600. Obviously how this is done varies based on the OS. VMware is really simple. Hyper-V varies from a bit annoying to simple depending on the version.
Inside the VM Hypervisor, attach the VM to the correct "Network"
 
Or use vlans to accomplish the exact same thing with less gear.
Very true!

Yes, using vlans, 802.1Q etc. It isn't complicated. I consider it one of the less complicated network configurations to setup. You don't even need multiple cables from the firewall if it also supports vlans.

You would create 2 sub-interfaces on the firewall (sub-interfaces live on an interface, i.e. "port 1").
Numbers here are example only.
Assign LAN to tagged vlan 100
Assign DMZ to tagged vlan 600

On the switch, set the firewall port to trunk, allow 100,600
On the virtual server switch port, trunk, allow 100,600
Any clients: "Access, untagged 100"
On the server configure the network card to support VLANs, create 100 and 600. Obviously how this is done varies based on the OS. VMware is really simple. Hyper-V varies from a bit annoying to simple depending on the version.
Inside the VM Hypervisor, attach the VM to the correct "Network"
I like this solution Imagoon. It's actually very clean and straight forward. +1
 
So I've found this setting which seems to allow me to create an interface and assign it to a parent interface.

sonicwall.png


Can any number be used for the VLAN tags? E.g, 1 and 2?

And I assume I could just leave the current LAN as it is and create the DMZ VLAN?
 
So I've found this setting which seems to allow me to create an interface and assign it to a parent interface.

sonicwall.png


Can any number be used for the VLAN tags? E.g, 1 and 2?

And I assume I could just leave the current LAN as it is and create the DMZ VLAN?

1 and 2 work. 1 is typically special, however, and there is the chance that garbage from another VLAN could be dumped into it if you wire / misconfigure something, because 1 is normally "untagged." It is generally better to tag everything. If you don't it may not be an issue.
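To make the VLAN plan from Imagoon's post and this last point about untagged frames concrete, here is an added example (written for this page, not code from the thread, from Netgear or from SonicWall) that builds 802.1Q-tagged Ethernet frames and shows how a switch port in access or trunk mode classifies them on ingress. VIDs 100 and 600 are Imagoon's example numbers; the port names, MAC addresses and the "drop tagged frames on access ports" behaviour are assumptions, since that last detail varies by vendor.

```python
"""
Added example, not from the thread: how an 802.1Q switch port classifies
incoming frames, using LAN = VLAN 100 and DMZ = VLAN 600 from the post above
and the untagged / VLAN 1 caveat from the last reply. All frames are
constructed here, none are captured traffic.
"""
import struct
from dataclasses import dataclass
from typing import FrozenSet, Optional

TPID_8021Q = 0x8100           # EtherType value that announces a VLAN tag

@dataclass
class Frame:
    dst: bytes
    src: bytes
    vid: Optional[int]        # None means the frame carried no 802.1Q tag
    ethertype: int
    payload: bytes

def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Serialise an Ethernet frame, inserting a 4-byte 802.1Q tag when vid is given."""
    if vid is not None and not 0 <= vid <= 4095:
        raise ValueError("VID must fit in 12 bits")
    out = dst + src
    if vid is not None:
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)   # PCP(3) | DEI(1)=0 | VID(12)
        out += struct.pack("!HH", TPID_8021Q, tci)
    return out + struct.pack("!H", ethertype) + payload

def parse_frame(raw: bytes) -> Frame:
    """Decode the Ethernet header and, if present, the 802.1Q tag after it."""
    if len(raw) < 14:
        raise ValueError("runt frame")
    dst, src = raw[:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vid, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vid, offset = tci & 0x0FFF, 18
    return Frame(dst, src, vid, ethertype, raw[offset:])

@dataclass(frozen=True)
class Port:
    name: str
    mode: str                                # "access" or "trunk"
    pvid: int = 1                            # access VLAN, or native VLAN of a trunk
    allowed: FrozenSet[int] = frozenset()    # trunk only: VIDs accepted on the wire
    tag_native: bool = False                 # trunk only: True drops untagged frames

def ingress_vlan(port: Port, frame: Frame) -> Optional[int]:
    """VLAN the switch forwards this frame in, or None if it is dropped."""
    if port.mode == "access":
        # Access ports expect untagged frames; tagged ones are dropped here
        # (vendor behaviour differs, this is the conservative assumption).
        return port.pvid if frame.vid is None else None
    if frame.vid is None:
        # Untagged on a trunk lands in the native VLAN, unless tagging is
        # forced or the native VLAN is not in the allowed list.
        if port.tag_native or port.pvid not in port.allowed:
            return None
        return port.pvid
    return frame.vid if frame.vid in port.allowed else None

LAN_VID, DMZ_VID = 100, 600
# The plan from the post: firewall and Hyper-V ports trunk 100,600; clients are access 100.
FIREWALL_PORT = Port("g1 firewall", "trunk", allowed=frozenset({LAN_VID, DMZ_VID}))
HYPERV_PORT = Port("g2 hyper-v", "trunk", allowed=frozenset({LAN_VID, DMZ_VID}))
CLIENT_PORT = Port("g3 client", "access", pvid=LAN_VID)
# A trunk left at factory defaults: VLAN 1 native and still permitted.
DEFAULT_TRUNK = Port("g4 default", "trunk", pvid=1, allowed=frozenset({1, LAN_VID, DMZ_VID}))

MAC_FW = bytes.fromhex("021122334455")   # constructed MAC addresses
MAC_VM = bytes.fromhex("02aabbccddee")

def demo() -> dict:
    """Classify a tagged DMZ frame and a stray untagged frame on each port type."""
    dmz_frame = parse_frame(build_frame(MAC_FW, MAC_VM, 0x0800, b"ipv4...", vid=DMZ_VID))
    untagged = parse_frame(build_frame(MAC_FW, MAC_VM, 0x0800, b"ipv4..."))
    return {
        "dmz_tagged_on_fw_trunk": ingress_vlan(FIREWALL_PORT, dmz_frame),
        "untagged_on_strict_trunk": ingress_vlan(FIREWALL_PORT, untagged),
        "untagged_on_default_trunk": ingress_vlan(DEFAULT_TRUNK, untagged),   # bleeds into VLAN 1
        "untagged_on_client_access": ingress_vlan(CLIENT_PORT, untagged),
        "tagged_on_client_access": ingress_vlan(CLIENT_PORT, dmz_frame),
    }

if __name__ == "__main__":
    for name, vlan in demo().items():
        print(f"{name}: {'drop' if vlan is None else f'vlan {vlan}'}")
```

The `untagged_on_default_trunk` case is the caveat from the reply: with the native VLAN left at 1 and permitted on the trunk, an untagged frame from a mis-wired or misconfigured device is forwarded in VLAN 1 instead of being discarded, whereas the strict trunk (only 100 and 600 allowed, or `tag_native` set) drops it.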
 