Successfully Deploy Project Server on VMWare with Shared Infrastructure
Shared Server/Shared Internet Access Application Shared Servers (Mail Server, data server, Internet...
4
Shared Server/Shared Internet Access Application • Shared Servers (Mail Server, data server, Internet Access servers) can be access by all user groups, but the access between groups are not allowed (for the performance or security consideration) • L2 solution: Asymmetric VLAN or Traffic Segmentation • L3 solution: L3 switch + ACL to limit the access between group. Servers V2 V3 V4
-
Upload
mabel-wright -
Category
Documents
-
view
213 -
download
0
Transcript of Shared Server/Shared Internet Access Application Shared Servers (Mail Server, data server, Internet...
Shared Server/Shared Internet Access Application
• Shared Servers (Mail Server, data server, Internet Access servers) can be access by all user groups, but the access between groups are not allowed (for the performance or security consideration)
• L2 solution: Asymmetric VLAN or Traffic Segmentation
• L3 solution: L3 switch + ACL to limit the access between group.
Servers
V2 V3 V4
V2192.168.1.xGw192.168.1.1
V3192.168.1.xGw192.168.1.1
V1, Servers192.168.1.x
V1, Internet Gateway192.168.1.1
ISP V1: port 1-8Shared Server(s) or Internet Gateway
V2: port 9-16VLAN2 users (PC or hub/switch)
V3: port 17-24 VLAN3 users (PC or hub/switch)
Requirement:1. V2 and V3 can access V1 for shared
Server (with IPX, same network IP, AppleTalk, NetBEUI etc)
2. V2 and V3 can access Internet Gateway for Internet Access using same network IP.
3. No access between V2 and V3.
Traffic Segmentation Standalone
configurationConfig traffic_segmentation 1-24 forwarding_list 1-24Config traffic_segmentation 9-16 forwarding_list 1-16Config traffic_segmentation 17-24 forwarding_list 1-8,17-24
Net4192.168.4.x/24Gw192.168.4.1
• Net1 (192.168.1.x) can be accessed by Net2, Net3, Net4.
• Net2, Net3, Net4 cannot access each other
Des-3326S
Net3192.168.3.x/24Gw192.168.3.1
ServersNet1192.168.1.x/24Gw192.168.1.1
Net2192.168.2.x/24Gw192.168.2.1
L3 Switch Shared Server application
Scenario: Only shared IP network can be accessed
# create access_profile rule# permit only 192.168.1.x to be accessed by other subnet create access_profile ip destination_ip_mask 255.255.255.0 permit profile_id 10config access_profile profile_id 10 add access_id 11 ip destination_ip 192.168.1.2create access_profile ip source_ip_mask 255.255.255.0 permit profile_id 20config access_profile profile_id 20 add access_id 21 ip source_ip 192.168.1.2# permit 192.168.2.x and 192.168.3.x can access themselves.create access_profile ip source_ip_mask 255.255.255.0 destination_ip_mask 255.255.255.0 permit profile_id 30config access_profile profile_id 30 add access_id 31 ip source_ip 192.168.2.2 destination_ip 192.168.2.2config access_profile profile_id 30 add access_id 32 ip source_ip 192.168.3.2 destination_ip 192.168.3.2config access_profile profile_id 30 add access_id 33 ip source_ip 192.168.4.2 destination_ip 192.168.4.2#### other nets added here# deny others.create access_profile ip source_ip_mask 0.0.0.0 deny profile_id 40config access_profile profile_id 40 add access_id 41 ip source_ip 0.0.0.0
Rules:1. If Dest. IP=192.168.1.x, permit2. If Src. IP=192.168.1.x, permit3. If DestIP=192.168.2.x and destIP=192.168.2.x, permit4. If DestIP=192.168.3.x and SrcIP=192.168.3.x, permit5. If DestIP=192.168.4.x and SrcIP=192.168.4.x, permit6. Deny Others
Test:1. Net2 (192.168.2.x), Net3, Net4 PCs can Ping Net1 PC (192.168.1.x).2. Net2, Net3, Net4 PCs cannot ping each other.
L3 Switch Shared Server application
