2

We have an environment with 4 Hyper-V servers connected through a Dell PowerConnect 2824 switch to two Cisco PIX redundant firwalls.

Right now, it all works without a VLAN, but I want to isolate some of the traffic, so I need to set a VLAN tag on a specific interface of a Virtual Machine, and then let the traffic exit the switch port with this specific VLAN tag, and get to the firewalls, but on entry to the port, it needs to be untagged, so that the firewall can process it as if it were a regular untagged packet.

So I need to let these packets go out with the VLAN tag on any of the ports, but are only allowed entry on two specific ports (at which point the VLAN tag is stripped out)

Regular untagged packets should be unaffected.

I'm not very experienced with VLANs so I wonder if this is possible. Some documentation on the switch can be found here:

http://support.dell.com/support/edocs/network/pc28xx/en/ug/html/switch.htm#wp1208025

Thanks!

andreialecu
  • 237
  • 1
  • 3
  • 9

1 Answers1

2

No. What you propose defeats the purpose of VLANing. Assuming there was a way to get this working you would lose segregation as soon as it hit the physical switch.

You can do a couple of things, all of which would require various levels of reworking your network and/or ugliness.

Access Ports

First, and probably the most simple, would be to create the VLAN and then add a second Ethernet drop from the switch to the Hyper-V box as a normal access port (untagged) and then setup a separate virtual network for this traffic. You would also have to add another interface to your firewall to connect to another normal access port on the switch and route/firewall from there.

Hybrid Trunking/Access port

You would setup a Trunk to the firewall and use a sub-interface or Virtual interface on the firewall to act on the packets tagged with the VLANs. You would then have two access ports going to the Hyper-V box one for each VLAN.

You can swap this so the Trunk is going to the Hyper-V machine and the access ports to the firewall.

Trunking all around

You can setup trunks to both the firewall and the Hyper-V box and setup the Sub-interfaces on the firewall, seperate networks on the Hyper-V box based on these VLANs.

Zypher
  • 37,405
  • 5
  • 53
  • 95
  • Thank you. You led me into the right direction. I was under the wrong impression that I couldn't create a new virtual interface on the firewall due to limitations with it, but I just tried again and it worked. I created a new DMZ on the separate VLAN and solved this in the end. – andreialecu Nov 12 '10 at 09:24