[180109] in North American Network Operators' Group
Re: Help Needed Segmenting Existing Network with Sophos UTM Cisco
daemon@ATHENA.MIT.EDU (Sina Owolabi)
Sat May 23 13:36:22 2015
X-Original-To: nanog@nanog.org
In-Reply-To: <CABqQ-Otp993Ua+EvXnhPXi8NHGSTzUpnZq+vSJD1cVqKjP8uHQ@mail.gmail.com>
From: Sina Owolabi <notify.sina@gmail.com>
Date: Sat, 23 May 2015 17:36:18 +0000
To: olushile akintade <olushile@gmail.com>,
"nanog@nanog.org list" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
Diagramming is a little difficult right now, but think of the current
state as router-on-a-stick without VLANs, that needs to have VLANs setup.
On Sat, May 23, 2015, 6:57 AM olushile akintade <olushile@gmail.com> wrote:
> Can you provide a quick diagram with the current subnet and traffic path?
> On Fri, May 22, 2015 at 7:51 PM Sina Owolabi <notify.sina@gmail.com>
> wrote:
>
>> Hi!
>>
>>
>> I am in a bit of a planning and implementation quandary and I'm hoping
>> to solicit implementation assistance on an already existing network
>> which needs to have segmentation and security.
>>
>> I have only remote access to the network which comprises a number of
>> Red Hat Linux 6-based hypervisor servers (hosting a multiplicity of
>> virtual machines in different networks), a Sophos UTM gateway device
>> (specifically ASG220) serving as a router, and two Cisco Catalyst 2960
>> switches (one on the internet side of the UTM gateway, and the other
>> allowing access to the UTM from the RHEL6 hypervisors).
>>
>>
>> There are a number of subnets defined on both the hypervisors and the
>> virtual machines, all using the Sophos UTM as their gateway to each
>> other, and to the internet. My task is to properly segregate access
>> and traffic between the devices, which do not have VLANs defined on
>> them. Remotely.
>>
>> My question is, can I create VLANs, and their trunk ports on the 2960
>> switches (especially on the LAN switch) that will segregate traffic
>> between the networks defined on the UTM, the hypervisors and their
>> guest machines, without causing network downtime?
>>
>> Is it best to attack the switches first, creating the VLANs there,
>> before implementing VLANs on the UTM and the hypervisors?
>>
>> I would be grateful for any planning assistance. The data center is a
>> long way away, and any downtime will be catastrophic.
>>
>>
>> Thanks in advance!
>>
>
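As an added illustration (not from this thread, and not a configuration the poster or anyone on the list supplied), here is the shape a phased Cisco IOS change set for the LAN-side 2960 would take. The VLAN IDs, VLAN names and interface numbers are assumptions chosen for the example; the existing untagged network is assumed to live in the default VLAN 1.

```cisco
configure terminal
!
! Phase 1: define the VLANs. Creating VLANs alone changes nothing for the
! existing untagged traffic, which keeps flowing in VLAN 1.
! VLAN IDs and names are assumptions, not values from the thread.
vlan 10
 name MGMT-HYPERVISORS
vlan 20
 name GUESTS-APP
vlan 30
 name GUESTS-DB
exit
!
! Phase 2: make the UTM-facing and hypervisor-facing ports 802.1Q trunks.
! Interface numbers are assumptions. The native VLAN is left at its default
! (VLAN 1), so frames the UTM and hypervisors send untagged today are still
! carried as before while the tagged VLANs are brought up on each end.
interface GigabitEthernet0/1
 description uplink to Sophos UTM (assumed port)
 switchport mode trunk
 switchport trunk allowed vlan 1,10,20,30
 spanning-tree portfast trunk
!
interface GigabitEthernet0/2
 description RHEL6 hypervisor (assumed port)
 switchport mode trunk
 switchport trunk allowed vlan 1,10,20,30
 spanning-tree portfast trunk
!
! Phase 3: once the UTM has a tagged interface per VLAN and each hypervisor
! has a matching tagged bridge for its guests, move any single-homed device
! to an access port in its VLAN. No trunk is needed for such a port.
interface GigabitEthernet0/10
 description single-purpose host (assumed port)
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
end
!
! Verify before touching the next device:
!   show vlan brief           -> VLANs exist and access ports are assigned
!   show interfaces trunk     -> trunks are up and carry the allowed VLANs
!   show interfaces status    -> no port has dropped into err-disabled
write memory
```

The ordering is the point of the example: VLAN definitions and trunks with the default native VLAN leave untagged traffic untouched, so the switch side can be prepared first and each UTM VLAN interface and hypervisor 802.1Q bridge added afterwards and tested one segment at a time. Changing a port's switchport mode can briefly renegotiate that link, so the two trunk ports are the steps to schedule carefully on a remote site. Once every segment has migrated, prune VLAN 1 from the trunk allowed lists so that the untagged path no longer bypasses the segmentation the UTM's inter-VLAN firewall rules are meant to enforce.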