Help Needed Segmenting Existing Network with Sophos UTM Cisco Catalyst switches and RHEL6 Hypervisors
Hi!

I am in a bit of a planning and implementation quandary and I'm hoping to solicit implementation assistance on an already existing network which needs to have segmentation and security.

I have only remote access to the network which comprises a number of Red Hat Linux 6-based hypervisor servers (hosting a multiplicity of virtual machines in different networks), a Sophos UTM gateway device (specifically ASG220) serving as a router, and two Cisco Catalyst 2960 switches (one on the internet side of the UTM gateway, and the other allowing access to the UTM from the RHEL6 hypervisors).

There are a number of subnets defined on both the hypervisors and the virtual machines, all using the Sophos UTM as their gateway to each other, and to the internet. My task is to properly segregate access and traffic between the devices, which do not have VLANs defined on them. Remotely.

My question is, can I create VLANs, and their trunk ports on the 2960 switches (especially on the LAN switch) that will segregate traffic between the networks defined on the UTM, the hypervisors and their guest machines, without causing network downtime?

Is it best to attack the switches first, creating the VLANs there, before implementing VLANs on the UTM and the hypervisors?

I would be grateful for any planning assistance. The data center is a long way away, and any downtime will be catastrophic.

Thanks in advance!
Can you provide a quick diagram with the current subnet and traffic path?

On Fri, May 22, 2015 at 7:51 PM Sina Owolabi <notify.sina@gmail.com> wrote:
Diagramming is a little difficult right now, but think of the current state as router-on-a-stick without VLANs, that needs to have VLANs setup.

On Sat, May 23, 2015, 6:57 AM olushile akintade <olushile@gmail.com> wrote:
The answer to this one is easy. Yes, there is very likely a series of steps, that will achieve what you want remotely. But...

"The data center is a long way away, and any downtime will be catastrophic".

The slightest misstep and you will be down until you arrive at the site. So do not even think about trying this. You go there and you do it at night, when the impact of a mistake is less.

Regards,
Baldur
Thanks Baldur. I am definitely planning on doing that.

Eric, no the VMs are not all segregated, they are all blended together. You can find a 192.168 sharing the same physical host as a 10.10. I've never played with OpenVSwitch before, though. Would introducing it here lead to any further complexities?

On Sat, May 23, 2015 at 8:05 PM, Baldur Norddahl <baldur.norddahl@gmail.com> wrote:
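Since the RHEL6 hosts carry guests from several subnets (192.168.x and 10.10.x on the same box) on flat bridges, the per-host part of the VLAN plan discussed above is to give each subnet a tagged subinterface on the trunk NIC and its own IP-less bridge, with an automatic revert armed before the change is applied. This is an added example, not configuration from the thread or from Sina's site; the trunk NIC name eth0, the br<ID> naming and the /var/run pid-file path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): render RHEL6 network-scripts for one
# guest VLAN on a hypervisor. The trunk NIC gets an 802.1Q subinterface that is
# enslaved to an IP-less bridge, so guests of that subnet attach to br<ID> and
# the hypervisor itself stays off the guest VLAN. Files are written to OUTDIR
# so they can be diffed before being copied to /etc/sysconfig/network-scripts.
# Interface names (eth0, br10) and the /var/run pid file are assumptions.
set -u

gen_vlan_bridge() {
    trunk=$1; vid=$2; outdir=$3
    # Refuse anything outside the 802.1Q VLAN ID range before touching disk.
    case $vid in ''|*[!0-9]*) return 1 ;; esac
    [ "$vid" -ge 1 ] && [ "$vid" -le 4094 ] || return 1
    mkdir -p "$outdir" || return 1
    # ifup derives the VLAN tag from the DEVICE name and loads 8021q itself.
    cat > "$outdir/ifcfg-$trunk.$vid" <<EOF
DEVICE=$trunk.$vid
VLAN=yes
BRIDGE=br$vid
ONBOOT=yes
BOOTPROTO=none
NM_CONTROLLED=no
EOF
    # No IP on the bridge: the UTM, not the hypervisor, routes this subnet.
    cat > "$outdir/ifcfg-br$vid" <<EOF
DEVICE=br$vid
TYPE=Bridge
BOOTPROTO=none
ONBOOT=yes
DELAY=0
NM_CONTROLLED=no
EOF
}

# Safety net for the lockout case the thread worries about: after MINUTES the
# saved copy of network-scripts is restored and networking restarted, unless
# the job is cancelled (kill "$(cat /var/run/netrevert.pid)") once reachability
# over the management path has been confirmed.
arm_rollback() {
    minutes=$1; backup=$2
    nohup sh -c "sleep $((minutes * 60)) && cp -a '$backup'/ifcfg-* \
        /etc/sysconfig/network-scripts/ && service network restart" \
        >/dev/null 2>&1 &
    echo $! > /var/run/netrevert.pid
}
```

Typical order on a host: copy the current network-scripts to a backup directory, run gen_vlan_bridge once per subnet into a staging directory and diff it, call arm_rollback, then install the files and restart networking; leave the management interface's own ifcfg untouched so the path you are working over is never part of the change.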