
I can't find any information on whether it is possible at all, and how, to configure a DMZ zone on a Mellanox MSN2100 switch.

If I set up an ACL disabling traffic from DMZ to LAN, I can't receive responses to requests made from LAN to DMZ.

Is there any way I can do it?

The main reason I'm doing this is to maximize throughput to my firewall by limiting it to connections related to the internet. Otherwise, I double every connection on the firewall (from LAN to the proxy server in the DMZ, then from the proxy to the WAN), cutting the firewall's maximum throughput in half.

Thanks for any help.

Mike

1 Answer


ACLs are essentially stateless. Unlike on a firewall (which is usually stateful), you need to set up ACEs to filter or permit both directions.

So, you could permit replies from DMZ services only and deny everything else. To allow DNS, WWW and RDP connections from LAN to DMZ you could apply this ACL to the DMZ port on ingress:

1000 permit udp dmz/24 lan/24 eq-source 53
1010 permit tcp dmz/24 lan/24 eq-source 80
1020 permit tcp dmz/24 lan/24 eq-source 443
1030 permit tcp dmz/24 lan/24 eq-source 3389
1200 deny ip dmz/24 lan/24
9999 permit ip any any

(substitute your DMZ and LAN addresses/masks for dmz/24 and lan/24)

ACE 1200 filters all traffic from DMZ to LAN that wasn't previously permitted. ACE 9999 permits WAN traffic if that is required on that port.

Zac67
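The following is an added example, not part of the answer above or of any Mellanox software: it models the answer's DMZ-port ingress ACL as a first-match, stateless rule list and runs sample packets through it, showing why the original deny-only ACL dropped replies and why the eq-source entries let them through. The 192.0.2.0/24 (DMZ) and 198.51.100.0/24 (LAN) prefixes are constructed stand-ins for dmz/24 and lan/24.

```python
"""Stateless model of the answer's DMZ-ingress ACL (constructed example)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional, Tuple

# Constructed addressing standing in for the answer's dmz/24 and lan/24.
DMZ = ip_network("192.0.2.0/24")
LAN = ip_network("198.51.100.0/24")


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                        # "permit" or "deny"
    proto: str                         # "udp", "tcp" or "ip" (ip = any)
    src: Optional[IPv4Network]         # None means "any"
    dst: Optional[IPv4Network]
    eq_source: Optional[int] = None    # source-port match; None = any port


# The ACL from the answer, in evaluation order (first match wins).
DMZ_INGRESS = [
    Ace(1000, "permit", "udp", DMZ, LAN, 53),
    Ace(1010, "permit", "tcp", DMZ, LAN, 80),
    Ace(1020, "permit", "tcp", DMZ, LAN, 443),
    Ace(1030, "permit", "tcp", DMZ, LAN, 3389),
    Ace(1200, "deny", "ip", DMZ, LAN),
    Ace(9999, "permit", "ip", None, None),
]


def matches(ace: Ace, proto: str, src_ip: str, dst_ip: str, sport: int) -> bool:
    """True when the packet's protocol, addresses and source port fit the ACE."""
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ace.src is not None and ip_address(src_ip) not in ace.src:
        return False
    if ace.dst is not None and ip_address(dst_ip) not in ace.dst:
        return False
    return ace.eq_source is None or ace.eq_source == sport


def evaluate(acl, proto: str, src_ip: str, dst_ip: str, sport: int) -> Tuple[str, Optional[int]]:
    """Return (action, seq) of the first matching ACE; implicit deny if none match.

    There is no connection table: a reply from a DMZ server passes only because
    its source port equals a permitted service port. A stateless ACL cannot
    tell such a reply from any other DMZ packet using that source port; only a
    stateful device can make that distinction.
    """
    for ace in acl:
        if matches(ace, proto, src_ip, dst_ip, sport):
            return ace.action, ace.seq
    return "deny", None
```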