This article walks through creating a DMZ on a Meraki MX security appliance using VLANs and firewall rules.
In this example, the network is divided into two segments, following the example topology below.
- Internal: contains client devices; not reachable from the internet, but able to connect outbound.
- DMZ: contains servers running services that must be reachable from the internet.
The DMZ holds a web server that both internal clients and external hosts on the internet may reach. However, only web traffic is allowed to it.
1. Network segmentation using VLAN:
– Go to Configure > Addressing & VLANs.
– Make sure the Mode is set to Routed.
– Enable VLANs if it is not enabled.
– Create the Internal and DMZ VLANs.
– Make sure the port connecting to the downstream switch is configured to carry both VLANs; in this example VLAN 1 (Internal) is the native VLAN and untagged, and VLAN 2 (DMZ) is tagged. Make sure the downstream switch is configured to match.
– Select Save Changes to save.
2. Restrict traffic between VLANs using Firewall rules:
– Go to Configure > Firewall.
– Under Outbound rules, add the following rules:
- Allow TCP:80 traffic from the Internal VLAN to the web server.
- Allow TCP:443 traffic from the Internal VLAN to the web server.
- Deny all other traffic from the Internal VLAN to the web server.
- Deny all traffic from the DMZ VLAN to the Internal VLAN.
– Select Save Changes to save.
– Once applied, these rules will allow:
- Internal clients and DMZ servers to connect to the internet.
- Internal clients to access web resources on the web server.
– and will prevent:
- Internal clients from accessing other resources on the web server (e.g. SSH or FTP).
- DMZ servers from reaching internal clients, except for replies to connections initiated from the Internal VLAN.
- Internet hosts from reaching internal clients.
– Finally, to allow internet hosts to reach the web server, you need to configure port forwarding; see this article for how to configure it.
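As an added example (not part of the original article), the rule set above modelled in Python: the rules are written in the shape of Meraki Dashboard API L3 firewall rule objects (the field names and the subnet addresses are assumptions), and a small first-match evaluator checks the outcomes listed above, which also shows why the two allow rules must sit above the deny rule.

```python
import ipaddress

# Constructed addressing (an assumption): VLAN 1 Internal = 192.168.1.0/24,
# VLAN 2 DMZ = 192.168.2.0/24, web server = 192.168.2.10
INTERNAL = "192.168.1.0/24"
DMZ = "192.168.2.0/24"
WEB_SERVER = "192.168.2.10/32"

# Ordered outbound rules, written in the shape of Meraki Dashboard API L3 firewall
# rule objects (field names are an assumption). The MX evaluates rules top-down,
# applies the first match, and permits anything that matches no rule.
RULES = [
    {"comment": "Internal to web server HTTP", "policy": "allow", "protocol": "tcp",
     "srcCidr": INTERNAL, "srcPort": "Any", "destCidr": WEB_SERVER, "destPort": "80"},
    {"comment": "Internal to web server HTTPS", "policy": "allow", "protocol": "tcp",
     "srcCidr": INTERNAL, "srcPort": "Any", "destCidr": WEB_SERVER, "destPort": "443"},
    {"comment": "Deny all other Internal to web server", "policy": "deny", "protocol": "any",
     "srcCidr": INTERNAL, "srcPort": "Any", "destCidr": WEB_SERVER, "destPort": "Any"},
    {"comment": "Deny DMZ to Internal", "policy": "deny", "protocol": "any",
     "srcCidr": DMZ, "srcPort": "Any", "destCidr": INTERNAL, "destPort": "Any"},
]

def _cidr_match(cidr, ip):
    return cidr.lower() == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def _port_match(rule_port, port):
    return rule_port.lower() == "any" or port in {int(p) for p in rule_port.split(",")}

def evaluate(rules, src_ip, dst_ip, proto, dst_port):
    """Policy applied to a NEW flow: first matching rule wins, else allow.
    Replies of established flows pass the stateful firewall and are not modelled."""
    for rule in rules:
        if rule["protocol"] not in ("any", proto):
            continue
        if (_cidr_match(rule["srcCidr"], src_ip) and _cidr_match(rule["destCidr"], dst_ip)
                and _port_match(rule["destPort"], dst_port)):
            return rule["policy"]
    return "allow"

def check_policy(rules):
    """Check a rule set against the outcomes the article lists (sample IPs constructed)."""
    cases = [
        ("192.168.1.20", "192.168.2.10", "tcp", 80, "allow"),   # internal client -> web
        ("192.168.1.20", "192.168.2.10", "tcp", 443, "allow"),
        ("192.168.1.20", "192.168.2.10", "tcp", 22, "deny"),    # internal client -> SSH on web
        ("192.168.2.10", "192.168.1.20", "tcp", 445, "deny"),   # DMZ server -> internal client
        ("192.168.1.20", "203.0.113.5", "tcp", 443, "allow"),   # internal client -> internet
        ("192.168.2.10", "203.0.113.5", "udp", 53, "allow"),    # DMZ server -> internet
    ]
    return all(evaluate(rules, *case[:4]) == case[4] for case in cases)
```

Moving the "deny all other" rule above the two allow rules makes `check_policy` fail, because the deny then matches the HTTP and HTTPS flows first.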
Thank you for following this article!