Blade Enclosure, Multiple Blade Servers: What's the closest approximation to a DMZ?

blade-server, dmz, virtualization

I appreciate that to get a proper DMZ, one should have a physical separation between the DMZ servers and the LAN servers, with a firewall server in between.

But, in a network consisting of a single Blade Enclosure containing two or more Blade servers that run multiple virtual servers, what's the closest approximation to a DMZ that could be designed?

More details: Virtual servers, mostly Windows, running in a VMware environment on the Blade servers, and a physical firewall box between the Blade enclosure and the internet.

Best Answer

Set up the switches to run "DMZ" network traffic over a VLAN, and be very careful where that VLAN traffic is allowed to go.

One of my sites has one switch; the internet traffic is plugged directly into switch port 24 (with a big sticker stuck to the switch explaining what port 24 is). The switch is configured so port 24 is VLAN 20 (untagged); port 1 gets VLAN 20 (tagged), since it's the main router; and no other port gets that VLAN's traffic. The router only has the one network connection. Is this ideal? Probably not, but there's nothing wrong or insecure with the way it's set up.
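The answer's layout can be checked rather than just trusted. Below is an added example (not code from the original post or from the answerer) that models the described switch as a port/VLAN membership table, simulates where a broadcast entering the internet port would be flooded, and audits that the DMZ VLAN appears on no port other than the two the answer names. The 24-port count, the use of VLAN 1 as the plain LAN VLAN, and the simplified 802.1Q forwarding model (classify untagged ingress by PVID, flood to VLAN members, tag on egress per port) are assumptions made for the example; the `extra_dmz_ports` argument exists only to show what the audit catches when someone later adds a stray port to VLAN 20.

```python
from dataclasses import dataclass, field

DMZ_VLAN = 20   # VLAN 20 from the answer
LAN_VLAN = 1    # assumed: untagged LAN traffic lives in VLAN 1


@dataclass
class Port:
    number: int
    pvid: int                                   # VLAN assigned to untagged ingress frames
    untagged: set = field(default_factory=set)  # VLANs this port sends out without a tag
    tagged: set = field(default_factory=set)    # VLANs this port sends out with an 802.1Q tag

    def carries(self, vlan):
        """True if the port can receive or emit frames in `vlan` in any mode."""
        return vlan == self.pvid or vlan in self.untagged or vlan in self.tagged


def build_switch(extra_dmz_ports=()):
    """Constructed 24-port switch laid out as in the answer (an assumption:
    the post only says 'one switch'). `extra_dmz_ports` models a mistake where
    additional ports were also made untagged members of the DMZ VLAN."""
    ports = []
    for n in range(1, 25):
        if n == 24:                                      # internet uplink, untagged VLAN 20
            ports.append(Port(n, pvid=DMZ_VLAN, untagged={DMZ_VLAN}))
        elif n == 1:                                     # router: LAN untagged, DMZ tagged
            ports.append(Port(n, pvid=LAN_VLAN, untagged={LAN_VLAN}, tagged={DMZ_VLAN}))
        elif n in extra_dmz_ports:                       # accidental DMZ member
            ports.append(Port(n, pvid=DMZ_VLAN, untagged={DMZ_VLAN}))
        else:                                            # ordinary LAN access port
            ports.append(Port(n, pvid=LAN_VLAN, untagged={LAN_VLAN}))
    return ports


def flood_from(ports, ingress, tagged_vlan=None):
    """Simulate an unknown-destination (broadcast) frame entering `ingress`.
    Untagged frames are classified into the ingress port's PVID; a tagged frame
    is accepted only if the ingress port is a tagged member of that VLAN.
    Returns {egress_port: 'tagged' | 'untagged'} for every port that gets a copy."""
    by_num = {p.number: p for p in ports}
    src = by_num[ingress]
    if tagged_vlan is None:
        vlan = src.pvid
    elif tagged_vlan in src.tagged:
        vlan = tagged_vlan
    else:
        return {}  # ingress filtering: drop tags the port is not a member of
    out = {}
    for p in ports:
        if p.number == ingress:
            continue
        if vlan in p.tagged:
            out[p.number] = "tagged"
        elif vlan in p.untagged:
            out[p.number] = "untagged"
    return out


def dmz_leaks(ports, dmz_vlan, allowed):
    """Audit: every port carrying `dmz_vlan` must appear in `allowed`
    (port number -> expected egress mode) with exactly that mode.
    Returns a list of (port, mode) violations; empty means the VLAN is contained."""
    bad = []
    for p in ports:
        if not p.carries(dmz_vlan):
            continue
        mode = "tagged" if dmz_vlan in p.tagged else "untagged"
        if allowed.get(p.number) != mode:
            bad.append((p.number, mode))
    return bad


ALLOWED_DMZ = {24: "untagged", 1: "tagged"}   # the only two ports the answer permits

if __name__ == "__main__":
    good = build_switch()
    print("internet broadcast reaches:", flood_from(good, 24))          # {1: 'tagged'}
    print("LAN broadcast reaches port 24?", 24 in flood_from(good, 5))  # False
    print("DMZ leaks:", dmz_leaks(good, DMZ_VLAN, ALLOWED_DMZ))        # []

    bad = build_switch(extra_dmz_ports=(12,))
    print("misconfigured, internet broadcast reaches:", flood_from(bad, 24))
    print("misconfigured, DMZ leaks:", dmz_leaks(bad, DMZ_VLAN, ALLOWED_DMZ))
```

The two checks encode the answer's rule directly: a frame arriving on the internet port can only ever exit port 1, and only with a VLAN 20 tag, while nothing in the plain LAN VLAN ever reaches port 24. The real value is in re-running the audit against the switch's actual port table whenever the config changes, since a single stray "add port to VLAN 20" is all it takes to put a LAN host on the internet side.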