Design considerations for implementing a secure segregated VLAN

Unanswered Question
Nov 19th, 2008

We currently have all our head office servers on one VLAN (on a 6500 series core switch) and accessible from all our remote sites (connected by IPsec VPN) and from all our head office users.

I would like to segregate some of the servers into their own "secure" VLAN - which would only be accessible from the remote sites which needed to access the servers (and only from certain users within the head office).

I'm looking for suggestions on the best way to achieve this, i.e. to segregate the servers from the rest of the network and provide appropriate security etc.

Can I simply create a new VLAN for these servers, and then use an access-list to only allow access from the specific remote sites which would need connectivity with the servers, blocking everything else?

What other suggestions, design considerations should be taken into account for this type of task? Any feedback would be welcomed!

Jon Marshall Wed, 11/19/2008 - 09:42


"Can I simply create a new VLAN for these servers, and then use an access-list to only allow access from the specific remote sites which would need connectivity with the servers, blocking everything else?"

In a nutshell, yes, this is exactly what you would do. If all the access to the servers is from your own internal users then using ACLs to control access to the servers is probably good enough. You could look to deploy a firewall if you wanted more security but that may be overkill for you.

In terms of additional considerations

1) I'm assuming a new VLAN means new addressing? If so, make sure none of the apps hosted on these servers rely on hardcoded IP addresses rather than DNS lookups.

2) Make sure that if you move some of the servers to the new VLAN, any left in the existing VLAN do not require L2 adjacency with servers that have moved - clustering springs to mind as an example, although if you were clustering you would very probably move the entire cluster.

3) Your VPN access-lists would need updating at both ends with the new subnet details.

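Configuration for what Jon describes, as an added example that is not part of the thread: a new SVI for the secure VLAN with an extended ACL applied outbound, so that only one remote-site subnet and two named head-office hosts can reach the servers, plus the crypto ACL update from his point 3. All VLAN numbers, addresses, interface names and ACL names are assumptions for illustration.

```cisco
! Added example (not from the thread). Assumed addressing:
!   existing server VLAN 10   10.1.10.0/24
!   new secure VLAN 20        10.1.20.0/24
!   HQ admin workstations     10.1.50.11 and 10.1.50.12
!   remote site A (allowed)   10.2.1.0/24
!   remote site B (blocked)   10.2.2.0/24  (no permit line, so it hits the deny)
!
vlan 20
 name SECURE-SERVERS
!
! Who may reach the secure servers. First match wins, so the permits
! come before the catch-all deny.
ip access-list extended SECURE-SERVERS-ACCESS
 remark Remote site A needs these servers
 permit ip 10.2.1.0 0.0.0.255 10.1.20.0 0.0.0.255
 remark Two named head-office hosts, not the whole HQ user VLAN
 permit ip host 10.1.50.11 10.1.20.0 0.0.0.255
 permit ip host 10.1.50.12 10.1.20.0 0.0.0.255
 remark Everything else (other sites, HQ users, old server VLAN) is dropped
 deny   ip any any log
!
! Applied OUTBOUND on the secure VLAN's SVI: every routed packet whose
! destination is 10.1.20.0/24 leaves the MSFC through this interface,
! so this one ACL is the choke point whatever the packet's ingress point.
interface Vlan20
 description Secure server VLAN
 ip address 10.1.20.1 255.255.255.0
 ip access-group SECURE-SERVERS-ACCESS out
 no ip redirects
 no ip proxy-arp
!
! Jon's point 3: the crypto ACL (interesting traffic) for the tunnel to
! site A must cover the new subnet too, and site A's router needs the
! mirror image (destination 10.1.20.0/24) or the traffic is never encrypted.
ip access-list extended VPN-SITE-A
 permit ip 10.1.10.0 0.0.0.255 10.2.1.0 0.0.0.255
 permit ip 10.1.20.0 0.0.0.255 10.2.1.0 0.0.0.255
```

The ACL is stateless: it controls who can open connections to the servers, not what the servers can initiate, so apply a second ACL inbound on Vlan20 if the servers should only be able to talk back to the permitted subnets. On a 6500 the `log` keyword sends matching packets to the supervisor CPU, so keep it while you are finding forgotten dependencies and drop it if the deny rate climbs. Confirm the ACL was programmed in hardware with `show tcam interface Vlan20 acl out ip`.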

mitchen Wed, 11/19/2008 - 10:27


Thanks, that's very helpful - and also good to know that it seems relatively straightforward to achieve!

One additional thing that just sprung to mind - once I have this set-up, I will then have certain remote sites able to access these particular servers on the new VLAN.

But other devices (i.e. on the "normal" VLAN) in head office will still be able to access the remote offices - so what's to stop someone using a remote office as a "jump point" onto my new "secure" VLAN?

e.g. if someone is able to gain control of a PC at the remote site, they could possibly then use that as a means to connect to the servers on the new VLAN? (Obviously we will have the appropriate user access privileges etc on the servers themselves so I'm perhaps just being overly cautious here!)

Is there any way to mitigate against this sort of thing happening? (As I say, it's possibly a bit of a far-fetched scenario in the first place but I just wanted to make sure I'd thought everything through - my main objective with the creation of the new VLAN is to make these servers more secure)


Jon Marshall Wed, 11/19/2008 - 10:39


It's very difficult to mitigate against this sort of thing or at least it is without spending a bit of money :-)

Perhaps you could restrict what traffic is allowed between your HQ and remote sites, as taking control of a PC requires certain protocols such as RDP/pcAnywhere etc.

But often this is just not practical.

Regardless of whether you had a firewall or just ACLs to protect your new server VLAN, the only real way to mitigate against this is by the allowed remote users using an authentication token such as SecurID, and you could then use the 6500 to intercept the request and pass it off to an ACS server.

But this is a lot of extra work, and even then if a user in HQ can take over a users PC in the remote site while they are logged into one of the servers they would still have circumvented it.

Put simply, the best you could do is to authenticate the users, but as you say the servers themselves do this. If these servers were accessed externally I may want to look into that, but yours aren't.

I suspect there are others that might disagree, but I think if you just put your servers on a new VLAN and control access with ACLs that is a lot better than what you have now.


Ryan Carretta Sat, 11/22/2008 - 14:57

As Jon previously mentioned, the simplest and most obvious way to do this would be with ACLs.

A combination of security features could make your server site network quite secure (DHCP snooping, Dynamic ARP inspection, IP Source Guard, as well as previously mentioned ACLs).

Another thing you may consider given your design requirement is the use of private VLANs. A community VLAN may suit your requirement well. Check this link:
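Added example of the features Ryan lists, not from the thread and using assumed values throughout: a community private VLAN so that only the secure servers can talk to each other at Layer 2 (nothing else in the primary VLAN can reach them without going through the SVI), DHCP snooping and Dynamic ARP Inspection on the VLAN, and IP Source Guard fed by static bindings on the server ports. VLAN 20 / 10.1.20.0/24, VLAN 201, the interface names and the MAC addresses are all assumptions.

```cisco
! Added example (not from the thread). Assumed: VLAN 20 = 10.1.20.0/24 is the
! primary VLAN, VLAN 201 is a community VLAN holding the secure servers,
! Gi1/1 is the trunk towards the DHCP server, Gi1/2 and Gi1/3 are server ports.
!
! Private VLANs need VTP transparent mode (or VTP version 3).
vtp mode transparent
!
vlan 20
 name SECURE-SERVERS
 private-vlan primary
 private-vlan association 201
vlan 201
 name SECURE-SERVERS-COMMUNITY
 private-vlan community
!
! Layer 2 hardening, configured on the primary VLAN
ip dhcp snooping
ip dhcp snooping vlan 20
ip arp inspection vlan 20
!
! Uplink: the only port allowed to source DHCP offers and unchecked ARP
interface GigabitEthernet1/1
 description Trunk towards distribution / DHCP server
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Server ports are community hosts. Servers with fixed addresses never
! appear in the DHCP snooping binding table on their own, so the static
! bindings below are what IP Source Guard and DAI check against.
interface GigabitEthernet1/2
 description Secure server 1
 switchport mode private-vlan host
 switchport private-vlan host-association 20 201
 ip verify source vlan dhcp-snooping
 spanning-tree portfast
!
interface GigabitEthernet1/3
 description Secure server 2
 switchport mode private-vlan host
 switchport private-vlan host-association 20 201
 ip verify source vlan dhcp-snooping
 spanning-tree portfast
!
! Assumed MACs; the binding VLAN is the port's secondary VLAN here.
! Confirm what your platform records with: show ip source binding
ip source binding 0000.0c11.2201 vlan 201 10.1.20.11 interface GigabitEthernet1/2
ip source binding 0000.0c11.2202 vlan 201 10.1.20.12 interface GigabitEthernet1/3
!
! The SVI must map the community VLAN, or the servers cannot be routed to
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
 private-vlan mapping 201
```

The community VLAN only changes Layer 2 reachability: the servers still use the Vlan20 SVI as their gateway, so routed access from remote sites is unchanged and the ACL Jon described remains the access control. Add the static bindings before enabling IP Source Guard on a port, otherwise the server is cut off the moment the command is applied. Check the result with `show vlan private-vlan`, `show ip dhcp snooping`, `show ip arp inspection vlan 20` and `show ip verify source`.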

