Separate Network

Unanswered Question
Jan 26th, 2009

Currently we have a network that is not physically separated but separated using VLANs. Servers and workstations are in a VLAN, IP Phones are in a VLAN. We host a web application for our customers and we would like to separate the servers that host the web app from the rest of the devices physically. We were thinking about putting a router in between the customer-facing servers and the rest of the back-office environment. Is there a better way of doing this? Thanks in advance.

Jon Marshall Mon, 01/26/2009 - 11:21

It's difficult to say without knowing your current devices in your network.

You can go from using ACLs to VRF-lite (if supported) to using a firewall device and having the customer servers on a dedicated DMZ.

Perhaps if you could let us know the current topology, the network devices you have, how the customer connects to their web servers, and whether your internal people need access to these servers as well?


j_Pearcy00 Mon, 01/26/2009 - 11:26

Currently at the perimeter there are two firewalls in an HA failover setup. Those go into the core switches, which all servers and distribution switches are plugged into. A recent outage was caused by a network loop. We are using spanning tree and loop protection on the switches but the loop still affected us. We are looking for the best way to separate the networks so that if something causes an outage on one network it doesn't affect the other.

Jon Marshall Mon, 01/26/2009 - 11:35


Assuming when you say separate the networks you mean the customer and your networks, then the best way is physically if you are concerned with STP loops. Depends on whether or not you have spare interfaces on your firewalls. If you are trying to protect the customer web servers I would look to use dedicated switches for these servers and connect them directly to the firewalls.

However this doesn't address your real issue, which is STP loops by the sounds of it. Do you know where/how the loop was created?


j_Pearcy00 Mon, 01/26/2009 - 11:42

There was someone in the help desk that set up a small unmanaged Linksys switch for someone that didn't have enough network connections, and when someone was moving the loop was caused at that location. I don't want to use those devices but people just keep doing things without informing us. I just want to try and separate everything as much as possible. If the customers' servers are still connected to the firewall that the rest of the network is connected to and a loop happens, would they still get hit by the loop since there is a common connection? Or would the firewall stop the loop? Wouldn't this be similar to a router between the networks? We are trying not to overwork the firewall.

Jon Marshall Mon, 01/26/2009 - 12:02

"Or the firewall would stop the loop?"

Unless your firewall is in transparent mode then yes, it would stop the loop, or to put it more accurately, the effects of the loop would not propagate past the firewall.

But the firewall could still suffer from the number of packets in a broadcast storm. So yes you could insert a router between your internal switches and the firewalls but this may well affect the firewall failover capabilities.

The key issue is this. If your servers, firewalls, new routers etc. are still connecting into the switches that are experiencing a broadcast storm, you haven't really fixed anything. So for complete isolation you need switches (redundant) and routers (redundant) between your existing firewalls and your core switches. And obviously now your IP addressing needs changing because you are separating your firewalls from your core switches with L3 routers.

Gets complicated and expensive. Alternatively you could look into storm control and more importantly port security to try and limit/stop help desk people creating loops.

And there is the non-technical aspect that you need to address. Might sound severe but help desk people need to understand that network connectivity is not their area of responsibility. If you have customers that buy a service off you and they lose connectivity because a non-network person has accidentally created a loop they, the help desk personnel, need to be made aware of the consequences.

I appreciate it's easier said than done, but do you really want to be redesigning a large part of your network at considerable expense rather than locking down your existing network both with technology (port security, storm control, shut down inactive ports etc.) and better procedures?
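The lock-down Jon lists (port security, storm control, shutting down inactive ports) as an added Cisco IOS access-switch configuration example; this is not from the thread, and the interface numbers, VLAN numbers and thresholds are assumed. BPDU guard is included as an assumption beyond the thread because a Cisco switch's own BPDUs looping back through an unmanaged switch will trip it on the receiving port.

```text
! Added example: access-layer lock-down on a Cisco IOS switch.
! Interface numbers, thresholds and VLANs 10/999 are assumed values.
!
! Recover error-disabled ports automatically after 5 minutes so a
! tripped port does not need a manual visit (remove to force review).
errdisable recovery cause psecure-violation
errdisable recovery cause bpduguard
errdisable recovery cause storm-control
errdisable recovery interval 300
!
! User-facing access ports
interface range GigabitEthernet1/0/1 - 24
 description User access - single host only
 switchport mode access
 switchport access vlan 10
 ! PortFast + BPDU guard: an unmanaged switch looping two of these
 ! ports returns our own BPDUs, and the receiving port err-disables.
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! Port security: one learned MAC per port; a second device appearing
 ! behind a daisy-chained consumer switch shuts the port instead of joining.
 ! Ports carrying an IP phone plus a PC need a voice VLAN and maximum 2.
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 ! Storm control: err-disable the port if broadcast or multicast exceeds
 ! 1% of link bandwidth, bounding the blast radius of a loop.
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 storm-control action shutdown
 storm-control action trap
!
! Unused ports: shut down and parked in an unrouted VLAN
interface range GigabitEthernet1/0/25 - 48
 description Unused - parked
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Verification commands
! show port-security interface GigabitEthernet1/0/1
! show storm-control
! show interfaces status err-disabled
```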


j_Pearcy00 Mon, 01/26/2009 - 12:33

We are not afraid to spend the money as long as it solves the problem.

Jon Marshall Mon, 01/26/2009 - 12:37


Understood, and I didn't mean to suggest you shouldn't be looking at a technology solution, just that it's actually very difficult to stop internal people doing the wrong thing!

Which is the most important to you - the customer web servers or your internal network access?


