Intervlan vs private vlan setup

I'm working on our co-location setup and I'm getting ready to make some upgrades, and I'm not quite sure what the best solution is. Here is what I have now:

- a block of 32 IPs from the provider

- one firewall in front of all of my devices

- one unmanaged switch connecting everything

- 3 web servers and one database server

What I would like to do is replace the unmanaged switch with a 3560G switch and separate my three web servers into different VLANs or private VLANs. The database would have to be accessed from all three of those servers. My question is, which would be the better solution: separating everything using VLANs and doing inter-VLAN routing, or using private VLANs? Down the road I plan to add another switch for redundancy. In addition, I plan to replace two of the web servers with clusters behind ACE appliances. Any suggestions or recommendations would be more than welcome.

Thanks

Jon Marshall Mon, 03/30/2009 - 12:06

George

A lot depends on the addressing. The advantage of using private VLANs is that you don't have to lose addresses by splitting up a subnet in order to have separate L3 VLANs.

Also, depending on your firewall's capabilities, you should look to route the web server/database VLANs off the firewall (it's not clear from your thread whether that is what you are proposing).

Jon
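As an added example (not from Jon's reply or from the original poster), this is what the private-VLAN variant looks like on a 3560 while the whole /27 stays one subnet with 10.10.10.1 as everyone's gateway. VLAN numbers, port assignments and descriptions are assumptions:

```cisco
! Added example: 3560 private VLANs, one flat 10.10.10.0/27, gateway 10.10.10.1
! beyond the transparent firewall. VLAN IDs and port roles are assumptions.
!
! PVLANs on the 3560 require VTP transparent mode.
vtp mode transparent
!
! Secondary (isolated) VLAN: hosts here can only talk to promiscuous ports.
vlan 101
 private-vlan isolated
!
! Primary VLAN carrying the isolated VLAN.
vlan 100
 private-vlan primary
 private-vlan association 101
!
! Inside port of the transparent ASA, i.e. the path to the ISP router.
interface GigabitEthernet0/1
 description inside of the transparent ASA, toward ISP router 10.10.10.1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
!
! The three web servers: same /27, but no layer-2 path between them.
interface range GigabitEthernet0/2 - 4
 description web1 - web3, isolated from each other
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! The database server. Choice to make: on an isolated port the web servers
! cannot reach it at all; on a promiscuous port (as below) they reach it
! directly and never cross the firewall. A PVLAN gives isolation, not a
! policy point between the web tier and the database.
interface GigabitEthernet0/5
 description database server
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
```

Check the result with `show vlan private-vlan` and `show interfaces switchport`. No addressing changes on the servers, which is the point Jon makes about not losing addresses; what you do not get is any filtering of web-to-database traffic.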

Jon,

Thanks for your response. What do you mean by "you should look to route the web server/database VLANs off the firewall"? My firewall is currently in transparent mode; I don't route anything, I just forward any traffic outside my subnet to the default gateway, which is the ISP's router.

Also, when it comes to addressing, let's say that my block from the ISP is 10.10.10.0/27 and the IP of the ISP's router is 10.10.10.1. If I put in place the 3560 with different VLANs, I want to have the following:

VLAN 1 - 10.10.10.8/29

VLAN 2 - 10.10.10.16/29

VLAN 3 - 10.10.10.24/29

Also, let's say that my switch is connected to the ISP on port fa0/1, which is not part of my 3 VLANs. If I give this port the IP address 10.10.10.2, what subnet mask should it have?

Thanks.

Jon Marshall Mon, 03/30/2009 - 14:41

George

What I meant was that if your web servers are being accessed from the Internet, then you would ideally want to firewall them from your database server. I'm assuming your database server

1) is accessed from the web servers

2) contains information valuable to the company

If the database server is only accessed from internal clients then this is not so much of a problem.

If your firewall is in transparent mode and a web server is compromised, then it is a simple matter to jump across to the database server. You can mitigate this with ACLs, but that is not as secure as stateful firewalling.

Addressing: so your ISP gives you a /27. If you are happy to split this up into /29s then fine, but you lose addresses each time you split up the subnet. And you may well need to use a /30 to connect to the ISP.

A common setup is to use private addressing on the internal servers and then use the /27 as a whole subnet. You can then use NAT to present the internal servers to the Internet with public addressing. But with your existing setup you can't do this, as your firewall is in transparent mode and the 3560 is not capable of NAT.

Jon
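For comparison, the inter-VLAN routing variant with the /29 split from the earlier post, as an added example that is not from Jon's reply. It assumes the transparent ASA stays inline on the uplink, that 10.10.10.0/29 becomes the link subnet (so the switch uplink gets a /29 mask), that the database gets a private subnet of its own because nothing outside ever needs to reach it, and that the database listens on TCP 1433; VLAN IDs and port numbers are assumptions as well:

```cisco
! Added example: 3560 inter-VLAN routing with the /29 split. VLAN IDs, ports,
! the private DB subnet and the DB port (TCP 1433) are assumptions.
ip routing
!
vlan 10
 name web1
vlan 20
 name web2
vlan 30
 name web3
vlan 40
 name db
!
! Uplink to the ISP router 10.10.10.1, transparent ASA inline on this link.
! 10.10.10.0/29 is assumed to be the link subnet, hence the /29 mask. Ask the
! ISP to route 10.10.10.8/29, .16/29 and .24/29 to 10.10.10.2; without that
! route the ISP router only finds those hosts because the switch proxy-ARPs
! for them on the link, which works but is easy to break.
interface GigabitEthernet0/1
 description ISP uplink
 no switchport
 ip address 10.10.10.2 255.255.255.248
!
ip route 0.0.0.0 0.0.0.0 10.10.10.1
!
! Cost of the split: each /29 spends network, broadcast and the gateway SVI,
! leaving 5 server addresses, against 30 if the /27 were kept whole.
interface Vlan10
 ip address 10.10.10.9 255.255.255.248
 ip access-group FROM-WEB in
!
interface Vlan20
 ip address 10.10.10.17 255.255.255.248
 ip access-group FROM-WEB in
!
interface Vlan30
 ip address 10.10.10.25 255.255.255.248
 ip access-group FROM-WEB in
!
! The DB is reached only from the web tier, so it needs no public address.
interface Vlan40
 ip address 192.168.40.1 255.255.255.248
!
interface GigabitEthernet0/2
 description web1
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/3
 description web2
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet0/4
 description web3
 switchport mode access
 switchport access vlan 30
!
interface GigabitEthernet0/5
 description database server 192.168.40.2
 switchport mode access
 switchport access vlan 40
!
! Router ACL, inbound on every web SVI: a web server may open the DB listener
! and anything on the Internet, but not the DB otherwise and not the other
! web subnets (the deny lines also cover the gateway SVIs). This is stateless
! filtering: it says nothing about connections the DB opens toward the web
! tier, which is the gap Jon means by "not as secure as stateful firewalling".
ip access-list extended FROM-WEB
 permit tcp any host 192.168.40.2 eq 1433
 deny   ip any 192.168.40.0 0.0.0.7
 deny   ip any 10.10.10.8 0.0.0.7
 deny   ip any 10.10.10.16 0.0.0.15
 permit ip any any
```

Verify with `show ip route`, `show ip access-lists FROM-WEB` (hit counters) and a connection attempt from one web server to another. If the servers need to ping their own gateway, add a `permit icmp` for it ahead of the deny lines.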

Thanks again, Jon.

I get your point regarding placing a firewall between the web and database servers.

Now regarding inter-VLAN routing, addressing and a private subnet with NAT: I could definitely switch to routed mode and use NAT (I'm using an ASA 5510). But:

1. Will that impact performance (port translation)?

2. How will that affect web servers using SSL? From what I understand the SSL certificate is issued to / or in some way tied to the IP address, correct? And now all of my servers would have private addresses...

Thanks again.
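The routed-mode NAT design Jon describes, on an ASA 5510, as an added example that is not from either poster. It uses the pre-8.3 NAT syntax (assumed for a 2009-era image; 8.3 and later use object NAT), private addressing on the servers, the public /27 kept whole on the outside interface, and a separate inside interface for the database so that the web tier has to cross a stateful policy to reach it. Interface names, VLAN IDs, addresses and the database port are assumptions. On the certificate question: a server certificate is issued for the host name clients connect to, so as long as DNS maps that name to the public address the ASA presents, the private address behind the NAT does not matter to TLS.

```cisco
! Added example: ASA 5510 in routed mode, pre-8.3 NAT syntax (assumed).
! Interface names, VLAN IDs, addresses and the DB port (TCP 1433) are
! assumptions. Switching modes (no firewall transparent) clears the
! running configuration, so prepare this offline.
!
interface Ethernet0/0
 description to ISP router 10.10.10.1
 nameif outside
 security-level 0
 ip address 10.10.10.2 255.255.255.224
!
! Trunk to the 3560; the physical port carries the two server VLANs.
interface Ethernet0/1
 description trunk to the 3560
 no nameif
 no shutdown
!
interface Ethernet0/1.10
 vlan 10
 nameif web
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/1.20
 vlan 20
 nameif db
 security-level 80
 ip address 192.168.20.1 255.255.255.248
!
route outside 0.0.0.0 0.0.0.0 10.10.10.1
!
! One public address per web server, translated 1:1 in both directions.
! The public /27 stays one subnet; nothing is lost to extra gateways.
static (web,outside) 10.10.10.11 192.168.10.11 netmask 255.255.255.255
static (web,outside) 10.10.10.12 192.168.10.12 netmask 255.255.255.255
static (web,outside) 10.10.10.13 192.168.10.13 netmask 255.255.255.255
!
! From the Internet, only the web listeners are reachable.
object-group network WEB-PUBLIC
 network-object host 10.10.10.11
 network-object host 10.10.10.12
 network-object host 10.10.10.13
object-group service WEB-PORTS tcp
 port-object eq www
 port-object eq https
access-list OUTSIDE-IN extended permit tcp any object-group WEB-PUBLIC object-group WEB-PORTS
access-group OUTSIDE-IN in interface outside
!
! The web tier may open only the DB listener toward the db interface, nothing
! else on that subnet; outbound Internet access (updates, DNS) stays open.
access-list WEB-IN extended permit tcp 192.168.10.0 255.255.255.0 host 192.168.20.2 eq 1433
access-list WEB-IN extended deny ip any 192.168.20.0 255.255.255.248
access-list WEB-IN extended permit ip 192.168.10.0 255.255.255.0 any
access-group WEB-IN in interface web
!
! Stateful inspection returns the DB's replies to web-initiated connections
! on its own, so the DB never needs to open a connection anywhere. Deny it,
! which is what a router ACL on the switch cannot express.
access-list DB-IN extended deny ip any any
access-group DB-IN in interface db
```

Test from a web server: a connection to 192.168.20.2:1433 should succeed, any other port on the DB should fail, and from the DB nothing outbound should work at all. The three web servers share one VLAN here and can still reach each other at layer 2; a private VLAN on the switch closes that path.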
