Server VLAN

Unanswered Question
May 3rd, 2010

Hello:

Ten years ago when I first deployed my network I only needed one subnet. I settled on a 192 subnet at that time with ".1" being my firewall to the Internet. As time went on all my servers came online on that subnet. I have added additional subnets over the years. Right now the interface for my firewall is on the VLAN for all my servers. The network is fully switched so I don't think it is a huge problem, but here is my question.

Would it be better to have my servers on a VLAN that is not on the same subnet as my firewall?  I can see some pros to doing this.  Is this the best practice?

Harrison 

Federico Coto F... Mon, 05/03/2010 - 12:53

Hi,

I think it is definitely a best practice to have your servers logically segmented in a separate VLAN.

Also, you can further isolate the servers using Private VLANs (PVLANs).

Normally, the servers are also placed on different VLANs depending on whether they should be accessible from the Internet or are private servers.

I guess it depends a lot on your setup.

Federico.

Jon Marshall Mon, 05/03/2010 - 12:53

HMidkiff wrote:

Hello:

Ten years ago when I first deployed my network I only needed one subnet. I settled on a 192 subnet at that time with ".1" being my firewall to the Internet. As time went on all my servers came online on that subnet. I have added additional subnets over the years. Right now the interface for my firewall is on the VLAN for all my servers. The network is fully switched so I don't think it is a huge problem, but here is my question.

Would it be better to have my servers on a VLAN that is not on the same subnet as my firewall?  I can see some pros to doing this.  Is this the best practice?

Harrison 

Harrison

Yes, it is better to have your server vlan separate from the firewall vlan. Ideally you should have a dedicated vlan for communication between your L3 switch and your firewall. I'm assuming you have an L3 switch as you now have multiple vlans internally. It is best practice for servers to be on their own dedicated vlan whenever you can.

Is it critical? No, it isn't, but generally speaking vlans should be dedicated to a specific purpose, and by having your current setup you have a vlan doing 2 things, i.e. containing servers and being a transit network between your L3 switch and the firewall.

Jon
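
The layout described in the reply above, sketched as a Cisco IOS-style L3 switch configuration. This is an added example, not part of the thread; the platform, VLAN IDs, names, port and addresses are assumptions chosen for illustration.

```cisco
! Added example: all VLAN IDs, names, ports and addresses are assumed values.
ip routing
!
vlan 10
 name SERVERS
vlan 254
 name FW-TRANSIT
!
! Server VLAN: the L3 switch, not the firewall, is the servers' default gateway.
interface Vlan10
 description Server gateway
 ip address 192.168.10.1 255.255.255.0
!
! Transit VLAN: only the switch SVI and the firewall inside interface live here,
! so the VLAN has one purpose and a /30 leaves no room for other hosts.
interface Vlan254
 description Transit to firewall
 ip address 192.168.254.2 255.255.255.252
!
! Access port facing the firewall inside interface.
interface GigabitEthernet1/0/1
 description Firewall inside
 switchport mode access
 switchport access vlan 254
!
! Everything not routed internally goes to the firewall's transit address.
ip route 0.0.0.0 0.0.0.0 192.168.254.1
!
! On the firewall (syntax depends on the product): inside interface
! 192.168.254.1/30, plus a route for 192.168.10.0/24 and for every other
! internal subnet via 192.168.254.2, otherwise return traffic is dropped.
```

Once the firewall no longer sits on the server subnet, inter-VLAN traffic to the servers is routed by the switch, so any filtering between user VLANs and the server VLAN has to be applied there.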
