Cisco Support Community
Community Member

Data Center Separation with Security

Dear Experts,

Please help.

Current Scenario :

Data Center with

  • 35 server-farm switches
  • 10 business groups
  • The same VLANs (3 of them)
  • No security
  • All business users can access all servers
  • If an outside vendor/partner accesses one server, he can access another business group's server from that server.

Network Architecture :

[Attached diagram: DC Network.jpg]

Want to migrate it with:

  • Separation of the network for each business group
  • For each business group, also separation of Application / Database / Production / POC / QA Test etc.
  • Any particular business user can access the servers of that business group only.
  • Normal users can access up to the application level only, not the DB servers directly.
  • Any vendor from an outside organization can access a specific server only; from that server he cannot access another business group's server.

Can you suggest the architecture for the same?



Data Center Separation with Security

Take a look at these CVDs. Don't worry about the products that are listed, just glean the design information out of them.

You may also want to review the DISA STIGs. They won't give you design information but you can use them as a guide on how to segment the BUs and application functions.

Community Member

Data Center Separation with Security

Dear Collin,

CVD is more related to the IT infra setup.

Up to VLAN segmentation and topology for the LAN it is OK.

My main concern is how I can segregate logically and apply security as desired (mentioned)?

I have thought simply:

  • Simply putting a firewall between the server-farm LAN distribution switch (L2) and the CORE.
  • All the VLANs / subinterfaces (based on firewall vendor) for different BUs and services per BU.
  • Applying access policy based on requirement on the firewall.

But from a scalability point of view it's not feasible.

  • How many VLANs will I create on the firewall?
  • How can I restrict users (BU-based access to servers)?

Note: The existing CORE switch, Cisco 4510R-E with SUP 5-10GE, does not support the FWSM or other service modules.

Hence I need to go for a physical firewall only.

Please suggest.


Data Center Separation with Security

I would create a separate server farm for each BU. Their default gateway would be on an ASA5585-X. Those firewalls would hang off of the core and provide filtering between the clients and each server farm. Your server farm switches still connect to the 4500, but I would move the SVIs to the ASA. That allows "open" communication between the users (i.e. VoIP) but firewalls the users from the BU server farms. Servers in a BU have open communication between them, but inter-BU communication would also be filtered.

Community Member

Data Center Separation with Security

Hi Collin Clark,

Thanks for the reply.

Can you explain in detail?

As I understood, you suggest to:

  • create all BUs' VLANs / subinterfaces on the firewall
  • create all user VLANs on the CORE
  • all users will communicate with each BU via the firewall
  • all BUs will have the DG of the firewall VLAN / subinterface
  • I can also create role-based policy using a Cisco Next-Gen Firewall.

Please correct me if I am wrong.


Data Center Separation with Security

You are understanding it correctly. However I don't understand your last bullet point:

  • I can also create role-based policy using a Cisco Next-Gen Firewall.

Can you elaborate on that?

Community Member

Data Center Separation with Security

Configuring firewall policy based on BUs, e.g.

  • BU-1 users can access only BU-1's servers
  • BU-2 users can access only BU-2's servers
  • System admins can access all BUs' servers
  • Developers can access only development servers
  • DB servers are accessible from application servers only, and DB admins can access the DB servers.

Likewise for others.

If there is any example of a configuration and architecture / design like this, please share.
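The policy described in this post, written out as an ASA configuration following Collin's design (BU server VLANs as subinterfaces on the ASA, user VLANs left on the core). This is an added example, not configuration from the thread or from Cisco; the interface names, VLAN numbers, addresses and port numbers are constructed placeholders.

```cisco
! Added example, not from the thread: ASA 5585-X policy for two BUs.
! VLAN numbers, addresses and names are constructed placeholders.
! One subinterface per BU tier on the trunk to the server-farm switches.
interface TenGigabitEthernet0/8.110
 vlan 110
 nameif bu1-app
 security-level 50
 ip address 10.1.10.1 255.255.255.0
interface TenGigabitEthernet0/8.111
 vlan 111
 nameif bu1-db
 security-level 60
 ip address 10.1.11.1 255.255.255.0
interface TenGigabitEthernet0/8.120
 vlan 120
 nameif bu2-app
 security-level 50
 ip address 10.1.20.1 255.255.255.0
! Link to the core; user VLANs stay on the 4510R-E and are reached via it.
interface TenGigabitEthernet0/9
 nameif users
 security-level 0
 ip address 10.0.0.2 255.255.255.252
route users 10.100.0.0 255.255.0.0 10.0.0.1
object-group network BU1-USERS
 network-object 10.100.1.0 255.255.255.0
object-group network BU2-USERS
 network-object 10.100.2.0 255.255.255.0
object-group network SYSADMIN
 network-object host 10.100.9.10
object-group network DB-ADMIN
 network-object host 10.100.9.20
! From the user side: each BU reaches only its own app tier over HTTPS,
! sysadmins reach every server, DB admins reach the DB tier; the rest is dropped.
access-list USERS-IN extended permit ip object-group SYSADMIN any
access-list USERS-IN extended permit ip object-group DB-ADMIN 10.1.11.0 255.255.255.0
access-list USERS-IN extended permit tcp object-group BU1-USERS 10.1.10.0 255.255.255.0 eq 443
access-list USERS-IN extended permit tcp object-group BU2-USERS 10.1.20.0 255.255.255.0 eq 443
access-list USERS-IN extended deny ip any any log
access-group USERS-IN in interface users
! Server side: the app tier may open SQL sessions to its own DB tier only;
! DB servers and other BUs get an explicit deny, so nothing crosses BU boundaries.
access-list BU1-APP-IN extended permit tcp 10.1.10.0 255.255.255.0 10.1.11.0 255.255.255.0 eq 1433
access-list BU1-APP-IN extended deny ip any any log
access-group BU1-APP-IN in interface bu1-app
access-list BU1-DB-IN extended deny ip any any log
access-group BU1-DB-IN in interface bu1-db
access-list BU2-APP-IN extended deny ip any any log
access-group BU2-APP-IN in interface bu2-app
```

The vendor case from the first post fits the same pattern: one host-to-host permit in USERS-IN for the vendor's address, while the inbound deny on each server interface stops that server from being used as a stepping stone into another BU. Return traffic for permitted sessions is handled by the ASA's stateful inspection, so the server-side denies do not break replies.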


Data Center Separation with Security

You bet. The best place is Cisco's Validated Design Guides.
