03-15-2012 05:16 PM - edited 03-07-2019 05:35 AM
Imagine I have a rack of servers, some are on a DMZ and some are in the internal network. They all reside in the same rack. I am being asked to provide logical separation between the servers in the DMZ and the ones in the internal network WITHOUT using VLANs.
How do I do that? What switching solution?
Thanks
03-15-2012 05:21 PM
ex-engineer wrote:
Imagine I have a rack of servers, some are on a DMZ and some are in the internal network. They all reside in the same rack. I am being asked to provide logical separation between the servers in the DMZ and the ones in the internal network WITHOUT using VLANs.
How do I do that? What switching solution?
Thanks
Plug them into two sets of physically separate switches.
You *could*, theoretically, run them in different IP ranges on the same switch - but only if you don't want the switch to do routing, and only if you want a *serious* security risk (anyone who has access to a server on the DMZ could spoof an internal network IP address and compromise your network easily).
What's the objection to VLANs? That's the easiest, most cost-effective way to separate devices, and is exactly the scenario VLANs were originally conceived to meet.
Cheers.
03-15-2012 05:30 PM
Two separate switches? No, I asked about LOGICALLY separating the servers. I didn't make the requirement, someone else did...
03-15-2012 05:36 PM
ex-engineer wrote:
Two separate switches? No, I asked about LOGICALLY separating the servers. I didn't make the requirement, someone else did...
Well, what you're asking is impossible.
You can't logically separate segments like that without VLANs, so go back to your someone else and tell them it can't be done.
Cheers.
03-15-2012 05:48 PM
Private vlans can possibly do some of what you want to do. I know you said no vlans but how strict is that requirement? The vlans would be transparent to the servers but can still provide layer 2 isolation from each other.
-Matt
Please excuse typos sent from my android phone.
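What a private VLAN build-out of the rack looks like on a Catalyst switch, as an added example that is not part of the thread or any poster's configuration. It assumes a primary VLAN 100 with an isolated secondary 101 for the DMZ servers and a community secondary 102 for the internal servers, server ports Gi0/1 and Gi0/5, and an uplink to the firewall on Gi0/24; all of those numbers are assumptions. The servers themselves see untagged Ethernet and a single subnet, which is the "transparent to the servers" property mentioned above.

```cisco
! Added example, not from the thread. Interface and VLAN numbers are assumed.
! Private VLANs need VTP transparent mode (or VTP v3) on older Catalyst platforms.
vtp mode transparent
!
! Secondary VLANs first, then the primary that associates them.
vlan 101
 name dmz-isolated
 private-vlan isolated
!
vlan 102
 name internal-community
 private-vlan community
!
vlan 100
 name servers-primary
 private-vlan primary
 private-vlan association 101,102
!
! DMZ server: isolated port. It can reach only the promiscuous (firewall) port,
! not other DMZ servers and not the internal servers.
interface GigabitEthernet0/1
 description DMZ server (isolated)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
 spanning-tree portfast
!
! Internal server: community port. It can reach other internal servers in
! community 102 and the promiscuous port, but not isolated DMZ ports.
interface GigabitEthernet0/5
 description internal server (community)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
 spanning-tree portfast
!
! Uplink to the firewall: promiscuous port, mapped to both secondaries,
! so the firewall is the only path between DMZ and internal servers.
interface GigabitEthernet0/24
 description uplink to firewall (promiscuous)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Verify the association and port roles:
!   show vlan private-vlan
!   show interfaces GigabitEthernet0/1 switchport
```

Two caveats a practitioner should check before relying on this: the isolation is layer 2 only, so a DMZ host can still send a frame to the promiscuous port with an internal server's destination IP, and whether it gets forwarded back down into community 102 is decided by the firewall (or by the router with `no ip redirects` and local proxy-ARP disabled), not by the switch; and private VLANs must be carried with matching primary/secondary definitions on every switch in the path, or the isolation ends at the trunk.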
03-15-2012 05:50 PM
I understand your confusion with the requirement. It's not mine. And I am just as stumped, which is why I posted on here... maybe they mean separation through VRFs or virtual contexts?
03-15-2012 06:33 PM
protected ports
The requirement doesn't say you can't segment all the PCs from each other...
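The protected-port approach in the post above, written out as an added example that is not the poster's configuration. It assumes a Catalyst IOS switch where Gi0/1 through Gi0/8 face the servers (DMZ and internal mixed, all in the default VLAN) and Gi0/24 is the uplink to the firewall; those interface numbers are assumptions. Every server port is marked protected, so no server can exchange unicast, multicast or broadcast frames with any other server on this switch; the only unprotected port is the uplink, which is where the firewall then has to enforce DMZ-versus-internal policy.

```cisco
! Added example, not from the thread. Interface numbers are assumed.
! All server ports protected: a protected port never forwards traffic to
! another protected port on the same switch, only to unprotected ports.
interface range GigabitEthernet0/1 - 8
 description server port (protected: no L2 traffic to other server ports)
 switchport mode access
 switchport protected
 ! One MAC per port makes it harder for a DMZ host to impersonate a neighbour.
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 spanning-tree portfast
!
! Uplink to the firewall is the one unprotected port; every server can reach it,
! and the firewall decides what may be forwarded back down.
interface GigabitEthernet0/24
 description uplink to firewall (unprotected)
 switchport mode access
!
! Verify: the switchport detail should show "Protected: true" on server ports.
!   show interfaces GigabitEthernet0/1 switchport | include Protected
```

The check that matters here is scope: `switchport protected` is purely local to one switch, so if the rack grows to a second switch, a protected port on switch A can still reach a protected port on switch B over the inter-switch link, and the design falls back to the two-physical-switches answer or to private VLANs. Because all servers still share one subnet and broadcast domain, the spoofing risk raised earlier in the thread also remains for any traffic that goes up to the firewall; port security on the server ports narrows it but does not remove it.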
03-17-2012 01:38 AM
I have come to the conclusion that there is absolutely no way to logically separate traffic from different servers without using VLANs. VRFs and VDCs will provide logical separation, but at their root they utilize VLAN technology. In the world of virtual servers, like VMware, there are tools like port groups (port profiles in the Nexus 1000v) that provide logical separation with a litany of characteristics to identify traffic types, BUT they, too, use VLANs as the base technology to logically separate server traffic.
I think the requirement was poorly written and perhaps meant to say VLANs, alone, are unacceptable.
At least this is the conclusion I have drawn after discussing with my colleagues.