New Member

Creating logical separations

Imagine I have a rack of servers, some are on a DMZ and some are in the internal network. They all reside in the same rack. I am being asked to provide logical separation between the servers in the DMZ and the ones in the internal network WITHOUT using VLANs.

How do I do that? What switching solution?

Thanks

7 REPLIES
Silver

Creating logical separations

ex-engineer wrote:

Imagine I have a rack of servers, some are on a DMZ and some are in the internal network. They all reside in the same rack. I am being asked to provide logical separation between the servers in the DMZ and the ones in the internal network WITHOUT using VLANs.

How do I do that? What switching solution?

Thanks

Plug them into two sets of physically separate switches.

You *could*, theoretically, run them in different IP ranges on the same switch - but only if you don't want the switch to do routing, and only if you want a *serious* security risk (anyone who has access to a server on the DMZ could spoof an internal network IP address and compromise your network easily).

What's the objection to VLANs? That's the easiest, most cost-effective way to separate devices, and is exactly the scenario VLANs were originally conceived to meet.

Cheers.

New Member

Creating logical separations

Two separate switches? No, I asked about LOGICALLY separating the servers. I didn't make the requirement, someone else did...

Silver

Creating logical separations

ex-engineer wrote:

Two separate switches? No, I asked about LOGICALLY separating the servers. I didn't make the requirement, someone else did...

Well, what you're asking is impossible.

You can't logically separate segments like that without VLANs, so go back to your someone else and tell them it can't be done.

Cheers.

Cisco Employee

Creating logical separations

Private VLANs can possibly do some of what you want to do. I know you said no VLANs, but how strict is that requirement? The VLANs would be transparent to the servers but can still provide Layer 2 isolation from each other.

-Matt

Please excuse typos, sent from my Android phone.
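What Matt's private-VLAN suggestion looks like in practice, as an added example that is not part of any post in this thread: the servers stay in one primary VLAN and one IP subnet (so nothing changes on the hosts), but the DMZ servers sit in one community VLAN and the internal servers in another, and the only port that can reach both communities is the promiscuous uplink to the firewall. All VLAN IDs, interface numbers and descriptions are constructed for illustration; the commands are standard Catalyst IOS private-VLAN configuration.

```cisco
! Private VLANs require VTP transparent mode (or VTPv3) on the switch.
vtp mode transparent
!
! Primary VLAN seen by the rest of the network; two secondary community VLANs.
! VLAN IDs 100/101/102 are constructed for this example.
vlan 100
 name SERVERS-PRIMARY
 private-vlan primary
 private-vlan association 101,102
!
vlan 101
 name DMZ-COMMUNITY
 private-vlan community
!
vlan 102
 name INTERNAL-COMMUNITY
 private-vlan community
!
! DMZ servers: community 101. They can talk to each other and to the
! promiscuous port, but not to anything in community 102 at Layer 2.
interface GigabitEthernet1/0/1
 description DMZ server (constructed)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Internal servers: community 102, same primary VLAN, same rule.
interface GigabitEthernet1/0/11
 description Internal server (constructed)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Firewall/gateway uplink: promiscuous, mapped to both communities.
interface GigabitEthernet1/0/24
 description Uplink to firewall (constructed)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
end
!
! Verification: confirm the association and each port's role.
show vlan private-vlan
show interfaces GigabitEthernet1/0/1 switchport
```

This addresses the spoofing concern raised earlier in the thread: a DMZ host that forges an internal IP address still cannot deliver a frame to an internal server, because the switch will not forward between the two communities. The isolation is Layer 2 only, so the device on the promiscuous port must not bridge or proxy-ARP between the communities, and any cross-community reachability you do want has to be an explicit firewall decision.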

New Member

Re: Creating logical separations

I understand your confusion with the requirement. It's not mine. And I am just as stumped, which is why I posted on here... maybe they mean separation through VRFs or virtual contexts...?

Bronze

Re: Creating logical separations

Protected ports.

The requirement doesn't say you can't segment all the PCs from each other...
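The protected-port variant suggested above, as an added example that is not part of the original post: every server port is marked protected, so no server can exchange traffic with any other server on the switch, and the only non-protected port is the uplink to the firewall. This is coarser than the DMZ-versus-internal split the question asks for, which is the poster's point. Interface numbers and descriptions are constructed; the commands are standard Catalyst IOS.

```cisco
! Server ports 1-20 (constructed range): protected ports never forward
! unicast, broadcast or multicast traffic to another protected port on
! the same switch. They can only reach non-protected ports.
interface range GigabitEthernet1/0/1 - 20
 description DMZ and internal servers (constructed)
 switchport mode access
 switchport protected
 ! Also stop unknown-unicast and multicast flooding onto these ports,
 ! so a spoofing host cannot learn about its neighbours from flooded frames.
 switchport block unicast
 switchport block multicast
!
! Uplink to the firewall/gateway: deliberately NOT protected, so every
! server can reach it and all server-to-server traffic has to be routed
! through the firewall (which can then permit or deny it).
interface GigabitEthernet1/0/24
 description Uplink to firewall (constructed)
 switchport mode access
!
end
!
! Verification: "Protected: true" should appear for each server port.
show interfaces GigabitEthernet1/0/1 switchport | include Protected
```

One caveat a practitioner should check before relying on this: protected-port status is local to a single switch and is not carried across a trunk, so two protected ports on different switches in the rack can still talk to each other. If the servers span more than one switch, the private-VLAN approach (or physically separate switches) is the one that actually enforces the separation.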

New Member

Creating logical separations

I have come to the conclusion that there is absolutely no way to logically separate traffic from different servers without using VLANs. VRFs and VDCs will provide logical separation, but at their root they utilize VLAN technology. In the world of virtual servers, like VMware, there are tools like port groups (port profiles in the Nexus 1000V) that provide logical separation with a litany of characteristics to identify traffic types, BUT they, too, use VLANs as the base technology to logically separate server traffic.

I think the requirement was poorly written and perhaps meant to say VLANs alone are unacceptable.

At least this is the conclusion I have drawn after discussing with my colleagues.
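To make the poster's conclusion about VRFs concrete, here is an added example (not from any post in this thread) of VRF-lite on a Layer 3 switch: two VRFs give the DMZ and internal servers completely separate routing tables, but each VRF is attached to the servers through a VLAN interface, so VLANs are still doing the Layer 2 separation underneath. VRF names, VLAN IDs, interface numbers and the documentation-range IP addresses are constructed for illustration; the commands are standard IOS VRF-lite syntax.

```cisco
! Two routing tables. A route leaked into neither will never be
! reachable from the other, regardless of what a host spoofs.
vrf definition DMZ
 address-family ipv4
 exit-address-family
!
vrf definition INTERNAL
 address-family ipv4
 exit-address-family
!
! The attachment point for each VRF is an SVI, i.e. a VLAN interface.
! VLAN IDs 10/20 and the addresses (RFC 5737 documentation ranges) are constructed.
vlan 10
 name DMZ
vlan 20
 name INTERNAL
!
interface Vlan10
 vrf forwarding DMZ
 ip address 192.0.2.1 255.255.255.0
!
interface Vlan20
 vrf forwarding INTERNAL
 ip address 198.51.100.1 255.255.255.0
!
! Server access ports land in the VLAN that belongs to their VRF.
interface GigabitEthernet1/0/1
 description DMZ server (constructed)
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/11
 description Internal server (constructed)
 switchport mode access
 switchport access vlan 20
!
end
!
! Verification: each VRF's table should contain only its own connected subnet.
show ip route vrf DMZ
show ip route vrf INTERNAL
show vrf
```

The VRFs separate the Layer 3 domains, so a DMZ host has no route to the internal subnet inside the switch at all, but removing the `vlan 10`/`vlan 20` definitions would leave the VRFs with nothing to attach to. That is exactly the dependency the post above describes, and it is why the requirement is most plausibly read as "VLANs alone are not enough" rather than "no VLANs".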
