
New Member

Server isolation

Greetings,

We are looking into isolating our servers in our data center and would like your thoughts on the best way to approach this. We have a mesh network (MPLS) with 14 remote locations and a data center. The data center network ID is 10.10.110.0 and the servers I'd like to isolate are in that network range (along with PCs and printers).

I'm thinking that what we would need to do is assign one of our switches to be used just for servers, assign that switch (and the servers) IP addresses different from the data center (like 10.10.111.x) and connect the isolated network with the data center via a multi-homed router. That connection would allow us a 'choke point' that we could either set up with a firewall or IPS.

Thanks,

Chris


7 REPLIES
Hall of Fame Super Blue

Re: Server isolation

Chris

Certainly putting the servers on their own subnet makes a lot of sense and makes it much easier to apply security policies etc. What you might want to consider is leaving the servers on the 10.10.110.x network and readdressing printers/PCs as these are usually less susceptible to hard coded IP addresses within applications. Just a suggestion.

As for firewalling/IPS, it depends on throughput needed and current network devices in use in the data centre. Just be aware that firewalling at least introduces additional latency so you need to factor this in. Basically just don't put the servers behind a firewall that cannot keep up with the traffic.

Jon

New Member

Re: Server isolation

Thanks for the quick reply, Jon. I too was thinking about PC/printer readdressing... it would certainly be easier. The main goal for the project would be to isolate the servers and create a 'choke point' (while not choking ourselves). Would my assumptions be correct about needing a router to handle moving traffic between the servers and PCs/printers? So, physically, it would be router (WAN traffic) ==> Switch1 (servers) ==> router (internal) ==> Switch2-4 (PCs/printers).

Hall of Fame Super Blue

Re: Server isolation

Chris

What type of switches are you currently using? You only need a router if you don't already have a L3 switch.

Also bear in mind that a firewall can route between subnets as well as a router, although a router supports more routing protocols etc. And to complicate things even more :-), you can load a firewall feature set on a router as well!

Which devices do you currently use?

What is the level of expertise in your company in terms of IOS vs ASA/PIX firewalls?

Jon

New Member

Re: Server isolation

Actually, we do have a L3 switch. We're using 3560s. I've been working with IOS for several years at this point, though it's one of many hats I wear ;P And have worked with the old 515E PIX, though that has been a couple of years ago. We would actually use an IPS... currently it's in passive mode, which only provides us with alerting. Creating this choke point would allow us to put the device in in-line mode, which would allow us to remediate (drop traffic, etc., based on rulesets). Not sure if the IPS would handle any routing.

Chris

Hall of Fame Super Blue

Re: Server isolation

Chris

You could simply create a new VLAN on your 3560 switch and use the 3560 to route between them. At a basic level you could use ACLs on the 3560 VLAN interfaces to control traffic to the server VLAN.

That is basic level security. I don't have a huge amount of experience of IPS but you may well be able to put it inline in transparent mode so the server VLAN is still routed off the 3560 but the traffic has to go through the IPS to get to the servers.

Then your next step is to look at a firewall that connects to the 3560, and the 3560 then routes to the outside of the firewall. The servers are on the inside of the firewall. You would either need another switch for the servers or you could use a VLAN on the 3560 but not route it on the 3560, i.e. the L3 interface for the servers is on the firewall.

There are, as you can see, a number of options. Perhaps the best thing to begin with is to decide the level of security you need for the servers, i.e. would ACLs on the 3560 be a good start? And also, if you are looking to purchase an additional firewall/router, is there additional functionality you would need/like from the device?

That should help you narrow down your options.

Jon
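An added illustration of the first option Jon describes (server VLAN routed on the 3560, ACL on the SVI); this is example configuration written for this thread, not Jon's or Cisco's, and the VLAN numbers, interface names and the permitted service ports are assumptions. It uses Chris's proposed 10.10.111.x for the servers and keeps PCs/printers on 10.10.110.x.

```cisco
! Inter-VLAN routing is off by default on a 3560
ip routing
!
vlan 110
 name PCS-PRINTERS
vlan 111
 name SERVERS
!
! SVI for the existing PC/printer subnet; the ACL is applied inbound here,
! so packets are filtered before the switch routes them towards the servers.
interface Vlan110
 ip address 10.10.110.1 255.255.255.0
 ip access-group TO-SERVERS in
!
! SVI for the isolated server subnet
interface Vlan111
 ip address 10.10.111.1 255.255.255.0
!
! Source is "any" so traffic arriving from the 14 MPLS sites via the
! WAN router on VLAN 110 is filtered by the same lines as the local PCs.
ip access-list extended TO-SERVERS
 remark -- return traffic for sessions the servers opened (checks ACK/RST bits only, not stateful)
 permit tcp any 10.10.111.0 0.0.0.255 established
 remark -- services clients legitimately need from the servers (assumed list)
 permit tcp any 10.10.111.0 0.0.0.255 eq 445
 permit tcp any 10.10.111.0 0.0.0.255 eq 389
 permit udp any 10.10.111.0 0.0.0.255 eq 53
 permit udp any 10.10.111.0 0.0.0.255 eq 88
 remark -- anything else aimed at the server VLAN is dropped and logged
 deny   ip  any 10.10.111.0 0.0.0.255 log
 remark -- traffic to every other destination (WAN, other VLANs) is unaffected
 permit ip any any
!
! Trunk to the WAN router / other switches carries both VLANs
interface GigabitEthernet0/1
 description uplink
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 110,111
!
! Example server access port
interface FastEthernet0/10
 switchport mode access
 switchport access vlan 111
 spanning-tree portfast
```

Note that on the 3560 the ACL is evaluated in hardware but packets matching a `log` entry are punted to the CPU, so keep logging to the final deny and watch CPU load; the `established` keyword is a flag check, not connection tracking, which is why this remains the "basic level" Jon refers to.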

New Member

Re: Server isolation

Food for thought...Thanks, Jon.

Hall of Fame Super Blue

Re: Server isolation (accepted solution)

Chris

No problem. Didn't want to make the decision harder :-). If you have further queries later on please come back.

Jon
