Server VLAN

Hello:

Ten years ago when I first deployed my network I only needed one subnet. I settled on a 192 subnet at that time with ".1" being my firewall to the Internet. As time went on all my servers came online on that subnet. I have added additional subnets over the years. Right now the interface for my firewall is on the VLAN for all my servers. The network is fully switched so don't think it is a huge problem but here is my question.

Would it be better to have my servers on a VLAN that is not on the same subnet as my firewall? I can see some pros to doing this. Is this the best practice?

Harrison

3 REPLIES
Re: Server VLAN

Harrison

Yes, it is better to have your server VLAN separate from the firewall VLAN. Ideally you should have a dedicated VLAN for communication between your L3 switch and your firewall. I'm assuming you have an L3 switch as you now have multiple VLANs internally. It is best practice for servers to be on their own dedicated VLAN whenever you can.

Is it critical? No, it isn't, but generally speaking VLANs should be dedicated to a specific purpose, and by having your current setup you have a VLAN doing 2 things, i.e. containing servers and being a transit network between your L3 switch and the firewall.

Jon
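
An added configuration sketch of the layout described in the reply above (not part of the original thread): servers on their own VLAN, and a separate transit VLAN that carries only the link between the L3 switch and the firewall. It assumes a Cisco IOS L3 switch; the VLAN IDs, names, interface numbers and addresses are constructed for illustration.

```cisco
! Constructed example values: VLAN IDs, names, ports and addresses are assumptions.
vlan 10
 name SERVERS
vlan 99
 name FW-TRANSIT
!
! Enable inter-VLAN routing on the L3 switch
ip routing
!
! Server VLAN: the switch SVI is the servers' default gateway
interface Vlan10
 description Server gateway (SVI on the L3 switch)
 ip address 192.168.10.1 255.255.255.0
 no shutdown
!
! Transit VLAN: point-to-point /30, no hosts live here
interface Vlan99
 description Transit to firewall only
 ip address 10.255.99.2 255.255.255.252
 no shutdown
!
! Only the firewall's inside interface (10.255.99.1) is in the transit VLAN
interface GigabitEthernet1/0/1
 description Link to firewall inside interface
 switchport mode access
 switchport access vlan 99
!
! Server-facing access port
interface GigabitEthernet1/0/10
 description Server port
 switchport mode access
 switchport access vlan 10
!
! Everything not routed internally goes to the firewall over the transit VLAN
ip route 0.0.0.0 0.0.0.0 10.255.99.1
```

With this layout the firewall no longer sits in any internal subnet, so it needs a return route for each internal subnet pointing at the switch's transit address (10.255.99.2 in this sketch).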

Re: Server VLAN

Hi,

I think that it is definitely a best practice to have your servers logically segmented in a separate VLAN.

Also, you can further isolate the servers using Private VLANs (PVLANs).

Normally, the servers are also placed on different VLANs depending on whether they should be accessible from the Internet or are private servers.

I guess it depends a lot on your setup.

Federico.

Re: Server VLAN

Thanks for replying. Your post was very helpful....
