Server Farm Firewalling

Hi,

My name is Jay Kishan and I am currently working as a network administrator in my company. We have just finished the first phase of implementing a Server Farm in our Data Center, i.e. all servers in a different VLAN and all users in a separate VLAN. (Actually we have 6 different VLANs for users based on what floor they reside on, but let's just call it a single User VLAN.)

Anyways, so now my manager wants me to put a firewall in between the Server VLAN and the User VLAN. We have around 80 servers running different applications. I think that putting a firewall in between the two VLANs will have a performance hit, since the throughput required between the two VLANs is way too much for a normal firewall to support.

I just want to know the best practice the industry follows for firewalling in a server farm and the main reasons for it. I am searching for some solution myself but would really appreciate any help. As far as I could find, only critical servers are placed behind a firewall in a separate VLAN, and inbound and outbound traffic for that VLAN is passed through the firewall. Also, what is the best thing to do: place a separate hardware firewall like an ASA5510 or use an FWSM in a Cisco 6500?

Thanks in advance.

- Jay

1 ACCEPTED SOLUTION

Re: Server Farm Firewalling

Hi Jay,

The best recommended practice is to have servers behind the firewall, so that restricted access will be granted via the firewall on these servers, which can be achieved via ACL deployment on switches. But a firewall will give additional features for blocking, with stateful inspection and stateful failover.

The ASA supports firewalling/VPN/IPS/IDS/content filtering, so it is a fully featured security device, and the FWSM is a module that goes into a 6500 chassis, but it is important to note that it is only a firewall, i.e. it doesn't support IDS/IPS/VPN etc.

So it is up to your choice how you want to segregate the VLAN traffic using a firewall.

Hope to Help !!

Ganesh.H

Remember to rate the helpful post
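
The difference between a per-packet switch ACL and stateful inspection mentioned in the answer above, as an added example that is not part of the original thread. It is a simplified model: the addresses, ports and the single permitted service (TCP/443) are constructed assumptions.

```python
from collections import namedtuple

# Constructed packet model: all addresses and ports are made up for illustration.
Packet = namedtuple("Packet", "src sport dst dport flags")

USER_NET = "10.10."      # assumed user VLAN prefix
SERVER = "10.20.0.10"    # assumed web server in the server VLAN

def stateless_acl(pkt):
    """Switch-style ACL: each packet is judged alone, with no memory."""
    # Users may reach the server on TCP/443.
    if pkt.src.startswith(USER_NET) and pkt.dst == SERVER and pkt.dport == 443:
        return True
    # Return traffic needs its own static rule keyed on source port 443.
    if pkt.src == SERVER and pkt.sport == 443 and pkt.dst.startswith(USER_NET):
        return True
    return False

class StatefulFirewall:
    """Tracks sessions opened from the user side; replies must match one."""
    def __init__(self):
        self.conns = set()

    def permit(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.src.startswith(USER_NET) and pkt.dst == SERVER and pkt.dport == 443:
            if pkt.flags == "SYN":
                self.conns.add(key)   # new session enters the state table
                return True
            return key in self.conns  # mid-stream packet needs a session
        # Reply direction: allowed only if it mirrors a tracked session.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conns

def compare(packets):
    """Return (acl_verdict, stateful_verdict) for each packet, in order."""
    fw = StatefulFirewall()
    return [(stateless_acl(p), fw.permit(p)) for p in packets]

SAMPLE = [  # constructed traffic
    Packet("10.10.1.5", 50000, SERVER, 443, "SYN"),      # user opens session
    Packet(SERVER, 443, "10.10.1.5", 50000, "SYN-ACK"),  # reply to that session
    Packet(SERVER, 443, "10.10.2.9", 40000, "ACK"),      # no session behind it
    Packet("10.10.1.5", 50001, SERVER, 22, "SYN"),       # service not permitted
]

if __name__ == "__main__":
    for pkt, (acl, fw) in zip(SAMPLE, compare(SAMPLE)):
        print(pkt, "ACL:", acl, "stateful:", fw)
```

The third packet is where the two differ: the static return rule in the ACL passes it, while the stateful device drops it because no user opened that session.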

Re: Server Farm Firewalling

Thank you for your reply.

I know that putting the most critical servers behind a physical firewall is the best available option. But in many cases, like in mine, the throughput problem erases this option from the list. Also, VPN/IDS/IPS options are not required in my scenario. So, I think FWSM is best suited for my situation. Anyways, I also found a very document on Cisco.com that explained a few ambiguous things. Thanks for your help.

- Jay
