Currently we have a network that is not physically separated but separated using VLANs. Servers and workstations are in a VLAN, IP phones are in a VLAN. We host a web application for our customers and we would like to physically separate the servers that host the web app from the rest of the devices. We were thinking about putting a router in between the customer-facing servers and the rest of the back-office environment. Is there a better way of doing this? Thanks in advance.
Currently at the perimeter there are two firewalls in an HA failover setup. Those go into the core switches, which all servers and distribution switches are plugged into. A recent outage was caused by a network loop. We are using spanning tree and loop protection on the switches but the loop still affected us. We are looking for the best way to separate the networks so that if something causes an outage on one network it doesn't affect the other.
Assuming when you say separate the networks you mean the customer and your networks, then the best way is physically if you are concerned with STP loops. It depends on whether or not you have spare interfaces on your firewalls. If you are trying to protect the customer web servers I would look to use dedicated switches for these servers and connect them directly to the firewalls.
However, this doesn't address your real issue, which by the sounds of it is STP loops. Do you know where/how the loop was created?
There was someone in the help desk that set up a small unmanaged Linksys switch for someone that didn't have enough network connections, and when someone was moving, the loop was caused at that location. I don't want to use those devices but people just keep doing things without informing us. I just want to try and separate everything as much as possible. If the customers' servers are still connected to the firewall that the rest of the network is connected to and a loop happens, would they still get hit by the loop since there is a common connection? Or would the firewall stop the loop? Wouldn't this be similar to a router between the networks? We are trying not to overwork the firewall.
Unless your firewall is in transparent mode, then yes, it would stop the loop, or to put it more accurately, the effects of the loop would not propagate past the firewall.
But the firewall could still suffer from the number of packets in a broadcast storm. So yes, you could insert a router between your internal switches and the firewalls, but this may well affect the firewall failover capabilities.
The key issue is this. If your servers, firewalls, new routers etc. are still connecting into the switches that are experiencing a broadcast storm, you haven't really fixed anything. So for complete isolation you need switches (redundant) and routers (redundant) between your existing firewalls and your core switches. And obviously your IP addressing now needs changing because you are separating your firewalls from your core switches with L3 routers.
It gets complicated and expensive. Alternatively, you could look into storm control and, more importantly, port security to try and limit/stop help desk people creating loops.
And there is the non-technical aspect that you need to address. It might sound severe, but help desk people need to understand that network connectivity is not their area of responsibility. If you have customers that buy a service off you and they lose connectivity because a non-network person has accidentally created a loop, they, the help desk personnel, need to be made aware of the consequences.
I appreciate it's easier said than done, but do you really want to be redesigning a large part of your network at considerable expense rather than locking down your existing network both with technology (port security, storm control, shutting down inactive ports, etc.) and better procedures?
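As an added illustration of the "lock down the existing network" option described in the reply above (port security, storm control, shutting inactive ports), here is a constructed Cisco IOS access-switch configuration; it is not from the thread, and the interface ranges, VLAN numbers and thresholds are assumed values to adapt to the real switch.

```cisco
! Constructed example: harden user-facing access ports so that an unmanaged
! desktop switch or a cabling mistake cannot take down the whole LAN.
! Let err-disabled ports recover on their own after 5 minutes so a single
! mistake does not become a permanent help-desk ticket.
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery cause storm-control
errdisable recovery interval 300
!
! User access ports (assumed range and VLAN).
interface range GigabitEthernet1/0/1 - 44
 description user access port
 switchport mode access
 switchport access vlan 10
 ! PortFast + BPDU Guard: a loop through an unmanaged switch reflects this
 ! switch's own BPDUs back in; the port is err-disabled instead of forwarding.
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! Port security: a desktop switch with several hosts behind it exceeds the
 ! MAC limit and the port shuts, limiting the blast radius of ad hoc gear.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 switchport port-security aging time 10
 ! Storm control: cap broadcast/multicast at 1% of link bandwidth and shut
 ! the port if exceeded, so a storm is contained at its source port.
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 storm-control action shutdown
!
! Unused ports: parked in an unused VLAN and administratively down.
interface range GigabitEthernet1/0/45 - 48
 description unused - shut until requested
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Verification after a suspected loop:
!   show interfaces status err-disabled
!   show port-security interface GigabitEthernet1/0/1
!   show storm-control
```

Do not apply PortFast/BPDU Guard to uplinks or any port that legitimately carries BPDUs; those belong on access ports only.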