801 Views | 0 Helpful | 7 Replies

Creating logical separations

visitor68
Level 4

Imagine I have a rack of servers, some are on a DMZ and some are in the internal network. They all reside in the same rack. I am being asked to provide logical separation between the servers in the DMZ and the ones in the internal network WITHOUT using VLANs.

How do I do that? What switching solution?

Thanks

7 Replies

darren.g
Level 5

ex-engineer wrote:

Imagine I have a rack of servers, some are on a DMZ and some are in the internal network. They all reside in the same rack. I am being asked to provide logical separation between the servers in the DMZ and the ones in the internal network WITHOUT using VLANs.

How do I do that? What switching solution?

Thanks

Plug them into two sets of physically separate switches.

You *could*, theoretically, run them in different IP ranges on the same switch - but only if you don't want the switch to do routing, and only if you want a *serious* security risk (anyone who has access to a server on the DMZ could spoof an internal network IP address and compromise your network easily).

What's the objection to VLAN's? That's the easiest, most cost effective way to separate devices, and is exactly the scenario VLAN's were originally conceived to meet.

Cheers.

Two separate switches? No, I asked about LOGICALLY separating the servers. I didn't make the requirement, someone else did....

ex-engineer wrote:

Two separate switches? No, I asked about LOGICALLY separating the servers. I didn't make the requirement, someone else did....

Well, what you're asking is impossible.

You can't logically separate segments like that without VLAN's, so go back to your someone else and tell them it can't be done.

Cheers.

Private VLANs can possibly do some of what you want to do. I know you said no VLANs, but how strict is that requirement? The VLANs would be transparent to the servers but can still provide Layer 2 isolation from each other.

-Matt

Please excuse typos sent from my android phone.

I understand your confusion with the requirement. It's not mine. And I am just as stumped, which is why I posted on here...maybe they mean separation through VRFs or virtual contexts....?

protected ports

The requirement doesn't say you can't segment all the PCs from each other...
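The two switch-side options raised in this thread, private VLANs (Matt's reply) and protected ports (the reply just above), side by side as an added Cisco IOS configuration example. This is not configuration from any poster; interface numbers, VLAN numbers and the server names in the descriptions are constructed for illustration. It assumes a single Catalyst access switch whose uplink goes to a firewall that enforces the actual DMZ/internal policy; the switch features below only stop servers from talking to each other directly at Layer 2.

```cisco
! ---------------------------------------------------------------
! Option A: protected ports. Every server stays in the same VLAN
! (here the default, VLAN 1), so no new VLAN is created. A protected
! port never forwards unicast, multicast or broadcast frames to
! another protected port on the SAME switch; it can only reach
! unprotected ports, i.e. the uplink to the firewall/router.
! Limitation: two protected ports on DIFFERENT switches are not
! isolated from each other, and DMZ vs. internal is not expressed
! anywhere; every server is simply cut off from every other server.
! ---------------------------------------------------------------
interface GigabitEthernet0/1
 description dmz-web-01 (constructed name)
 switchport mode access
 switchport access vlan 1
 switchport protected
 spanning-tree portfast
!
interface GigabitEthernet0/2
 description internal-db-01 (constructed name)
 switchport mode access
 switchport access vlan 1
 switchport protected
 spanning-tree portfast
!
! Uplink toward the firewall: left unprotected so every server can
! still reach its gateway. The firewall decides DMZ <-> internal.
interface GigabitEthernet0/24
 description uplink-to-firewall (constructed name)
 switchport mode access
 switchport access vlan 1
!
! Verification: "Protected: true" appears in the output of
!   show interfaces GigabitEthernet0/1 switchport
!
! ---------------------------------------------------------------
! Option B: private VLANs. Still VLAN technology underneath (which
! is the conclusion the thread reaches), but the servers only ever
! see the primary VLAN. One isolated secondary VLAN for DMZ hosts
! (cannot talk to each other at all) and one community secondary
! VLAN for internal hosts (can talk among themselves, not to the
! isolated hosts). Requires VTP transparent mode on most platforms.
! ---------------------------------------------------------------
vtp mode transparent
!
vlan 100
 name servers-primary
 private-vlan primary
 private-vlan association 101,102
!
vlan 101
 name dmz-isolated
 private-vlan isolated
!
vlan 102
 name internal-community
 private-vlan community
!
interface GigabitEthernet0/3
 description dmz-web-02 (constructed name)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
interface GigabitEthernet0/4
 description internal-app-01 (constructed name)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Promiscuous port toward the firewall: can reach every secondary
! VLAN, so all servers keep a path to their gateway.
interface GigabitEthernet0/23
 description uplink-to-firewall-pvlan (constructed name)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Verification:
!   show vlan private-vlan
```

Design note: neither option replaces the firewall. Both only prevent direct server-to-server frames on the switch; the policy "DMZ may not initiate to internal" still has to live on the device behind the uplink, and the spoofing concern darren.g raises applies whenever hosts with different trust levels share one broadcast domain with no Layer 3 control between them. If the requirement really forbids any VLAN construct, only Option A qualifies, and it should be deployed on every switch in the rack, since protection is local to each switch.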

I have come to the conclusion that there is absolutely no way to logically separate traffic from different servers without using VLANs. VRFs and VDCs will provide logical separation, but at their root they utilize VLAN technology. In the world of virtual servers, like VMware, there are tools like port groups (port profiles in the Nexus 1000v) that provide logical separation with a litany of characteristics to identify traffic types BUT they, too, use VLANs as the base technology to logically separate server traffic.

I think the requirement was poorly written and perhaps meant to say VLANs, alone, are unacceptable.

At least this is the conclusion I have drawn after discussing with my colleagues.
