05-03-2010 12:47 PM - edited 03-06-2019 10:55 AM
Hello:
Ten years ago when I first deployed my network I only needed one subnet. I settled on a 192 subnet at that time with ".1" being my firewall to the Internet. As time went on all my servers came online on that subnet. I have added additional subnets over the years. Right now the interface for my firewall is on the VLAN for all my servers. The network is fully switched so I don't think it is a huge problem, but here is my question.
Would it be better to have my servers on a VLAN that is not on the same subnet as my firewall? I can see some pros to doing this. Is this the best practice?
Harrison
05-03-2010 12:53 PM
HMidkiff wrote:
Hello:
Ten years ago when I first deployed my network I only needed one subnet. I settled on a 192 subnet at that time with ".1" being my firewall to the Internet. As time went on all my servers came online on that subnet. I have added additional subnets over the years. Right now the interface for my firewall is on the VLAN for all my servers. The network is fully switched so I don't think it is a huge problem, but here is my question.
Would it be better to have my servers on a VLAN that is not on the same subnet as my firewall? I can see some pros to doing this. Is this the best practice?
Harrison
Harrison
Yes, it is better to have your server VLAN separate from the firewall VLAN. Ideally you should have a dedicated VLAN for communication between your L3 switch and your firewall. I'm assuming you have an L3 switch as you now have multiple VLANs internally. It is best practice for servers to be on their own dedicated VLAN whenever you can.
Is it critical? No, it isn't, but generally speaking VLANs should be dedicated to a specific purpose, and by having your current setup you have a VLAN doing 2 things, i.e. containing servers and being a transit network between your L3 switch and the firewall.
Jon
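The layout described in the reply above, sketched as an added example that is not part of the thread: servers stay on their own VLAN and a separate VLAN carries only the link between the L3 switch and the firewall. It assumes a Cisco IOS-style L3 switch; the VLAN IDs, names, port and all addresses are constructed for illustration.

```cisco
! Constructed example: VLAN IDs, names, port and addresses are assumptions.
ip routing
!
vlan 10
 name SERVERS
vlan 254
 name FW-TRANSIT
!
! Server VLAN: the switch SVI takes over .1, the gateway address
! the servers already use, so the servers need no changes.
interface Vlan10
 description Server gateway
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
! Transit VLAN: only the switch SVI and the firewall inside interface.
interface Vlan254
 description Transit to firewall
 ip address 192.168.254.2 255.255.255.252
 no shutdown
!
! The one access port that connects to the firewall inside interface.
interface GigabitEthernet1/0/1
 description Firewall inside
 switchport mode access
 switchport access vlan 254
!
! Anything that is not an internal subnet goes to the firewall.
ip route 0.0.0.0 0.0.0.0 192.168.254.1
!
! On the firewall (syntax depends on the platform): the inside interface
! becomes 192.168.254.1/30, with a route for each internal subnet
! (here 192.168.1.0/24) pointing at 192.168.254.2.
```

With this split, no server shares a broadcast domain with the firewall's inside interface, and the firewall needs a return route for every internal subnet it no longer sees as directly connected.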
05-03-2010 12:53 PM
Hi,
I think it is definitely a best practice to have your servers logically segmented in a separate VLAN.
Also, you can further isolate the servers using Private VLANs (PVLANs).
Normally, the servers are also placed on different VLANs depending on whether they should be accessible from the Internet or are private servers.
I guess it depends a lot on your setup.
Federico.
05-03-2010 12:56 PM
Thanks for replying. Your post was very helpful....