Re: [nsp] design help for server farm

From: Gordon Ewasiuk (gewasiuk@gnmc.net)
Date: Wed Oct 17 2001 - 03:36:04 EDT

Next message: Barry Raveendran Greene: "RE: [nsp] opinions wanted: how is Juniper better than Cisco"
Previous message: Jonas Stenling: "Re: [nsp] opinions wanted: how is Juniper better than Cisco"
In reply to: Benjie Ko: "[nsp] design help for server farm"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Mail actions: [ respond to this message ] [ mail a new topic ]

Hi Benjie,

Reply is in-line...

On Today, Benjie Ko wrote:

>Each customer would then want a "backdoor" link to
>make software updates/maintenance on their servers.
>Backdoor link would connect to their secondary NIC.
>We will provide PCs and switchport access on the
>"maintenance" room in our datacenter.
>What would be the ideal design for this backdoor
>network?

You could probably get by with putting all the backdoor interfaces on a
single VLAN. But I think that would mean that all those interfaces would
be accessible to the customer when he/she hooks up to backdoor network?
So Customer A might be able to see Customer B's servers...

Also, if you have more then one customer in the maintenance room at a time,
there's the possibility of sniffing the wire and capturing traffic.

Would suggest you go with Private VLANs on your "backdoor" network. Even
though it's switched, there are some nasty things a potential bad guy
could do to compromise the switch (arp flooding, spoofing, man in the
middle attacks, etc.) and thus your backdoor network. I think(?) VLANs
provide an additional layer of security... Plus you get additional bells
and whistles like ACLs for VLAN interfaces and probably some bandwidth
controls too(don't know for sure).

>Should the backdoor network be on a single
>VLAN (using private IPs) wherein all customers are
>connected or are members of this VLAN?

see above.

>Anyone care to share his/her experience on this?

We have a similar setup at this datacenter. All of our web, colo, and
dedicated servers are connected to a private "backnet" network. We use
the backnet network for similar functions (backups, patches, alternative
path to server, etc.)

All of our backnet connections are on Private VLANs. We route across an
MSFC in a Cat 6509.

Good luck,

-Gordon

--------------------------------------------------
Gordon Ewasiuk, Certifed Sun Fanatic, Winstar VHC
The REAL office number is here-----> 703.893.4901
Tired of BSODs, My Computer, and Code Red?
http://www.sun.com/solaris/binaries/
-------------------------------------------------

Next message: Barry Raveendran Greene: "RE: [nsp] opinions wanted: how is Juniper better than Cisco"
Previous message: Jonas Stenling: "Re: [nsp] opinions wanted: how is Juniper better than Cisco"
In reply to: Benjie Ko: "[nsp] design help for server farm"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Mail actions: [ respond to this message ] [ mail a new topic ]

This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:20 EDT