Joining Data Center and office Network
  • Joining Data Center and office Network

    Hi,

    Our company currently has two network locations, a Data center and an office. The Data center is split into the standard perimeter network with web servers on a DMZ and database servers on the Private. The office has workstations and a combination of web and database servers all used for internal purposes only, Exchange, SharePoint, FTP, etc.

    We're planning on establishing a VLAN connection connecting the office to the Data center and we intend to drop our office internet and use the Data Center internet connection through the VLAN.

    I'm struggling with deciding if we should basically include the office network into the data center's current Private network (2 subnets) or keep it as a separate network (3 Subnets). The data center techs originally designed our setup with the 2 networks but my reaction was we would want to keep things separate for security.

    What is the best practice in this situation? Security I feel is number one but VLAN does cost extra to manage and would we be overcomplicating things?

    Thanks.

  • #2
    Re: Joining Data Center and office Network

    By saying VLAN, you mean VPN, right? VLAN is Virtual Local Area Network, which basically is for joining a few physical LAN segments into one.

    "We're planning on establishing a VPN connection connecting the office to the Data center and we intend to drop our office internet and use the Data Center internet connection through the VLAN."
    That's how it should be done. No multiple entry points to local (secure) network.

    "I'm struggling with deciding if we should basically include the office network into the data center current Private network (2 subnets) or keep it as a separate network (3 Subnets). The data center techs originally designed our setup with the 2 networks but my reaction was we would want to keep things separate for security."
    I'd go for a 3-segment network, because:
    1) more secure
    2) more reliable (i.e. no broadcasts going through the VPN link - less traffic)
    3) more flexible (if your remote office grows you don't need to worry about IP addressing)
    "Security I feel is number one but VLAN does cost extra to manage and would we be over complicating things?"
    It really depends on what firewall solution you have; if it is ISA, for example, it's very simple, you don't have to do much. It just works.
    Of course you can use your ISP VPN services and then it is even more simple - you just connect your routers and set routes. But all depends on already implemented solutions in your company.
    Cheers!



    • #3
      Re: Joining Data Center and office Network

      Can you make a drawing from what you want and what equipment you have for the firewalls etc??
      Marcel
      Technical Consultant
      Netherlands
      http://www.phetios.com
      http://blog.nessus.nl

      MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
      "No matter how secure, there is always the human factor."

      "Enjoy life today, tomorrow may never come."
      "If you're going through hell, keep going. ~Winston Churchill"



      • #4
        Re: Joining Data Center and office Network

        Thanks for your help, it's good to know I'm thinking on the right track. Yes I did mean VPN connection, the data center techs wrote VLAN on their diagram.

        Current Setup:
        Use remote site VPN over Internet to connect office to Data Center.

        Internet -> Firewall (Cisco ASA)
        - DMZ 10.10.10.x (web servers)
        - Private 192.168.20.x (databases)

        Internet -> Firewall (ISA 2004)
        - Office Network 192.168.20.x (workstation, internal servers)


        New:
        Have dedicated VPN connection between office and Data Center.

        2 Network (VLAN) solution:
        Internet -> Firewall (Cisco ASA)
        - DMZ 10.10.10.x (web servers)
        - Private & Office Network 192.168.10.x (databases, workstation, internal servers)


        3 Network (VLAN) solution:
        Internet -> Firewall (Cisco ASA)
        - DMZ 10.10.10.x (web servers)
        - Private 192.168.10.x (databases)
        - Office Network 192.168.20.x (workstation, internal servers)


        Our Office has AD, Exchange, FTP and employee client VPN through ISA. Data Center doesn't use AD. We're still figuring out if we need to move any servers from office to DMZ segments. We will probably keep the ISA firewall to use for employee VPN as it gives us better control over each user.

        The extra cost I mention for VLAN is because we're having the data center manage the firewalls for us as no one here has much Cisco experience and they charge per VLAN. But we're willing to accept the cost of 3 VLANs.

        Thanks again for your help.

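The security difference between the 2-network and 3-network layouts discussed in this thread, as an added example that is not part of any post: it classifies flows by whether they cross a firewall boundary at all. The /24 masks, the allow-list, the ports and the host addresses are assumptions constructed for illustration; only the subnet prefixes come from post #4.

```python
import ipaddress

# Zone plans from post #4; the /24 masks are an assumption ("x" read as last octet).
TWO_NET = {"dmz": "10.10.10.0/24", "private_office": "192.168.10.0/24"}
THREE_NET = {"dmz": "10.10.10.0/24", "private": "192.168.10.0/24",
             "office": "192.168.20.0/24"}

# Hypothetical default-deny inter-zone allow-list: (src zone, dst zone, dst port).
ALLOW = {("dmz", "private", 1433), ("office", "private", 1433),
         ("office", "dmz", 443)}


def zone_of(ip, plan):
    """Return the zone whose subnet contains ip, or None if no zone matches."""
    addr = ipaddress.ip_address(ip)
    for zone, cidr in plan.items():
        if addr in ipaddress.ip_network(cidr):
            return zone
    return None


def overlaps(plan):
    """Zone pairs with overlapping ranges; these cannot be routed or filtered apart."""
    nets = [(z, ipaddress.ip_network(c)) for z, c in plan.items()]
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]


def verdict(src, dst, port, plan, allow=ALLOW):
    """Classify a flow as 'unfiltered' (same segment), 'allow' or 'deny'."""
    sz, dz = zone_of(src, plan), zone_of(dst, plan)
    if sz is None or dz is None:
        return "deny"        # unknown endpoint: default deny
    if sz == dz:
        return "unfiltered"  # same segment: no inter-zone firewall rule applies
    return "allow" if (sz, dz, port) in allow else "deny"


# Constructed sample flows: (src, dst, dst port)
FLOWS_3 = [("192.168.20.50", "192.168.10.5", 1433),  # workstation -> DB, SQL
           ("192.168.20.50", "192.168.10.5", 3389),  # workstation -> DB, RDP
           ("10.10.10.8", "192.168.20.50", 445)]     # web server -> workstation, SMB
FLOWS_2 = [("192.168.10.50", "192.168.10.5", 3389)]  # same hosts, merged segment

if __name__ == "__main__":
    print("overlaps in 3-net plan:", overlaps(THREE_NET))
    for f in FLOWS_3:
        print("3-net", f, verdict(*f, THREE_NET))
    for f in FLOWS_2:
        print("2-net", f, verdict(*f, TWO_NET))
```

In the merged layout the workstation-to-database RDP flow comes back as `unfiltered`, while the same flow in the 3-network layout is evaluated against the allow-list and denied.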