I am new to IT infrastructures and need a little help in choosing a switch. I currently have a db and web server colocated. I got the provider's feed connected to the web server, which in turn is connected to the db server on a separate NIC. We now need to add another web server and I am assuming the best solution is to bring a switch into the setup. We plan on growing up to no more than 12 web servers. We offer a hosting service and stream mp3s over http, so we'll possibly introduce a NAS later on (as a file server). Everything will be connected as a single private network.
From what I have learned by reading posts on this board related to switches, here is what I think I need:
* 16 Ports (to support the 12 web servers + db server + NAS)
* 10/100 Mbps ports + 1 Gigabit port (see below for comment)
* Preferably managed (unmanaged would work fine also? No real need for rate limiting, etc.?)
* No need for Layer 3 (as I'm in a single network?)
The 12 web servers will be load balanced so they have an aggregate capacity of 1.2 Gbps. I would use the GE for the NAS to serve up the MP3 files to the 12 web servers.
The only other solution I can see is having my provider give me more connections on their switch. What is the most common and preferred approach? Getting more provider feeds or having your own switch?
Please let me know if this setup will work or if there are flaws. Switch recommendations would be appreciated also. Ignore price, I want something that will take care of above setup with a little bit of room for unexpected growth... nothing grossly beyond what I need. I will not have redundancy with the switch so reliability is important.
I would set up a 48-port switch with 2 VLANs, one for the top and one for the bottom row. The same would work for a 24- or 16-port switch too, though. Getting more (12+) cables from your provider sounds a little messy, so I would go for your own switch.
Anyway, on the first VLAN, the "private" one, I would connect the db box and file server box. Each web server would have 2 NICs, with one connected to the private VLAN, and one connected to the other, public VLAN together with the cable that connects to your provider.
So the number of ports needed is 2 per web server, plus 1 for the internet + one for db + one for files (NAS or whatever). This is a pretty simple setup, and will work as long as your switch works. You can get a setup with 2 switches, but then you need a lot more NICs to keep everything running normally if one switch dies.
The good thing about the 2 VLANs is that the db and file (NAS) server aren't connected to the internet directly, thus being a little protected. Make sure the internet, db and file links are fast enough. Gigabit?
I use a couple of years old D-Link switches for this (with management so that I can set up VLANs and stuff). Works well.
Interesting setup. It never occurred to me to isolate the db/file server by connecting it into its own private LAN on the switch. So basically, you spend more for the extra NICs on the web servers and for a switch with more ports, for a bit more security for the db/file server in return.
What if somebody breaks into the webserver, wouldn't they have access to the db/file server? Is the isolation only intended for protection against direct attacks?
Also, is it necessary to allocate an entire row of ports to the "private" lan? Wouldn't I just need 2? One for the db, one for the file server?
Last thing, wouldn't the provider cable need to be on its own special connectivity port on the switch, instead of one of the regular 48 ports?
Nevermind about allocating an entire row for the vlan, I get it now. The web servers need to be connected to it also to see the db/fs.
But I just thought about another issue. If I plan on remote managing the db + fs server then I would still be exposing the servers to the public VLAN, thereby rendering the private LAN ineffective. Having a DRAC card on each server will also require an additional NIC, bringing the total to 3 per server. That's a lot of ports and a whole lot of wires.
Switches dying is uncommon; I don't see the need to buy 2 right away. If you want to be prepared, get an agreement with your DC or whatever and have them replace the switch with one already in storage if something happens.
Dividing into several VLANs like I suggested isn't necessary, but it's nice for a few reasons. The traffic gets separated, which is good for performance (different BDs (broadcast domains), not really an issue anymore with today's hardware, and the fact that a public server can use 2 NICs for its data, using the private one for db access and files and using the public one only for outbound data) and somewhat for security, since the private servers aren't exposed to the public at all. Sure, if someone compromises a public server they could move on to the private ones, but maybe by then you have detected the intrusion and can interrupt it. So it could buy you time there. After all, the public servers aren't the important ones (usually).
Sure, you still need a way to administer the private ones; you could go through one of the public ones most likely (with ssh or whatever). Maybe set up a little NAT/PAT on one of the public ones so that the private ones can download patches and stuff from the 'net too.
Just plugging everything into the same VLAN would work too, though. Maybe this is a little too complicated?
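As an added example (not posted by anyone in this thread), the following POSIX shell script turns the two-VLAN layout and the NAT/PAT suggestion above into something you can check and generate on a box. It covers two things: a port-plan audit that fails if the db or NAS ever lands on the same VLAN as the provider uplink, and a generator for the iptables rules a single public web server would need to masquerade outbound traffic for the private VLAN while forwarding nothing inbound. Interface names (eth0/eth1), VLAN names, the private subnet 10.20.0.0/24 and the sample port plan are all assumptions made for illustration; the generated rules are printed, not applied.

```shell
#!/bin/sh
# Added example for the two-VLAN colo layout discussed above. Not from the thread.
# Assumptions (illustration only): public VLAN carries the provider uplink and
# one NIC per web server; private VLAN carries db, NAS and each web server's
# second NIC on 10.20.0.0/24. eth0 = public NIC, eth1 = private NIC.

# Constructed port plan, one switch port per line: "<host> <nic> <vlan>".
PLAN='uplink eth0 public
db eth0 private
nas eth0 private
web1 eth0 public
web1 eth1 private
web2 eth0 public
web2 eth1 private'

# Audit the plan: the VLAN the uplink sits on must contain no db/nas port,
# and every web server must have exactly one port on each VLAN.
# Returns 0 if the isolation invariant holds, 1 otherwise.
check_plan() {
  plan=$1
  pub_vlan=$(printf '%s\n' "$plan" | awk '$1=="uplink"{print $3; exit}')
  [ -n "$pub_vlan" ] || return 1
  leaked=$(printf '%s\n' "$plan" \
    | awk -v v="$pub_vlan" '($1=="db" || $1=="nas") && $3==v')
  [ -z "$leaked" ] || return 1
  # each web host must appear on two distinct VLANs
  singles=$(printf '%s\n' "$plan" \
    | awk '$1 ~ /^web/ {seen[$1 SUBSEP $3]=1; hosts[$1]=1}
           END {for (h in hosts) {n=0; for (k in seen) if (index(k, h SUBSEP)==1) n++; if (n!=2) print h}}')
  [ -z "$singles" ]
}

# Switch ports needed: 2 NICs per web server (3 if each gets a DRAC/management
# NIC), plus the uplink, the db and the NAS.
port_count() {
  n=$1; mgmt=${2:-0}
  echo $(( n * (2 + mgmt) + 3 ))
}

# Emit the iptables rules for the ONE public web server acting as NAT/PAT
# gateway so private hosts can fetch patches. Only connections originating on
# the private side are forwarded; replies are allowed back; everything else
# hitting FORWARD is dropped by policy.
gen_nat_rules() {
  pub_if=$1; priv_if=$2; priv_net=$3
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -t nat -A POSTROUTING -s $priv_net -o $pub_if -j MASQUERADE
iptables -A FORWARD -i $priv_if -o $pub_if -s $priv_net -j ACCEPT
iptables -A FORWARD -i $pub_if -o $priv_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

if check_plan "$PLAN"; then
  echo "port plan OK: private hosts never share a VLAN with the uplink"
else
  echo "port plan FAILS isolation check" >&2
fi
echo "ports for 12 web servers, no DRAC NIC: $(port_count 12 0)"
echo "ports for 12 web servers, with DRAC NIC: $(port_count 12 1)"
gen_nat_rules eth0 eth1 10.20.0.0/24
```

Pipe the output of `gen_nat_rules` into `sh` on the gateway box only after reading it; the private hosts then point their default route at that server's eth1 address. Note that the gateway is still a public web server, so a compromise of it also yields a foothold on the private VLAN, which is the "buys you time, not safety" caveat made above.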