I remember arbitrarily creating VLANs for internal segmentation based on server function, department, you name it. I get the concept, but I'm not really gaining much... Yay, now I get crude in/out nACLs to work with and maintain on the SVIs!
New job, inherited a network that's fairly flat ("server" network is a /23 and contains almost all of our servers) - currently on a call regarding VMware NSX... it almost seems like with NSX, a large L2 domain would be desirable to me since FW/IPS is being applied as a wrapper around the VM (outside of the OS). This will limit broadcast traffic, and spares L3 encapsulation between servers that would traditionally be on separate L2 domains (technically less comms overhead). Also, it gets away from using a core DC FW if you have a requirement for IPS between all L3 boundaries.
I can't see why the traditional "NO BIG L2 DOMAINS!" golden rule can't be broken here. Am I wrong?
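To make the trade-off in the post concrete, here is a small added model (not code from the original post, and not NSX's own policy API) that contrasts the two enforcement points it describes: an ACL on the server VLAN's SVI, which only evaluates traffic that is routed through it, and a distributed firewall applied at every VM's vNIC, which evaluates traffic regardless of whether source and destination share a subnet. The inventory, addresses, tags and rules are constructed for the example.

```python
"""Toy model contrasting an SVI ACL (enforced only when traffic crosses an L3
boundary) with a per-VM distributed firewall (enforced at every vNIC).
Hosts, addresses and rules below are constructed for this example."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Host:
    name: str
    ip: IPv4Address
    tags: frozenset  # DFW groups the VM belongs to; empty for non-VM hosts


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


# Constructed inventory: every server sits in one flat /23, as in the post.
SERVER_NET: IPv4Network = ip_network("10.10.0.0/23")
HOSTS = {
    "client": Host("client", ip_address("192.168.50.5"), frozenset()),
    "web01": Host("web01", ip_address("10.10.0.10"), frozenset({"web"})),
    "app01": Host("app01", ip_address("10.10.0.20"), frozenset({"app"})),
    "db01": Host("db01", ip_address("10.10.1.30"), frozenset({"db"})),
    "hr01": Host("hr01", ip_address("10.10.1.40"), frozenset({"hr"})),
}

# Model A: an ACL on the server VLAN's SVI. Only traffic routed through the
# SVI is evaluated; two hosts in the same subnet are switched at L2 and the
# ACL never sees them. Rule shape: (src_net, dst_net, dport), implicit deny.
SVI_ACL = [
    (ip_network("192.168.50.0/24"), SERVER_NET, 443),
]


def svi_acl_allows(flow: Flow) -> bool:
    src, dst = HOSTS[flow.src], HOSTS[flow.dst]
    if src.ip in SERVER_NET and dst.ip in SERVER_NET:
        return True  # intra-subnet: never inspected by the SVI ACL
    return any(src.ip in s and dst.ip in d and flow.dport == p
               for s, d, p in SVI_ACL)


# Model B: distributed firewall rules keyed on VM tags, applied at the vNIC
# of every VM regardless of subnet. "any" matches every source; default deny.
DFW_RULES = [
    ("any", "web", 443),
    ("web", "app", 8080),
    ("app", "db", 5432),
]


def dfw_allows(flow: Flow) -> bool:
    src, dst = HOSTS[flow.src], HOSTS[flow.dst]
    for s_tag, d_tag, port in DFW_RULES:
        src_ok = s_tag == "any" or s_tag in src.tags
        if src_ok and d_tag in dst.tags and flow.dport == port:
            return True
    return False


def compare(flows):
    """Return {flow: (svi_result, dfw_result)} for side-by-side review."""
    return {f: (svi_acl_allows(f), dfw_allows(f)) for f in flows}


if __name__ == "__main__":
    sample = [
        Flow("client", "web01", 443),
        Flow("web01", "app01", 8080),
        Flow("hr01", "db01", 5432),   # same /23, unrelated to the DB tier
        Flow("web01", "db01", 5432),  # web skipping the app tier
        Flow("client", "db01", 5432),
    ]
    for f, (svi, dfw) in compare(sample).items():
        print(f"{f.src:>7} -> {f.dst:<6}:{f.dport:<5} svi={svi!s:<5} dfw={dfw}")
```

The intra-/23 flows (hr01 to db01, web01 to db01) pass the SVI model untouched because they never reach the router, while the DFW model evaluates them at the vNIC and denies them. That is the reachability argument in the post; the model says nothing about the other reasons the "no big L2 domains" rule exists (broadcast and failure-domain size, which grow with the segment rather than shrink), so those still need to be weighed separately.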