Is it generally good practice to place servers in their own VLAN (mid-size LAN)? I mean, yes, of course it's good, an additional layer of security can't hurt, but what do I really achieve... Yes, I know, I achieve security, but do the cons outweigh the pros?
For one, I can't see placing the servers behind a firewall and then opening ports for the users' VLAN. For one, I'd need to open just about all ports (or at the very least 1 through 1000) to properly satisfy the AD/Exchange/RPC/SMB file server etc. environments. Secondly, I'd need something to route between the two VLANs. So say I have a network with 20 L2 switches and a single SonicWall NSA xxxx; I'd need to push ALL my LAN traffic through the single Sonic to get to my server VLAN, which would no doubt degrade the LAN performance. Or, I could use L3 switches and route across the switches without involving the Sonic, but then I can't use the firewall even if I want to.
I guess I do save the servers from broadcast traffic coming from the user VLAN, some of which might be ill-intended traffic, but from an IP routing perspective, I see no value... or maybe I'm totally wrong.
What do you folks think?
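To make the inter-VLAN firewall question concrete, here is an added example (not from the original post or any vendor product) that models the policy a firewall between a user VLAN and a server VLAN would enforce: a small first-match ACL evaluator with default deny, holding a per-service allowlist for the AD/Exchange/SMB services named in the question next to the broad "ports 1 through 1000" rule. The subnets, host addresses and flows are constructed for the example; the port numbers are the standard assignments for those services (DNS 53, Kerberos 88, LDAP 389/636, RPC endpoint mapper 135 plus the Windows dynamic RPC range 49152-65535, SMB 445, HTTPS 443).

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str            # "tcp", "udp" or "any"
    ports: tuple          # inclusive (low, high) destination port range
    action: str           # "allow" or "deny"


def rule(name, src, dst, proto, low, high, action="allow"):
    return Rule(name, ipaddress.ip_network(src), ipaddress.ip_network(dst),
                proto, (low, high), action)


# Constructed address plan for the example: one user VLAN, one server VLAN.
USER_VLAN = "10.10.0.0/24"
SERVER_VLAN = "10.20.0.0/24"

# Per-service allowlist, user VLAN -> server VLAN only. Standard port
# assignments for the services the question names; "any" covers TCP and UDP.
SERVICE_RULES = [
    rule("dns",         USER_VLAN, SERVER_VLAN, "any", 53, 53),
    rule("kerberos",    USER_VLAN, SERVER_VLAN, "any", 88, 88),
    rule("ldap",        USER_VLAN, SERVER_VLAN, "any", 389, 389),
    rule("ldaps",       USER_VLAN, SERVER_VLAN, "tcp", 636, 636),
    rule("rpc-epm",     USER_VLAN, SERVER_VLAN, "tcp", 135, 135),
    rule("rpc-dynamic", USER_VLAN, SERVER_VLAN, "tcp", 49152, 65535),
    rule("smb",         USER_VLAN, SERVER_VLAN, "tcp", 445, 445),
    rule("https",       USER_VLAN, SERVER_VLAN, "tcp", 443, 443),
]

# The broad alternative from the question: everything from 1 through 1000.
BROAD_RULES = [
    rule("low-ports", USER_VLAN, SERVER_VLAN, "any", 1, 1000),
]


def evaluate(rules, src_ip, dst_ip, proto, dport):
    """First-match evaluation of a new connection; anything unmatched hits the
    implicit deny. Return traffic is not modelled: a stateful firewall allows
    it through connection tracking, not through a server->user rule."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in r.src and d in r.dst
                and r.proto in ("any", proto)
                and r.ports[0] <= dport <= r.ports[1]):
            return r.action, r.name
    return "deny", "implicit-deny"


def exposed_ports(rules, proto):
    """Number of distinct destination ports a rule set opens for a protocol,
    a rough measure of how much of the server VLAN is reachable."""
    ports = set()
    for r in rules:
        if r.action == "allow" and r.proto in ("any", proto):
            ports.update(range(r.ports[0], r.ports[1] + 1))
    return len(ports)


def audit(rules, flows):
    """Evaluate a list of (src, dst, proto, dport) flows and report each verdict."""
    return [(flow, *evaluate(rules, *flow)) for flow in flows]


if __name__ == "__main__":
    # Constructed sample flows: a file-share mount, a stray RDP attempt, and a
    # server trying to open a connection back into the user VLAN.
    flows = [
        ("10.10.0.7", "10.20.0.5", "tcp", 445),
        ("10.10.0.7", "10.20.0.5", "tcp", 3389),
        ("10.20.0.5", "10.10.0.7", "tcp", 445),
    ]
    for label, rules in (("service allowlist", SERVICE_RULES), ("ports 1-1000", BROAD_RULES)):
        print(f"--- {label}: {exposed_ports(rules, 'tcp')} tcp / "
              f"{exposed_ports(rules, 'udp')} udp ports exposed")
        for flow, action, name in audit(rules, flows):
            print(f"{flow} -> {action} ({name})")
```

Running it shows where the width of an AD-style policy actually comes from: the service allowlist exposes only three UDP ports, and almost all of its TCP exposure is the dynamic RPC range rather than the low ports, while the "1 through 1000" rule opens a thousand ports in each protocol yet still blocks anything above 1000. Either way the policy is directional: the server-to-user flow is denied by both rule sets, which is the broadcast and lateral-movement containment the question is weighing. The same rule table can be expressed on an L3 switch as an ACL if you want to keep the routing off the SonicWall; the evaluator does not care which box enforces it.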