Fun with vLANs
Posted on April 23, 2007
One of the wrinkles of all my data center time recently was a network issue. Our colo (co-location) provider forces all their drops at 10 Mbit / full-duplex. Our Symantec firewall was not properly auto-negotiating the full-duplex, so we’re generating a lot of network errors and generally not seeing the performance boosts that the new server should show. An all-around bummer.
To solve this, we ordered a nifty little HP ProCurve switch last week. The price was reasonable and it has all sorts of nifty bonuses. The plan was to configure it to force a port down to 10 Mbit / full-duplex and just put it between our firewall and the NOC network, thus eliminating the errors.
Then I realized it offered support for vLANs. Virtual LANs are fun: you can “carve up” a switch to service multiple network segments. A goofy idea popped up…
Oh, quick back story comment: While we have a gigabit backbone for the servers, it is a cheap ($30-ish) 5-port switch. Consumer grade, really. Granted, it has been doing the job just fine — I’m not complaining.
So ports 1 and 2 of the new switch are one virtual LAN. Port 2 is forced to 10 / FD and is for the NOC network. Port 1 connects to the firewall appliance. Then, ports 3-8 are another vLAN and represent the “inner” network. Makes sense, right? And before the security wonks start waving their arms: we made sure that the switch management can only happen from the inner segment.
Slick, huh? I replaced the other 5-port 1 Gbit switch with this fancy new unit and even gained a port along the way.
Pity my successor… He’s going to look at this switch and firewall and wonder why port 2 on the switch goes to the firewall WAN port and port 3 on the switch goes to the firewall’s LAN port. If you can visualize that, you’ll be chuckling too — if you didn’t know about the vLAN it looks damned odd!
I suppose I better document the dang thing, but it’s fun to picture the look on someone’s face.