Which configuration isolates the servers from each other?

Refer to the exhibit.

The web servers WS_1 and WS_2 need to be accessed by external and internal users. For
security reasons, the servers should not communicate with each other, although they are
located on the same subnet. However, the servers do need to communicate with a database
server located in the inside network. Which configuration isolates the servers from each other?

A.
The switch ports 3/1 and 3/2 are defined as secondary VLAN isolated ports. The ports
connecting to the two firewalls are defined as primary VLAN promiscuous ports.

B.
The switch ports 3/1 and 3/2 are defined as secondary VLAN community ports. The ports
connecting to the two firewalls are defined as primary VLAN promiscuous ports.

C.
The switch ports 3/1 and 3/2 and the ports connecting to the two firewalls are defined as
primary VLAN promiscuous ports.

D.
The switch ports 3/1 and 3/2 and the ports connecting to the two firewalls are defined as
primary VLAN community ports.

Explanation:
Service providers often have devices from multiple clients, in addition to their own servers,
on a single Demilitarized Zone (DMZ) segment or VLAN. As security issues proliferate, it
becomes necessary to provide traffic isolation between devices, even though they may exist
on the same Layer 3 segment and VLAN. Catalyst 6500/4500 switches implement PVLANs
to keep some switch ports shared and some switch ports isolated, although all ports exist on
the same VLAN. The 2950 and 3550 support “protected ports,” which is functionality similar
to PVLANs on a per-switch basis.
A port in a PVLAN can be one of three types:
Isolated: An isolated port has complete Layer 2 separation from other ports within the same
PVLAN, except for the promiscuous port. PVLANs block all traffic to isolated ports, except
the traffic from promiscuous ports. Traffic received from an isolated port is forwarded to only
promiscuous ports.
Promiscuous: A promiscuous port can communicate with all ports within the PVLAN,
including the community and isolated ports. The default gateway for the segment would
likely be hosted on a promiscuous port, given that all devices in the PVLAN will need to
communicate with that port.
Community: Community ports communicate among themselves and with their promiscuous
ports. These interfaces are isolated at Layer 2 from all other interfaces in other communities,
or in isolated ports within their PVLAN.
Reference:
Configuring Private VLANs
(http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/pvlans.html)
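The three port-type rules from the explanation, applied to the ports in the question. This is an added example, not part of the original page: it models the forwarding rules only and is not switch configuration. The firewall labels `fw_a` and `fw_b` and the community ID `1` are assumed names, since the exhibit is not reproduced here.

```python
"""Model of the PVLAN Layer 2 forwarding rules described in the explanation."""

ISOLATED, COMMUNITY, PROMISCUOUS = "isolated", "community", "promiscuous"


def can_forward(src, dst):
    """Return True if a frame from port `src` may be delivered to port `dst`.

    A port is a (port_type, community_id) tuple; community_id is None
    unless the port is a community port.
    """
    src_type, src_comm = src
    dst_type, dst_comm = dst
    # A promiscuous port communicates with every port in the PVLAN.
    if PROMISCUOUS in (src_type, dst_type):
        return True
    # Community ports communicate only within their own community.
    if src_type == dst_type == COMMUNITY:
        return src_comm == dst_comm
    # Isolated-to-isolated and isolated-to-community traffic is blocked.
    return False


def evaluate(server_port):
    """Put ports 3/1 and 3/2 in `server_port` mode, firewalls promiscuous."""
    ports = {
        "3/1": server_port,            # WS_1
        "3/2": server_port,            # WS_2
        "fw_a": (PROMISCUOUS, None),   # assumed label for first firewall port
        "fw_b": (PROMISCUOUS, None),   # assumed label for second firewall port
    }
    ws1, ws2 = ports["3/1"], ports["3/2"]
    firewalls = (ports["fw_a"], ports["fw_b"])
    return {
        # The servers must not reach each other in either direction.
        "servers_isolated": not (can_forward(ws1, ws2) or can_forward(ws2, ws1)),
        # The servers must still reach both firewalls (users, database path).
        "servers_reach_firewalls": all(
            can_forward(ws, fw) and can_forward(fw, ws)
            for ws in (ws1, ws2) for fw in firewalls
        ),
    }


if __name__ == "__main__":
    for mode in ((ISOLATED, None), (COMMUNITY, 1), (PROMISCUOUS, None)):
        print(mode[0], evaluate(mode))
```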


