We are embarking on a redesign of our network architecture based on software-defined networking (SDN - Cisco Nexus 7k/9k/ACI). In the discussion we hit a dispute about whether or not to segregate application servers and DB servers into different VLANs. From a SAP perspective I am aware of the requirement/recommendation to segregate different traffic classes, e.g. backup, DB replication, app/DB and client/app traffic, onto different network ports to prevent interference. Most of the design recommendations I could find left a lot of room for interpretation/speculation and thus didn't really resolve the dispute. I have very little experience with SDN and am not very well versed in regulatory requirements, but in my opinion/experience (administering/designing SAP systems) the communication between app servers and DBs should be handled in one network segment (VLAN) and kept on layer 2 (no routing).
Here are the arguments presented pro and con segregation (I don't know how relevant they are - please comment):
pro segregation ...
Argument 1: According to current or upcoming PCI standards, DB and app are regarded as a different security category/level and therefore have to be segregated into different VLANs, with access control between these VLANs.
Argument 2: SDN rule sets will place or have to place app server IPs and DB IPs into different VLANs.
Argument 3: Segregating app servers and DBs into separate VLANs will allow better isolation from e.g. unnecessary broadcast traffic.
con segregation ...
Argument 4: The traffic between DB and app server is the most performance critical traffic. I would want to avoid any potential latency introduced by routing and/or potential traffic inspection.
Argument 5: We are running predominantly DB2 and HANA DBs and are planning, as part of this change, to implement DB replication and near-zero downtime operation. Note 1530812 contains the statement 'The graceful maintenance tool only supports one network for database client communication, virtual IP and HADR replication. A separate HADR replication network is not supported by the graceful maintenance tool. The script cannot be used in this case.', so SAP clearly assumes that app server and DB IPs should sit in the same network segment/VLAN.
I would highly appreciate it if someone with more detailed technical knowledge about these requirements or practical experience would comment and share some advice.
Thanks and regards,
Wolfgang Wiedemann