I've been tasked with designing and implementing the infrastructure of an organization. It has five servers with the following purposes:
- Web server: hosting the live application.
- DB server: storing confidential data.
- App server: where developers perform their job.
- DB server 2: it has the same data as the other DB server.
- Test server: for playing around.
Requirements:
- Web server needs access to DB server.
- App server needs access to DB2 server.
- Test server may or may not access DB2 server (not sure about this).
- All servers need Internet connection.
- Use only a firewall, budget issues.
Based on everything stated above, I designed this scheme. Green indicates the DMZ, whereas red indicates VLANs.
http://i40.tinypic.com/rko906.jpg
What do you think? Is anything missing? Is the switch really needed? Could I just connect the four internal servers to the firewall, getting rid of VLANs?