VLAN Designs, per floor vs per dept & Layer 3 in the DC

Started by awilderbeast, July 10, 2015, 11:07:57 AM


awilderbeast

ok so i know we're pushing layer 3 as far as we can now, down to the closest where possible...

But say i have a floor of 200 users, new design methodology is telling me to give that floor a vlan and have done with it. However... from a security point of view, firstly we are told it's ok, you can do all your rules via ldap now and have user groups instead of IP rules, which is great for your standard users.

but what about your linux devs who run VMs, and all your marketing dept that have macs, would you guys from experience or opinion throw them in their own vlans, or use anyconnect (if cisco prosperity) to authenticate them? or any other method to authenticate them against a centralized user base to avoid using IP based rules in your firewalls? then only your servers have IP rules?


Next - Layer 3 in the DC:
so we're pushing layer 3 all the way down to your server farms, are any of you guys using /31s or /30s between your DC switches and your servers? i've seen designs (don't ask me where, i can't remember now) referencing this setup as the "new way", i can see the benefits...

Anyway what would you do about your VM infrastructure if you're sending /30s, you can't can you, your blade chassis would have to have 1 subnet or would have to have multiple vlans.
we're often reminded that vlans are not a security boundary, but you can use the subnet of a vlan to limit access to services based on src dst ip addresses still...
so do you guys put your DBs in their own vlan in the DC? our DBAs like to anyway and they authenticate against IP and SSH key and username/pass!

Food for thought anyway, been rattling around my head for a while and wanted to get opinions on how everyone else does it?
Cheers

NetworkGroover

Regarding DC

I haven't seen L3 all the way down to the host, but I've definitely seen L3 between your top-of-rack (ToR) and uplinked switches (/31 links).  I usually see L2 from host to ToR with a redundant first hop gateway provided by HSRP/VRRP/VARP, and then L3 routed from there.  L2 adjacency is either done within the same rack or if you need extension, something like VXLAN.
Engineer by day, DJ by night, family first always
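The /31 vs /30 point-to-point question raised in the original post, and the /31 ToR-to-uplink links NetworkGroover describes, come down to RFC 3021: on a /31 both addresses are host addresses, whereas a /30 burns its network and broadcast addresses, so a /31 plan fits twice as many links in the same block. The example below is added here and is not code from the thread or from either poster; it uses Python's standard `ipaddress` module, a constructed `10.0.0.0/24` link block, and hypothetical helper names (`allocate_p2p_links`, `max_links`, `peer_address`). The `peer_address` check is the kind of sanity test worth running against an interface config before bringing a routed link up: a /30 end configured on the network or broadcast address will never form an adjacency.

```python
"""Point-to-point link addressing for routed DC links: /30 vs /31 (RFC 3021).

Added example (not from the forum thread). Demonstrates how many routed
switch-to-switch or switch-to-server links fit in a block at each prefix
length, which address each end of a link gets, and how to derive (and
validate) the far-end address from a local interface address.
"""
import ipaddress

P2P_PREFIXES = (30, 31)  # the only prefix lengths that describe a two-host link


def _link_ends(net: ipaddress.IPv4Network):
    """Return the two usable host addresses of a /30 or /31 link network."""
    if net.prefixlen == 31:
        # RFC 3021: a /31 has no network/broadcast address, both are hosts
        return net[0], net[1]
    if net.prefixlen == 30:
        # /30: net[0] is the network address, net[3] the broadcast
        return net[1], net[2]
    raise ValueError(f"{net} is not a point-to-point prefix length ({P2P_PREFIXES})")


def max_links(supernet: str, prefixlen: int) -> int:
    """How many /prefixlen point-to-point links a supernet can carry."""
    net = ipaddress.ip_network(supernet)
    if prefixlen not in P2P_PREFIXES:
        raise ValueError(f"prefix length must be one of {P2P_PREFIXES}")
    return 2 ** (prefixlen - net.prefixlen)


def allocate_p2p_links(supernet: str, prefixlen: int, count: int):
    """Carve `count` links of /prefixlen out of `supernet`, in order.

    Returns a list of (link_network, side_a, side_b) as strings, where
    side_a/side_b are the addresses to configure on the two ends.
    """
    net = ipaddress.ip_network(supernet)
    if count > max_links(supernet, prefixlen):
        raise ValueError(
            f"{supernet} holds at most {max_links(supernet, prefixlen)} /{prefixlen} links"
        )
    links = []
    for sub in net.subnets(new_prefix=prefixlen):
        if len(links) == count:
            break
        a, b = _link_ends(sub)
        links.append((str(sub), str(a), str(b)))
    return links


def peer_address(iface: str) -> str:
    """Given one end of a link as 'addr/len', return the other end's address.

    Raises ValueError if the local address is not a usable host address on
    that link (e.g. a /30 configured on its network or broadcast address).
    """
    intf = ipaddress.ip_interface(iface)
    a, b = _link_ends(intf.network)
    if intf.ip == a:
        return str(b)
    if intf.ip == b:
        return str(a)
    raise ValueError(f"{intf.ip} is not a usable host address on {intf.network}")


if __name__ == "__main__":
    block = "10.0.0.0/24"  # constructed link block for this demo
    for plen in P2P_PREFIXES:
        print(f"/{plen}: {max_links(block, plen)} links in {block}")
        for link in allocate_p2p_links(block, plen, 3):
            print("   ", link)
    print("peer of 10.0.0.1/31 is", peer_address("10.0.0.1/31"))
    print("peer of 10.0.0.5/30 is", peer_address("10.0.0.5/30"))
```

Running it with the constructed /24 shows 128 links at /31 against 64 at /30, which is the whole argument for /31s on ToR uplinks; the blade-chassis case from the original post is different, since a chassis is a many-host L2 segment and a /30 or /31 cannot describe it at all.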