Re: NIC to NIC connection

From Matt Clark
Subject Re: NIC to NIC connection
Date
Msg-id 41759198.4070505@ymogen.net
In reply to Re: NIC to NIC connection  (Bruno Wolff III <bruno@wolff.to>)
Responses Re: NIC to NIC connection  (Bruno Wolff III <bruno@wolff.to>)
List pgsql-admin
>Switches are not security devices. While it is harder to sniff packets on
>switches, you can't count on them to prevent hostile machines on the
>switch from playing games with the arp protocol. Also I believe that if
>a switch doesn't remember where a particular mac address is it will send
>the packet to all of the attached ports.
>
>
If you have 6 app servers it's just daft to stick 6 NICs in your DB
server.   If absolute privacy is a concern (not mentioned by the OP),
then use a dedicated switch (or switches) for the 'private' subnet.
Even better, use SSH.  But all this is over the top for 99.9% of uses
anyway.  A VLAN is as private as anything else, so you can just create a
VLAN on your current switch fabric and use that.  No kind of traffic on
a VLAN will hit any other VLAN.  Unless of course someone has hacked
your switch, set up a mirror port, attached a sniffer or other hacked
machine to it, and is assiduously reading your traffic, in which case
you have bigger problems....


M
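
The forwarding behaviour both posters refer to, as an added example that is not part of either message: a toy model of a MAC-learning switch with one VLAN per port, showing that a frame to an unlearned address is flooded, and that the flood stays inside the sender's VLAN. Port numbers, VLAN ids and MAC addresses are constructed; the model covers only learning and flooding, not ARP or any real switch's configuration.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    """Toy access switch: each port belongs to one VLAN, MACs are learned per VLAN."""

    def __init__(self, port_vlans):
        self.port_vlans = dict(port_vlans)  # port number -> VLAN id
        self.mac_table = {}                 # (vlan, mac) -> port number

    def receive(self, in_port, src_mac, dst_mac):
        """Process one frame; return the sorted list of ports it is sent out of."""
        vlan = self.port_vlans[in_port]
        self.mac_table[(vlan, src_mac)] = in_port  # learn where the sender lives
        out_port = None
        if dst_mac != BROADCAST:
            out_port = self.mac_table.get((vlan, dst_mac))
        if out_port is not None:
            # Known destination: exactly one port sees the frame.
            return [] if out_port == in_port else [out_port]
        # Unknown destination or broadcast: flood to every other port in the
        # same VLAN. Ports in other VLANs never receive it.
        return sorted(p for p, v in self.port_vlans.items()
                      if v == vlan and p != in_port)

    def age_out(self, vlan, mac):
        """Forget a learned address, as a real switch does after an idle timeout."""
        self.mac_table.pop((vlan, mac), None)


def demo():
    # Constructed topology: ports 1-3 on VLAN 10 (DB + app servers),
    # ports 4-5 on VLAN 20 (unrelated machines).
    sw = LearningSwitch({1: 10, 2: 10, 3: 10, 4: 20, 5: 20})
    db, app1 = "02:00:00:00:00:01", "02:00:00:00:00:02"
    results = {}
    results["first"] = sw.receive(2, app1, db)           # DB not learned yet: flooded
    results["reply"] = sw.receive(1, db, app1)           # app1 already learned
    results["known"] = sw.receive(2, app1, db)           # DB now learned
    sw.age_out(10, db)
    results["after_age_out"] = sw.receive(2, app1, db)   # forgotten: flooded again
    results["broadcast"] = sw.receive(2, app1, BROADCAST)
    return results


if __name__ == "__main__":
    for name, ports in demo().items():
        print(f"{name:14s} -> ports {ports}")
```

Port 3, a third machine on the same VLAN, sees the flooded frames even though they are addressed to the DB server; ports 4 and 5 on the other VLAN see none of them.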