SAP systems are implemented as client-server frameworks built in three levels: the database server level, the application server level and the presentation level (front ends). Depending on the size of your SAP system, your physical network architecture may or may not reflect this three-tier framework. For example, a small system may not have separate application and database server machines (the work processes run on the same machine as the database). The system may also have only a limited number of front ends in a single subnet connected to the server machine. However, in a large SAP system, several application servers usually communicate with the database server, as well as a large number of front ends. Therefore, the physical topology of your network can vary from simple to complex.
There are several possibilities to consider when organizing your network topology. The topology can vary from a single LAN segment to multiple IP subnets. We highly recommend you install your application server and central database server on separate machines and place them in a separate subnet as indicated in the graphic below:
Figure: Separating Frontend LANs from the Server LAN
By placing your SAP system servers in a separate subnet, you gain tighter access control over your server LAN, thereby increasing the security level of your system.
We discourage placing SAP system servers into any existing subnet without first considering the appropriate security issues.
If you have several systems (or groups of systems) with varying security levels, then we recommend you create separate server LANs for each "group" of related systems. Determining these system "groups" and the security levels that they require is a very individual process. We do have consultants available for assistance.
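The recommendations above (application and database servers on separate machines, servers in their own subnet apart from the front ends, and one server LAN per security group) can be checked against a host inventory. The following Python audit is an added example, not SAP code; the host names, addresses, subnets, group labels and rule names are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: host names, addresses, subnets and group names are made up.
SUBNETS = ["10.10.1.0/24", "10.10.2.0/24", "10.20.0.0/16"]
INVENTORY = [  # (host, ip, role, security group)
    ("prd-db",   "10.10.1.10",  "db",       "production"),
    ("prd-app1", "10.10.1.11",  "app",      "production"),
    ("dev-all",  "10.10.2.10",  "db",       "development"),
    ("dev-all",  "10.10.2.10",  "app",      "development"),
    ("qas-app",  "10.10.1.20",  "app",      "quality"),
    ("pc-0417",  "10.20.3.17",  "frontend", None),
    ("pc-0418",  "10.10.2.55",  "frontend", None),
    ("lab-app",  "192.168.7.5", "app",      "development"),
]

def subnet_of(ip, subnets):
    """Return the most specific declared subnet containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    nets = [n for n in map(ipaddress.ip_network, subnets) if addr in n]
    return max(nets, key=lambda n: n.prefixlen, default=None)

def audit(inventory, subnets):
    """Return sorted (rule, subject) findings for the segmentation recommendations."""
    roles_by_host = defaultdict(set)
    roles_by_net = defaultdict(set)
    groups_by_net = defaultdict(set)
    findings = set()
    for host, ip, role, group in inventory:
        roles_by_host[host].add(role)
        net = subnet_of(ip, subnets)
        if net is None:                      # server or PC outside every planned subnet
            findings.add(("UNKNOWN_SUBNET", host))
            continue
        roles_by_net[str(net)].add(role)
        if role != "frontend":
            groups_by_net[str(net)].add(group)
    for host, roles in roles_by_host.items():
        if {"db", "app"} <= roles:           # application and DB server on one machine
            findings.add(("COLOCATED_APP_DB", host))
    for net, roles in roles_by_net.items():
        if "frontend" in roles and roles - {"frontend"}:  # front ends inside a server LAN
            findings.add(("FRONTEND_IN_SERVER_LAN", net))
        if len(groups_by_net[net]) > 1:      # one server LAN shared by several groups
            findings.add(("MIXED_SECURITY_GROUPS", net))
    return sorted(findings)

if __name__ == "__main__":
    for rule, subject in audit(INVENTORY, SUBNETS):
        print(f"{rule:24} {subject}")
```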