VLAN passthrough security

If everything is configured exactly as depicted, the attacker shouldn't be able to forge packets or otherwise reach server1 directly. It is possible to configure it securely.

But this setup still has serious flaws:

Most important, it is too complex. While it is possible to configure it like this, why purposely configure it like this? What is the intent of adding complexity; why do things in a more complex way than they need to be? It is sometimes said that the quality of a computer system's design is measured in WTFs: the more WTFs the auditor asks, the more unexpectedly complex the system is (i.e. the worse the design). This is exactly the case here: WTF is this?

Secondly, this setup introduces a point of failure which makes the system harder to diagnose and repair. Observe that a failure of server1 will make server2 inaccessible, even if it is working perfectly; a failure of server2 will make server1 inaccessible too, even if it is fine as well. You can't really distinguish these two cases. Imagine you face a situation where both servers are inaccessible. Which one do you think has failed? You can't give any approximate directions to diagnose and repair the system early. You would need to carefully inspect everything right from the beginning, and nothing could be done remotely. This way it needs extra, unjustified maintenance. Does your client like paying more for that extra work, when this expense could be easily avoided (or at least made less probable) by proper network design?

Also, this setup is quite fragile. Other possible setups could tolerate some mistakes; this one will open breaches if a single mistake is made in a non-obvious place. It is not apparent to a new employee who has just encountered this type of setup what should be enabled and where. You need to configure VLANs on server1 really carefully, so that it does not accept untagged packets from the switch side. If it accepts them by mistake, the setup is flawed and the condition "server1 is not reachable other than through server2" no longer holds; this creates a hole for forged packets.
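As an added check, not part of the original answer: a small Python audit of `bridge vlan show` output that flags a switch-facing port on server1 that would still accept untagged frames. It assumes server1 runs a Linux bridge with vlan_filtering enabled, that eth0 is the switch-facing port and that VLAN 100 is the passed-through VLAN (all of these names are assumptions).

```python
# Added example, not from the original post: audit `bridge vlan show` output for a
# Linux bridge used as a VLAN passthrough.  Assumed names: eth0 faces the switch,
# VLAN 100 is the passed-through VLAN, and the bridge has vlan_filtering=1.
def parse_bridge_vlan_show(text):
    """Parse iproute2 `bridge vlan show` text into {port: {"vlans": set, "pvid": int|None}}."""
    ports, current = {}, None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].lower() == "port":
            continue                             # blank line or column header
        if not line[0].isspace():                # line that names a new port
            current = ports.setdefault(tokens[0], {"vlans": set(), "pvid": None})
            tokens = tokens[1:]
        if current is None or not tokens or tokens[0] == "None":
            continue                             # port with no VLAN entries
        low, _, high = tokens[0].partition("-")  # "100" or a range "100-110"
        current["vlans"].update(range(int(low), int(high or low) + 1))
        if "PVID" in tokens:                     # untagged ingress frames land in this VLAN
            current["pvid"] = int(low)
    return ports

def audit_passthrough(ports, switch_port="eth0", passthrough_vlan=100):
    """Return (code, detail) findings for server1's switch-facing port."""
    p = ports.get(switch_port)
    if p is None:
        return [("port-unfiltered", f"{switch_port}: no VLAN entries, is vlan_filtering on?")]
    findings = []
    if p["pvid"] is not None:  # the hole from the text: untagged frames from the switch get in
        findings.append(("untagged-ingress-accepted", f"{switch_port}: PVID {p['pvid']}"))
    if passthrough_vlan not in p["vlans"]:
        findings.append(("passthrough-vlan-missing", f"{switch_port}: no VLAN {passthrough_vlan}"))
    extra = sorted(p["vlans"] - {passthrough_vlan})
    if extra:
        findings.append(("extra-vlans", f"{switch_port}: also carries VLANs {extra}"))
    return findings

# Constructed sample: Linux right after enabling vlan_filtering (VLAN 1 PVID on every
# port) with VLAN 100 added on top, i.e. the non-obvious mistake the text warns about.
FLAWED = """port              vlan-id
eth0              1 PVID Egress Untagged
                  100
eth1              1 PVID Egress Untagged
                  100
"""
# Constructed sample: the switch side carries only tagged VLAN 100 and has no PVID.
HARDENED = """port              vlan-id
eth0              100
eth1              100 PVID Egress Untagged
"""
```

Run `audit_passthrough(parse_bridge_vlan_show(FLAWED))` to see the PVID finding; the same call on `HARDENED` returns an empty list.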

Finally, it has an inefficiency that could possibly lead to DoS. It is normal to expect both links to be 1Gbps. We don't know which kind of service is going to run on server1, but for simplicity I'll depict the simplest case: it has a typical symmetric traffic distribution, with the amount of incoming traffic approximately equal to the amount of outgoing traffic. In that case, the server1-server2 link will always be loaded twice as much as the switch-server1 link. When the load on the switch-server1 link exceeds only 50% of its capacity, and if all that traffic is expected to reach server1 through server2, the link between the servers will exceed its capacity and packets will get dropped. Also, server1 must bridge the networks, which would be done by the CPU; it is not a very high load, but it still generates interrupts and context switches, so server1 must do some completely unneeded work. This is the type of setup governments have always liked: it keeps their employees busy while not doing any useful work, just shuffling paper back and forth.

All of these problems of course go away if the servers are connected in the "correct order" and without VLANs. There could also be a star-like network topology, in which all devices (router, both servers) are connected directly to the switch, and all VLAN processing is then done on the switch. Star-like is "kind of" free of some of these problems too; it only has the described problem of link overload, but that is easier to solve in this case, and it is naturally easier to securely configure VLANs on a switch than to do that on the server.