Data Center Design Implementation Help Needed

Answered Question
Mar 14th, 2008

Folks:


I need some assistance and guidance from a seasoned individual who has specific experience implementing a server farm solution that uses load balancing, firewalling and HSRP.


My questions involve the placement of the default gateway.


I would think that for traffic in the client -> server direction, it should be the following way (keep in mind an L2 access layer design):


TRAFFIC FLOW: client -> core -> server farm aggregation switch -> firewall -> load balancer -> L2 access switch -> server


...where, starting from the agg switch that receives client traffic destined for the server, the defaults should be set accordingly:


agg switch forwards all traffic destined for server subnets to the firewall's OUTSIDE interface; firewall forwards server subnet traffic to the load balancer's VIP for the subnet; load balancer forwards traffic to a specific server that is part of the load-balanced group.


TRAFFIC FLOW 2: server -> access switch -> load balancer -> firewall -> agg switch -> core


...where, starting from the server and destined for the core, the defaults should be set accordingly:


server defaults to load balancer (but what interface on the LB?); load balancer defaults to firewall INSIDE interface; firewall defaults to subnet HSRP group -> traffic forwarded to core


Am I making sense? (I normally don't! LOL)


[EDIT] By the way, I realize that there are many ways to implement such a design. It can be very nuanced. What I am looking for is a few scenarios based on real-world experience.


Thank you in advance.


Victor



Jon Marshall Fri, 03/14/2008 - 11:08

Hi Victor


As you say there are a number of ways of deploying this scenario, i.e. firewalled/load-balanced servers, and I have done it 2 ways.


1) Firewall in routed mode/load balancer in bridge (L2) mode.

2) Firewall in routed mode/load balancer in "one-armed" mode.


1) I have deployed with combinations of standalone PIX firewalls/LocalDirectors/CSS11500s/FWSMs/CSM-S


2) I have deployed with FWSMs and CSM-Ss.


It would help if you could let us know what the firewall and load balancers are and if you have any preferences as to whether you run the firewall in routed/transparent and the load balancer in routed/bridged/one-armed mode.


Jon

lamav Fri, 03/14/2008 - 12:13

Hey, Jon:


You know, I honestly don't have any particular preference. I've examined this scenario a lot from a high-level design approach, but don't have too much experience actually implementing it.


So, I would really need someone to educate me on what my options are, best practices and the implications of doing things certain ways.


I know it's asking a lot. But even a skeleton model with something to build on would be great.


Let's just say we are dealing with a Cisco FWSM and a CSS in a 6500 aggregation switch chassis.


HTH


Victor

lamav Fri, 03/14/2008 - 15:20

(sounds of crickets chirping)...


...hello?


Where are all the experts? :-(

Jon Marshall Fri, 03/14/2008 - 15:51

Well that's a first. I actually typed over the character limit in a post so I've had to attach it as a doc.


Jon



lamav Fri, 03/14/2008 - 16:15

Jon!!


I have yet to read it, but I will in a few minutes. Nonetheless, I am sure it's typical of your work and reflects your great insight -- I appreciate all the time you took to write all that.


I am really appreciative, buddy. I owe you one. If you're in NY, dinner is on me. :-)


Thanks


Victor



Jon Marshall Fri, 03/14/2008 - 16:20

Victor


No problem, pleasure's all mine. I'm sure you'll have more questions!!


If you ever get over to London let me know.


Jon

lamav Fri, 03/14/2008 - 16:32

I'm reading it now. Great stuff. And you're right -- I will ask you a few more questions. :-D


Victor



lamav Fri, 03/14/2008 - 16:47

JON:


When you get a chance... no rush. Thanks again.


My comments in blue.


Victor



Jon Marshall Fri, 03/14/2008 - 18:07

Victor


My comments in red. We can pick this up tomorrow if you have more questions :-)


Jon

Correct Answer
Jon Marshall Fri, 03/14/2008 - 18:08

And here is the attachment...



Jon Marshall Fri, 03/14/2008 - 18:17

Victor


Apologies - there is a typo in a quite critical bit in the doc.


5) The server responds and sends the packet back to its default gateway, i.e. the FWSM server VLAN interface. The FWSM then sends the packet back out onto the VIP dmz because the destination IP address is routed back to the FWSM.


The last bit should read


because the destination IP address is routed back to the CSM.



As if it wasn't confusing enough !!


Jon
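Added example, not from the thread and not from Jon's attached doc: a hop-by-hop trace of Victor's two traffic flows with the default gateways placed as Jon's correction describes them (server -> FWSM server VLAN interface, FWSM -> CSM for the VIP dmz, CSM -> FWSM, agg -> FWSM outside). All addresses, VLAN names and hostnames are constructed. The thread only says the reply's destination is "routed back to the CSM"; this model assumes the usual way of making that true in a one-armed design, client NAT on the CSM, and then flips it off to show the failure mode a reviewer should check for: the reply skips the load balancer, the client hears back from the real server address instead of the VIP, and the stateful device only ever sees one direction of the session.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the example (none of these appear in the thread).
CLIENT     = "192.0.2.10"        # client somewhere beyond the core
VIP        = "198.51.100.100"    # CSM virtual server in the "VIP dmz" VLAN
CSM_NAT    = "198.51.100.50"     # CSM client-NAT address, also in the VIP dmz
REAL       = "10.1.1.21"         # real server in the FWSM server VLAN
CLIENT_NET = "192.0.2.0/24"
VIPDMZ_NET = "198.51.100.0/24"
SERVER_NET = "10.1.1.0/24"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class Device:
    """A routed hop: longest-prefix match of the destination against its table."""

    def __init__(self, name, routes):
        self.name = name
        self.routes = {ipaddress.ip_network(p): nh for p, nh in routes.items()}

    def next_hop(self, pkt):
        dst = ipaddress.ip_address(pkt.dst)
        best = max((n for n in self.routes if dst in n), key=lambda n: n.prefixlen)
        return self.routes[best]

    def forward(self, pkt):
        return self.next_hop(pkt), pkt


class Host(Device):
    """Client or server: one default gateway, delivers locally to its own address."""

    def __init__(self, name, addr, gateway):
        super().__init__(name, {"0.0.0.0/0": gateway})
        self.addr = addr

    def forward(self, pkt):
        if pkt.dst == self.addr:
            return None, pkt          # delivered; the trace stops here
        return self.next_hop(pkt), pkt


class LoadBalancer(Device):
    """CSM in one-armed mode (assumed): VIP -> real on the way in and, when
    client NAT is on, client -> CSM_NAT so the server's reply comes back here."""

    def __init__(self, name, gateway, nat_client):
        super().__init__(name, {"0.0.0.0/0": gateway})
        self.nat_client = nat_client
        self.sessions = {}            # (nat_src, real) -> (client, vip)

    def forward(self, pkt):
        if pkt.dst == VIP:                                   # client -> VIP
            src = CSM_NAT if self.nat_client else pkt.src
            self.sessions[(src, REAL)] = (pkt.src, VIP)
            pkt = Packet(src, REAL)
        elif (pkt.dst, pkt.src) in self.sessions:            # real -> client
            client, vip = self.sessions[(pkt.dst, pkt.src)]
            pkt = Packet(vip, client)
        return self.next_hop(pkt), pkt


def build_topology(nat_client=True):
    """Default gateways as the thread describes them: agg -> FWSM outside,
    FWSM -> CSM for the VIP dmz, CSM -> FWSM, server -> FWSM server VLAN."""
    return {
        "client": Host("client", CLIENT, "core"),
        "core":   Device("core", {CLIENT_NET: "client", "0.0.0.0/0": "agg"}),
        "agg":    Device("agg", {VIPDMZ_NET: "fwsm", SERVER_NET: "fwsm",
                                 "0.0.0.0/0": "core"}),
        "fwsm":   Device("fwsm", {VIPDMZ_NET: "csm", SERVER_NET: "server",
                                  "0.0.0.0/0": "agg"}),
        "csm":    LoadBalancer("csm", "fwsm", nat_client),
        "server": Host("server", REAL, "fwsm"),
    }


def trace(devices, start, pkt, max_hops=12):
    """Follow a packet from `start`; returns (hop list, packet as delivered)."""
    path, cur = [start], start
    for _ in range(max_hops):
        nh, pkt = devices[cur].forward(pkt)
        if nh is None:
            return path, pkt
        path.append(nh)
        cur = nh
    raise RuntimeError(f"routing loop after {max_hops} hops: {path}")


def round_trip(nat_client):
    """Client -> VIP request and the server's reply; report whether the CSM and
    FWSM saw both directions and which address the client hears back from."""
    devs = build_topology(nat_client)
    fwd_path, at_server = trace(devs, "client", Packet(CLIENT, VIP))
    reply = Packet(at_server.dst, at_server.src)   # server answers what it received
    ret_path, at_client = trace(devs, "server", reply)
    return {
        "forward": fwd_path,
        "return": ret_path,
        "client_got_reply_from": at_client.src,
        "csm_sees_both": "csm" in fwd_path and "csm" in ret_path,
        "fwsm_sees_both": "fwsm" in fwd_path and "fwsm" in ret_path,
    }


if __name__ == "__main__":
    for nat in (True, False):
        r = round_trip(nat)
        print(f"client NAT on CSM: {nat}")
        print("   request:", " -> ".join(r["forward"]))
        print("   reply:  ", " -> ".join(r["return"]))
        print("   client hears back from", r["client_got_reply_from"],
              "| CSM saw both directions:", r["csm_sees_both"])
```

Running it prints the two paths for each case. With client NAT the reply goes server -> fwsm -> csm -> fwsm -> agg -> core -> client and arrives from the VIP; without it the reply goes server -> fwsm -> agg -> core -> client and arrives from the real server's address, which a client TCP stack will reject. The FWSM sees both directions either way because the server's default gateway is the FWSM in both cases; the check that matters when placing gateways is whether every stateful hop on the request path is also on the reply path.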


lamav Sat, 03/15/2008 - 12:43

Jon:


What you wrote was awesome, dude. I really appreciate the detail and care you put into this.


I'll need some time to digest it all and make a mental picture so I can fully understand it.


I'll let you know in the future if I need more help.


THANK YOU!!


Victor
