Design Question About Deploying Data Center Services

May 17th, 2008

With a 3-tiered server farm, including routed access and distribution layers, I have 2 questions:

1.) Would I still be able to deploy network services, such as server load balancing, inter-vlan firewalling, ssl offloading, etc, at the distro layer? In other words, would the L3 isolation provided by the routed access layer preempt the possibility of deploying those services at the distribution layer? It seems to me that the answer is yes -- it would preempt, but please give a detailed explanation as to why not.

2.) Deploying those services would only make sense at the distribution layer, correct? Correct me if I'm wrong, but given the limitations of a routed access layer, such as the inability to span a VLAN across a switch cluster, plus given the fact that you want those service appliances/modules to span across the data center and support all server farm switch clusters in the first place, the answer to me is that they must be deployed at the routed distribution layer (probably with a SWITCHED access layer... going back to question 1).

I welcome and appreciate everyone's input, but this really sounds like a Jon Marshall set of questions! :-)


Victor Lama

Jon Marshall Sat, 05/17/2008 - 11:21

Hi Victor

You know there are a lot more people than just me capable of answering these questions right ?


To answer both at the same time. You have put your finger on why a routed access-layer in a data centre when deploying services in the distro layer is not always a good idea.

I think a routed access-layer in the campus/building environment is a very valid choice, and indeed our support guys where I work have said they find it very easy to troubleshoot a L3 setup like this. It also has the advantage of no STP etc., but we covered all these before and I know I am preaching to the converted here :-).

But in the data centre it is a different thing altogether.

For example if you wanted to run your firewall in transparent mode then you cannot deploy in the distro layer with L3 in access.

The same goes for running your load-balancing in bridged mode; this won't work across L3 routed links.

Now you could run your firewalling in routed mode and your load-balancing in routed mode, but why cut down on your options? When you design a data centre you are looking for redundancy/scalability and flexibility. You may not need a transparent firewall setup now, but you may in future.

To give an example of the sort of things you need to think about:

The CSM/CSM-S support something called RRI, where they can inject routes into the routing table dependent on whether VIPs are available or not. But you can only use this if the CSM is L2 adjacent to the MSFC. Now if you need to firewall access to the VIP, you can only use the firewall in transparent mode, because if it was in routed mode your CSM is not L2 adjacent to the MSFC.

A small example but one that gives you an idea of the things that need to be taken into account.

So if you built a L3 routed access-layer and then later needed RRI, you now have to deploy services into the access-layer. You can do this, but it's not exactly scalable. What happens if you need the same setup in another part of your access-layer? Starts getting expensive!

I still am of the opinion that L2 in the access-layer in a data centre gives far more flexibility and servers in data centre often need the flexibility that clients in a campus do not.

I am always worried that if I design a L3 data centre I am going to get caught out further down the line. Mind you, there is nothing to say you cannot have a mixture of L2/L3 from the access-layer.
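As an added illustration (not part of this thread, and not a configuration from either poster), the Catalyst 6500 distribution-layer fragment below shows the L2 adjacency Jon describes: the MSFC has an SVI on VLAN 30, a transparent-mode FWSM bridges VLAN 30 to VLAN 31, and a CSM on VLAN 31 uses RRI (`advertise active`) so the VIP host route is injected into the MSFC table only while at least one real server is up. Because the firewall bridges rather than routes, the CSM and the MSFC stay in the same subnet. The slot numbers, VLAN numbers, addresses and server-farm names are assumed for the example. The access-layer uplink is a Layer 2 trunk carrying the server VLAN up to the distribution chassis; with a routed access layer that uplink would be a `no switchport` routed link and VLAN 20 would terminate at the access switch instead, so the CSM's server VLAN could not reach the servers.

```cisco
! Added example: Catalyst 6500 distribution switch with an FWSM in slot 4
! and a CSM in slot 5. Slots, VLANs and addresses are assumed for illustration.
!
! --- Supervisor / MSFC ---
! Server VLAN 20 is trunked up from the Layer 2 access switches, so it spans
! the server farm and terminates on the distribution chassis, not at the access layer.
interface GigabitEthernet1/1
 description Uplink to L2 access switch
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 20
 switchport mode trunk
!
! VLAN 30 is the MSFC side of the transparent firewall, VLAN 31 the CSM client side.
! Both carry the same IP subnet; the FWSM bridges them, so the CSM remains
! L2 adjacent to the MSFC and RRI keeps working.
interface Vlan30
 ip address 10.10.10.1 255.255.255.0
!
! Hand VLANs 30 and 31 to the FWSM in slot 4.
firewall vlan-group 1 30,31
firewall module 4 vlan-group 1
!
! --- FWSM (configured from "session slot 4 processor 1") ---
! Transparent mode: one IP for the bridged pair, used only for management.
firewall transparent
interface Vlan30
 nameif outside
 security-level 0
interface Vlan31
 nameif inside
 security-level 100
ip address 10.10.10.3 255.255.255.0
! Only permit HTTP to the VIP from outside; everything else towards the CSM is dropped.
access-list OUTSIDE-IN extended permit tcp any host 10.10.10.100 eq www
access-group OUTSIDE-IN in interface outside
!
! --- CSM in slot 5 ---
module ContentSwitchingModule 5
 vlan 31 client
  ip address 10.10.10.2 255.255.255.0
  gateway 10.10.10.1
 vlan 20 server
  ip address 10.10.20.1 255.255.255.0
 serverfarm WEB
  nat server
  no nat client
  real 10.10.20.11
   inservice
  real 10.10.20.12
   inservice
 vserver WEB-VIP
  virtual 10.10.10.100 tcp www
  serverfarm WEB
  ! RRI: inject a host route for 10.10.10.100 into the MSFC only while a real is active
  advertise active
  inservice
```

To check the RRI behaviour, take both reals out of service on the CSM and run `show ip route 10.10.10.100` on the MSFC: the host route should disappear, and reappear once a real is back in service. If the FWSM were instead configured in routed mode (VLAN 30 and VLAN 31 in different subnets), the CSM's client address would no longer be directly connected to the MSFC, which is the adjacency loss Jon refers to.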


lamav Sat, 05/17/2008 - 13:10

Jon, that was awesome, dude! Exactly what I was looking for. And I happen to agree with you 100%.

I am probing because I had a discussion yesterday with 2 seasoned engineers in which I had to "defend" a design that deployed a switched access layer. They didn't seem to get it when I explained to them that the switched access layer was deployed to preserve layer 2 adjacency which is needed to support data center server farm services at the distro layer.

Don't get me wrong, they didn't debate it at all. They just seemed puzzled, and it made me wonder if designs that support routed access layers AS WELL AS data center services at a routed distro layer are common. I think they are not.

By the way, I know there are plenty of people on here who are very experienced and I would love to hear from them... I usually don't, though.
