Data Center Design Assistance

Mar 4th, 2010

We are building an infrastructure for hosting at a shared data center.  The goal is to have redundancy throughout the infrastructure.  Can someone please take a look at the rough draft design and give any feedback (good or bad)?


The goal is to have multiple clients residing on ESX with respective VLANs.  We will have two ASA 5540s with multiple security contexts and customers will terminate to Cisco 3925s utilizing IPsec tunnels.


My questions are as follows:


1.  How do I utilize the front-end 3750s for redundancy? Do I stack them and call it a day?

2.  Do I put my ASAs in Active/Active mode or Active/Passive mode?

3.  Should the 3925s use HSRP?


Again, any feedback is greatly appreciated.


Thank you

Jon Marshall Thu, 03/04/2010 - 07:48

jgorman1977 wrote:


We are building an infrastructure for hosting at a shared data center.  The goal is to have redundancy throughout the infrastructure.  Can someone please take a look at the rough draft design and give any feedback (good or bad)?


The goal is to have multiple clients residing on ESX with respective VLANs.  We will have two ASA 5540s with multiple security contexts and customers will terminate to Cisco 3925s utilizing IPsec tunnels.


My questions are as follows:


1.  How do I utilize the front-end 3750s for redundancy? Do I stack them and call it a day?

2.  Do I put my ASAs in Active/Active mode or Active/Passive mode?

3.  Should the 3925s use HSRP?


Again, any feedback is greatly appreciated.


Thank you


1) Yes, you can stack them or simply have them as two separate L2 switches interconnected via a trunk. The key thing, obviously, is to make sure they only operate at L2 and not L3. Because you are using these switches for both the inside and outside VLANs of your firewall, you must not allow them to route. You should also follow standard best practices for securing these switches and be fully aware of the possible issues with VLAN security:


6500 VLAN security


The above whitepaper covers things such as shutting down VLAN 1, changing the native VLAN or indeed tagging the native VLAN, etc. It is for the 6500, but most of it applies to all Catalyst switches.


Having separate switches for the inside and outside VLANs will always be that little bit more secure. Is there a reason you want to run the inside VLAN on the 3750 switches as well as your 4948, rather than just run the inside VLAN on the 4948?


2) If you are going to have one context per customer, then active/active would utilise both firewalls more effectively.


3) Not sure why you are using separate routers for VPN termination rather than using the 5540 firewalls. It's also not clear what is acting as the default gateway for the clients. I'm assuming the 5540s, so where does HSRP come into it?


Jon

jgorman1977 Thu, 03/04/2010 - 08:16

Jon,


1. Disregard my diagram. I will point the inside VLANs to the 4948.
3. As I understand it, we cannot terminate VPNs on the ASA 5540 if they are running contexts.  Is this incorrect?  If indeed we need to terminate the VPNs on the 3925, I was going to use the HSRP virtual IP as the default gateway for the clients on the LAN.


The more and more I look at this, the more I think we are wasting money and ports using the 3750s.


Thanks for your assistance.

Jon Marshall Thu, 03/04/2010 - 08:51

jgorman1977 wrote:


Jon,


1. Disregard my diagram. I will point the inside VLANs to the 4948.
3. As I understand it, we cannot terminate VPNs on the ASA 5540 if they are running contexts.  Is this incorrect?  If indeed we need to terminate the VPNs on the 3925, I was going to use the HSRP virtual IP as the default gateway for the clients on the LAN.


The more and more I look at this, the more I think we are wasting money and ports using the 3750s.


Thanks for your assistance.


3) Ah yes, I forgot that. You are quite right, you cannot use VPNs with multi-context. Apologies for that.


The problem with using the 3925 routers as the default gateway for clients is that they are routers, so you would need to ensure clients could not route between each other's VLANs on the 3925 routers. You could use ACLs, but ideally you want the default gateways for the clients to be the firewalls, not the routers, so the routers should actually be placed in a DMZ where the VPNs are terminated and then routed from there to the inside by the firewalls.


This would allow you to use the firewalls to keep the traffic separate. Alternatively, you could look at VRF-lite on the routers, where each customer has a completely isolated routing table. Not sure if the 3900 routers support VRF-lite, though.


Does the above make sense ?


Finally, I agree that if the 3750 switches are simply for the outside VLAN, they are indeed overkill. Two Layer 2 switches, e.g. 2960s, would work just as well and be less expensive.


Jon
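As an added example (not code from the thread, and not the poster's configuration), the Python below turns the two isolation rules from the replies above into a check that runs over `show running-config` text: the front-end 3750s must stay Layer 2 only with the whitepaper items applied (VLAN 1 shut and kept off trunks, native VLAN changed and tagged, DTP off), and if the 3925s end up as the customers' default gateway, every customer-facing interface and static route must sit in a per-customer VRF so the router cannot forward between customers. The embedded IOS snippets are constructed for the example; the VLAN numbers, addresses, VRF names and the IPsec profile name are assumptions, and the IKE/IPsec policy lines that the tunnel protection profile needs are omitted.

```python
# Added example, not code from the thread; configs below are constructed and
# every VLAN ID, address, VRF name and profile name is an assumption.
SWITCH_CFG = """\
no ip routing
vlan dot1q tag native
!
interface GigabitEthernet1/0/1
 switchport trunk native vlan 999
 switchport trunk allowed vlan 100-199
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 description trunk to 4948, left at defaults
 switchport mode trunk
!
interface Vlan1
 shutdown
"""

ROUTER_CFG = """\
ip vrf CUST-A
 rd 65000:10
!
interface GigabitEthernet0/0
 ip address 198.51.100.2 255.255.255.248
!
interface Tunnel10
 ip vrf forwarding CUST-A
 ip address 10.255.10.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.10
 tunnel protection ipsec profile IPSEC-PROF
!
interface GigabitEthernet0/1.110
 encapsulation dot1Q 110
 ip vrf forwarding CUST-A
 ip address 10.10.0.2 255.255.255.0
 standby 110 ip 10.10.0.1
!
interface GigabitEthernet0/1.120
 description CUST-B inside VLAN, mistake: no VRF, so it lands in the global table
 encapsulation dot1Q 120
 ip address 10.20.0.2 255.255.255.0
!
ip route vrf CUST-A 192.168.10.0 255.255.255.0 Tunnel10
"""


def parse_interfaces(cfg):
    """Map each 'interface X' stanza to its indented lines, stripped."""
    stanzas, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            stanzas[cur] = []
        elif line.startswith(" ") and cur is not None:
            stanzas[cur].append(line.strip())
        else:
            cur = None  # '!' or a global command ends the stanza
    return stanzas


def vlan_in_list(vlan, spec):
    """True if vlan falls inside an IOS allowed-vlan spec such as '1-5,100-199'."""
    return any(int(p.partition("-")[0]) <= vlan <= int(p.partition("-")[2] or p)
               for p in spec.split(","))


def audit_l2_switch(cfg):
    """Rule 1: the front-end switch must not route, and VLAN 1 / untagged native must be gone."""
    lines, findings = cfg.splitlines(), []
    if "no ip routing" not in lines:
        findings.append("ip routing enabled: switch could route between outside and inside VLANs")
    if "vlan dot1q tag native" not in lines:
        findings.append("native VLAN sent untagged (vlan dot1q tag native missing)")
    ifaces = parse_interfaces(cfg)
    if "shutdown" not in ifaces.get("Vlan1", []):
        findings.append("interface Vlan1 not shut down")
    for name, st in ifaces.items():
        if "switchport mode trunk" not in st:
            continue
        native = next((l.split()[-1] for l in st if l.startswith("switchport trunk native vlan")), "1")
        allowed = next((l.split()[-1] for l in st if l.startswith("switchport trunk allowed vlan")), None)
        if native == "1":
            findings.append(f"{name}: native VLAN is 1")
        if allowed is None or vlan_in_list(1, allowed):
            findings.append(f"{name}: VLAN 1 allowed on trunk")
        if "switchport nonegotiate" not in st:
            findings.append(f"{name}: DTP not disabled (switchport nonegotiate)")
    return findings


def audit_vrf_isolation(cfg, wan_ifaces=("GigabitEthernet0/0",)):
    """Rule 2: every addressed interface except the WAN uplink must be in a VRF, and
    only VRF-scoped (or default) statics are allowed, or the router bridges customers."""
    findings = []
    for name, st in parse_interfaces(cfg).items():
        addressed = any(l.startswith("ip address") for l in st)
        in_vrf = any(l.startswith("ip vrf forwarding") for l in st)
        if addressed and not in_vrf and name not in wan_ifaces:
            findings.append(f"{name}: addressed interface left in the global routing table")
    for line in cfg.splitlines():
        if line.startswith("ip route ") and not line.startswith(("ip route vrf ", "ip route 0.0.0.0 0.0.0.0")):
            findings.append(f"global static route visible to any interface outside a VRF: {line}")
    return findings
```

The switch sample has one trunk hardened and one left at defaults, and the router sample deliberately leaves the CUST-B subinterface outside its VRF, so each audit returns exactly the findings a reviewer would raise on that box; feed it the real running-configs and an empty list is the pass condition. Note that `ip vrf forwarding` must come before `ip address` in a stanza, because applying the VRF clears any address already set on the interface.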

jgorman1977 Thu, 03/04/2010 - 08:59

Jon,


Makes perfect sense.  I think the 3925 does support VRF-lite, so that's the most likely scenario.  I think the vendor scoped the 3750 because we have a 100 Mb metro LAN from our HQ to the DC and they wanted to utilize the 3750.


Thanks again

Jon Marshall Thu, 03/04/2010 - 09:12

jgorman1977 wrote:


Jon,


Makes perfect sense.  I think the 3925 does support VRF-lite, so that's the most likely scenario.  I think the vendor scoped the 3750 because we have a 100 Mb metro LAN from our HQ to the DC and they wanted to utilize the 3750.


Thanks again


No problem, glad to have helped.


The only thing I would add about the 3750 switches is that if they are the 3750 Metro Ethernet (3750ME) switches, then these have a more fully featured QoS feature set which could be useful in future. However, if they aren't, I agree with your point.


Jon

Adelaziz Ben Aziza Thu, 03/25/2010 - 11:17

I have maybe the same project for building a network infrastructure for hosting in our Data Center. We are a service provider and our Data Center is directly connected to our MPLS backbone with two 10 Gbps links to two different PEs. The goal is to have multiple clients hosting their platform in our Data Center, most of them having their own VRF on our backbone.


We have two ASA 5580s with 20 security contexts connected to two Cat 6509s (as two redundant aggregation switches). The goal is to use a dedicated VRF (multi-VRF lite) and FW context for each customer, in coherence with their VRF on the backbone.


How will it be possible to make this mapping between the customer's backbone VRF and its Data Center VRF? And what will be the routing method between my two Cat 6500s and the two PEs (classic routing, or a trunk for each VRF, ...)?


If I try to export the backbone VRFs into my Data Center, I would say that my two Cat 6509s will be considered as PEs!
