Howdy Cisco Community,
I am looking for some input to help me properly plan and elegantly design my logical network re-configuration. I'm specifically hoping to hear from people that have done this before, not just theory based on documentation.
To start, here is some background and the environment setup. The infrastructure exists to host internet-facing web/app/db servers for various external clients. The primary focus here is to ensure client environments are isolated from one another. I inherited the environment several years ago, so this restructuring has been a long time coming.
The equipment is as follows:
- (2) Cisco 2950 (external switching)
- (2) Cisco ASA 5520 (active/passive failover)
- (4) Cisco 3750G-48TS in stacked configuration
External Ethernet internet comes in through the two 2950s, then through the ASAs and finally to the core 3750 stack. Some ~100 servers are dual-linked and trunked to diverse switches in the stack.
There is an assortment of VLANs, but fundamentally each host is trunked to only two:
- a front-side where all web/app/db traffic operates; this includes external to internal (via ASA) for things like HTTP as well as server-to-server communication such as web to db
- a back-end management for backups and monitoring, all hosts are connected to this with no filtering
Some hosts may have a 3rd VLAN for iSCSI traffic, but this is not done over a physically separate interface. Aside from external to internal traffic through the ASAs there is no other filtering. There is no VLAN filtering of any kind (yet)... All hosts point to the ASA for default route. Overall, host traffic is rather light (5-15% utilization) with the exception of backups.
My goals for the reconfiguration are:
- Establish several new VLANs for servers based on client/role: web/app, DB or other. I need to logically separate the web and DB
- Each new server VLAN will have filtering between them (i.e. Client A web server can reach Client A DB server, but no Client A server can connect to Client B server). Some VLANs may have "light" internal filtering.
- Reconfigure the management VLAN with internal filtering (vlan filter). Since all hosts are connected to the management VLAN, filtering will be extensive.
- The ability to monitor internet traffic utilization by client. Right now this is done via each logical VLAN interface on the ASA. If web to db traffic starts to traverse through the ASA as well, this can pose a problem because that isn't internet bound and will skew the metrics.
My primary questions/concerns are:
- Which device should handle core routing given the plan for moderately extensive filtering, the ASA or the core stack?
- How can I anticipate the load impact of filtering on both the ASA and switching? I'm specifically worried about this on the switch stack.
- If the switch is the default route, should I trunk the ASA into all the web server VLANs, or create a single "external access" VLAN through which all inbound/outbound traffic flows?
Thanks for reading this far, I tried to keep this as short as possible. I am leaning towards making the 3750s the default route but am very concerned about switch load and filtering in the core.
Please ask for any additional information that may be helpful and thanks in advance for your responses.
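As an added illustration (not part of the original post or any reply to it), here is one way the design described above could look in Cisco IOS on the 3750 stack: the stack as default gateway, a single transit VLAN to the ASA, router ACLs on the per-client/per-tier SVIs for isolation, and a VLAN access map on the management VLAN for the host-to-host filtering that an SVI ACL cannot see. Every VLAN number, subnet, the ASA inside address, the backup and monitoring hosts, and the DB port are assumed for the example.

```cisco
! Added example, not from the original post. VLAN numbers, subnets, the ASA
! inside address, the backup/monitoring hosts and the DB port are all assumed.
ip routing
!
! Transit VLAN: the only place the ASA touches the core. Internet-bound traffic
! crosses it; web-to-db traffic stays on the stack and never reaches the ASA.
interface Vlan10
 description Transit to ASA inside (assumed 10.0.10.0/30)
 ip address 10.0.10.1 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 10.0.10.2
!
! Client A web/app tier: may reach only Client A's DB tier internally;
! every other internal destination is dropped, internet-bound traffic goes
! to the ASA via the default route.
ip access-list extended CLIENTA-WEB-IN
 remark web -> own DB tier on the DB port (3306 assumed)
 permit tcp 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255 eq 3306
 remark no other internal destination (covers every other client's VLANs)
 deny   ip 10.1.10.0 0.0.0.255 10.0.0.0 0.255.255.255
 remark remainder is internet-bound
 permit ip 10.1.10.0 0.0.0.255 any
!
! Client A DB tier: replies to its own web tier only, no outbound internet.
! These ACLs are stateless; "established" matches return packets (ACK/RST set).
ip access-list extended CLIENTA-DB-IN
 permit tcp 10.1.20.0 0.0.0.255 eq 3306 10.1.10.0 0.0.0.255 established
 deny   ip any any
!
interface Vlan110
 description Client A web/app (assumed)
 ip address 10.1.10.1 255.255.255.0
 ip access-group CLIENTA-WEB-IN in
!
interface Vlan120
 description Client A DB (assumed)
 ip address 10.1.20.1 255.255.255.0
 ip access-group CLIENTA-DB-IN in
!
! Client B gets the same pair (e.g. VLANs 210/220, 10.2.x.0/24) with its own
! ACLs; the deny 10.0.0.0/8 line in each web ACL is what keeps clients apart.
!
! Management VLAN: every host sits here, so the filter has to act inside the
! VLAN. A router ACL on the SVI never sees host-to-host traffic; a VACL does.
ip access-list extended MGMT-TO-INFRA
 remark hosts <-> backup server and monitoring server only (addresses assumed)
 permit ip 172.16.0.0 0.0.255.255 host 172.16.0.10
 permit ip host 172.16.0.10 172.16.0.0 0.0.255.255
 permit ip 172.16.0.0 0.0.255.255 host 172.16.0.11
 permit ip host 172.16.0.11 172.16.0.0 0.0.255.255
ip access-list extended MGMT-ANY
 permit ip any any
!
vlan access-map MGMT-FILTER 10
 match ip address MGMT-TO-INFRA
 action forward
vlan access-map MGMT-FILTER 20
 match ip address MGMT-ANY
 action drop
!
vlan filter MGMT-FILTER vlan-list 900
```

Two points worth checking against the concerns in the post. First, on the 3750 family both router ACLs and VLAN access maps are programmed into TCAM and evaluated in hardware, so the load question is TCAM capacity rather than CPU; an ACL that cannot be fitted into TCAM causes the switch to punt that interface's traffic to the CPU, which is the case to watch for, and `show platform tcam utilization` shows the current fill. Second, with a single transit VLAN the ASA only ever sees internet-bound traffic, so web-to-db flows no longer skew its counters, but per-client utilization then has to be read from the SVI or ACL counters on the stack rather than from per-client ASA interfaces.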