Cisco Support Community

Design Question About Deploying Data Center Services

With a 3-tiered server farm, including routed access and distribution layers, I have 2 questions:

1.) Would I still be able to deploy network services, such as server load balancing, inter-VLAN firewalling, SSL offloading, etc., at the distro layer? In other words, would the L3 isolation provided by the routed access layer preempt the possibility of deploying those services at the distribution layer? It seems to me that the answer is yes -- it would preempt, but please give a detailed explanation as to why not.

2.) Deploying those services would only make sense at the distribution layer, correct? Correct me if I'm wrong, but given the limitations of a routed access layer, such as the inability to span a VLAN across a switch cluster, plus given the fact that you want those service appliances/modules to span across the data center and support all server farm switch clusters in the first place, the answer to me is that they must be deployed at the routed distribution layer (probably with a SWITCHED access layer....going back to question 1).

I welcome and appreciate everyone's input, but this really sounds like a Jon Marshall set of questions! :-)


Victor Lama


Re: Design Question About Deploying Data Center Services

Hi Victor

You know there are a lot more people than just me capable of answering these questions, right?


To answer both at the same time: you have put your finger on why a routed access-layer in a data centre, when deploying services in the distro layer, is not always a good idea.

I think a routed access-layer in the campus/building environment is a very valid choice, and indeed our support guys where I work have said they find it very easy to troubleshoot an L3 setup like this. It also has the advantages of no STP etc., but we covered all these before and I know I am preaching to the converted here :-).

But in the data centre it is a different thing altogether.

For example, if you wanted to run your firewall in transparent mode then you cannot deploy it in the distro layer with L3 in the access-layer.

The same goes for running your load-balancing in bridged mode; this won't work across L3 routed links.

Now you could run your firewalling in routed mode and your load-balancing in routed mode, but why cut down on your options? When you design a data centre you are looking for redundancy, scalability and flexibility. You may not need a transparent firewall setup now, but you may in future.

To give an example of the sort of things you need to think about:

The CSM/CSM-S support something called RRI, where they can inject routes into the routing table dependent on whether VIPs are available or not. But you can only use this if the CSM is L2 adjacent to the MSFC. Now if you need to firewall access to the VIP you can only use the firewall in transparent mode, because if it was in routed mode your CSM is not L2 adjacent to the MSFC.

A small example, but one that gives you an idea of the things that need to be taken into account.

So if you built an L3 routed access-layer and then later needed RRI, you now have to deploy services into the access-layer. You can do this, but it's not exactly scalable. What happens if you need the same setup in another part of your access-layer? Starts getting expensive!!

I still am of the opinion that L2 in the access-layer in a data centre gives far more flexibility, and servers in a data centre often need the flexibility that clients in a campus do not.

I am always worried that if I design an L3 data centre I am going to get caught out further down the line. Mind you, there is nothing to say you cannot have a mixture of L2/L3 from the access-layer.
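
As an added illustration of the RRI dependency described in the reply above (this is not configuration from the thread or from either poster; the module slot, VLAN numbers, addresses, probe and farm names are assumptions), a CSM vserver with route health injection enabled, together with the MSFC side where the CSM client VLAN is an SVI on the same chassis, which is the L2 adjacency the injection relies on:

```cisco
! --- CSM side (assumed slot 4) ---
module ContentSwitchingModule 4
 vlan 100 client
  ip address 10.100.0.5 255.255.255.0
  gateway 10.100.0.1
 !
 vlan 200 server
  ip address 10.200.0.5 255.255.255.0
 !
 ! health probe that decides whether real servers are usable
 probe WEB-PROBE http
  request method get url /index.html
  interval 5
  failed 30
 !
 serverfarm WEB-FARM
  nat server
  no nat client
  real 10.200.0.11
   inservice
  real 10.200.0.12
   inservice
  probe WEB-PROBE
 !
 vserver WEB-VIP
  virtual 10.100.0.100 tcp www
  serverfarm WEB-FARM
  ! RRI: the /32 for the VIP is injected into the MSFC routing table
  ! only while at least one real server in WEB-FARM passes the probe
  advertise active
  inservice

! --- MSFC side, same chassis ---
! the CSM client VLAN must exist as an SVI here; with an L3 routed
! access-layer between CSM and MSFC there is no such adjacency
interface Vlan100
 ip address 10.100.0.1 255.255.255.0
!
! the injected VIP route appears as a static host route; only that
! prefix is redistributed so the VIP is advertised just while it is up
ip prefix-list RHI-VIPS seq 5 permit 10.100.0.100/32
route-map RHI-ROUTES permit 10
 match ip address prefix-list RHI-VIPS
!
router ospf 1
 redistribute static subnets route-map RHI-ROUTES
```

If a firewall has to sit between the MSFC and the VIP, it must bridge VLAN 100 (transparent mode) rather than route it, otherwise the adjacency this depends on is lost.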



Re: Design Question About Deploying Data Center Services

Jon, that was awesome, dude! Exactly what I was looking for. And I happen to agree with you 100%.

I am probing because I had a discussion yesterday with 2 seasoned engineers in which I had to "defend" a design that deployed a switched access layer. They didn't seem to get it when I explained to them that the switched access layer was deployed to preserve layer 2 adjacency, which is needed to support data center server farm services at the distro layer.

Don't get me wrong, they didn't debate it at all. They just seemed puzzled, and it made me wonder if designs that support routed access layers AS WELL AS data center services at a routed distro layer are common. I think they are not.

By the way, I know there are plenty of people on here who are very experienced and I would love to hear from them...I usually don't, though.


