Solved

Cisco ASA and data center design

Posted on 2010-08-28
1,911 Views
Last Modified: 2012-05-10
A customer is going to be implementing a Cisco Catalyst 6506 VSS pair for their network core, which has fiber uplinks to all of their IDF closets, and connectivity to their 10-Gb data center fabric.  The data center portion is using Cisco Nexus technology, and is organized like this (simplified):

          Cat6K ---- Cat6K
            |   \  /   |
            |   /  \   |
          Nex5K      Nex5K
            |   \  /   |
            |   /  \   |
          Nex2K      Nex2K
       ||||||||||||||||||||||
              servers

All of the ports on the Cat 6K's are 10-Gb, the 5K ports are 1/10-Gb, and the 2K fabric extenders provide 1-GE downlinks to the data center servers.  (These are essentially remote line cards for the Nexus 5K boxes to provide higher server density.)

The customer also has several other peripheral appliances, such as dual ASA firewalls, dual CSS load balancers, a wireless LAN controller, etc., all of which have 1-GE ports.  We need to determine the best way to integrate these into the design, since they cannot connect to the 10-Gb ports on the 6506's directly.  The two options I see are:

1) add an additional 1-GE line card to the Cat6K's (such as a WS-X6748-GE-TX), or

2) connect these appliances to the Nexus 2K fabric in the data center, along with the data center servers

Let's focus on the ASA firewalls, which form the barrier between the campus and the Internet. I believe the best design would be to add the line cards, and connect the ASA's directly to the core.  The "problem" is that they only need 7-8 GE ports, and the 6748 line card lists for $15,000.  (Cisco doesn't make an 8, 16 or even 24-port GE copper line card for these switches.)  

There is plenty of available port density on the Nexus 2K's, so connecting the ASA's to them wouldn't cost a dime, but it SEEMS to me like a questionable design to have the firewalls positioned in the data center fabric, and having all in/outbound Internet traffic traverse the data center layer 2 network.

So, what I'm asking for are specific design reasons why positioning the ASA firewalls directly off the data center fabric would be a BAD idea, and thus support purchasing the new (although expensive) line cards.  Or, justify why this wouldn't really be a problem, and maybe my concerns are unfounded.

Thank you!

Question by:cfan73

9 Comments
LVL 18

Expert Comment

by:jmeggers
ID: 33552614
I'm not sure I have a real answer for you other than to say I've done a few data center designs and my approach would be to use the ASA 5580, which does support 10-Gb interfaces.  But if the customer is balking at $15k for a line card, they'd probably have a heart attack over what a 5580 costs, so my guess is that's not the ASA platform you have to work with.  Any ideas what kind of real-world throughput they're expecting over those links?  The ASA doesn't support ECLB, so you won't be able to combine interfaces for more throughput.  The 5550 only supports up to a little over a Gig of throughput.

I tend to agree with you in principle that I would keep the ASAs out of the Nexus layer. If you look at Cisco's validated designs for data center security, they all place the ASA higher up in the architecture at the aggregation layer.  See http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/DC_3_0/dc_sec_design.html. This may be your best support for your argument.

0
 

Author Comment

by:cfan73
ID: 33553186
Thanks for the input!  Thing is, the ASA 5510's are already in place - this is an upgrade for their campus core and data center infrastructure.  Plus, the ASA's are serving as firewalls to/from the Internet, and not to protect the data center directly.  So, in a "typical" Cisco validated design, these would be out in some kind of Enterprise Edge block - or next best, directly connected to the core (I believe).

I need ammunition, though - hopefully specific reasons why reconfiguring the Internet edge to be hanging off of ASA's in the data center fabric could cause security concern or other types of problems.

Hopefully that helps - all input is required.
0
 

Author Comment

by:cfan73
ID: 33553201
All input is appreciated, I meant.  :)
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 33553591
How about a pair of 2960S's, 24-port Gig, with 10G uplinks? The two switches can stack together, and you can have redundant 10G connections to the core VSS pair. This pair should support all of your peripheral devices with full redundancy.
It doesn't sound like any single point of failure will be an option, so a pair of switches is best. 3750Xs are certainly a great option, but cost 2x more than the 2960's.
0
 

Author Comment

by:cfan73
ID: 33554101
Thanks, lrmoore - that would certainly be an option vs. the 48-port 67xx line cards.   Good idea...

For ammunition, though - can you help me identify potential problems or security/performance risks that might go along with connecting them directly to the L2 data center fabric?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 33554272
I don't know of any downside.
Pros:
* redundant connections
* 10G connection to core, 1G connection to ASA's with ?? bandwidth to the Internet? The ASA 5510 will be the bottleneck if there is one.
* ability to set up an L3 Internet zone. No broadcasts will ever hit the firewalls
* $$ vs. redundant blades on the core switches
* Nexus 5K does not support Layer 3 to allow creation of an Internet transit network

According to Cisco best practices for network design, the "Internet zone" should be separated from the core services.
You could have one 10G link as an L2 trunk to the switch stack to support things like wireless, guest access, etc.
You could have one 10G link as an L3 routed interface on the core as the Internet zone L3 boundary.
0
 

Author Comment

by:cfan73
ID: 33554430
Thanks again, lrmoore - I think I'm almost there.  When mentioning "Pros" of connecting the device through the data center L2 switch fabric, you mention the ability to setup an L3 internet zone, but then later mention that the 5K does not support L3 for this purpose (as it is a pure L2 switch).  This sounds like a contradiction, so could you please clarify?  

Given the above, it would seem that the only way to prevent broadcasts (from servers in the data center, for example) from hitting the ASA firewalls would be to put their ports in a different L2 VLAN, so that the core VSS pair would provide the routing and be the L3 boundary - is this what you were suggesting?

Lastly, regarding the "Cisco best practice" of separating the Internet zone and core services, could you clarify your last two bullets?  Again, hooking the ASA's directly in the L2 data center switch fabric seems to be the opposite of this recommendation.

Thanks again - sorry if this is taking longer to sink in than it should.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 33554515
Sorry for the confusion...

Nexus 5K does not support L3, so connecting the ASA to the 5K is, IMHO, not an option.

I would create L3 routed interfaces on the VSS pair connecting to the 2960S pair. This creates a broadcast boundary without the L3 requirements.

Trunking another interface to the 2960S pair would allow for multiple VLANs to hit the wireless controller and other devices needing to connect to the network within the data center proper.
If you need PoE for phones or other devices within the data center proper, you can opt for the PoE version of the 2960S.

Or, you could just trunk the ports to the VSS core and use the 6500 for all of the L3 VLAN interfaces.
There are plenty of options is all I'm saying. What will work best for your situation only you can determine... but yes, the 6500 is the L3 boundary for everything.
0
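As an added illustration (not configuration from the thread, from Cisco, or from either poster), here is what the accepted design looks like in Catalyst 6500 VSS and 2960S IOS syntax: one routed port-channel to the 2960S stack that carries only the ASA inside transit network, a second trunked port-channel for the other 1-GE appliances, and the data center trunks kept free of the edge VLANs so server broadcasts never reach the firewall. Interface numbers, VLAN IDs, port-channel numbers and addresses are all assumptions chosen for the example.

```cisco
! ===== Catalyst 6506 VSS pair (assumed interface numbering sw/slot/port) =====
!
! 1) Internet-zone L3 boundary: a ROUTED port-channel, one 10G member per chassis.
!    This is the broadcast boundary lrmoore describes: the ASA inside interface
!    lives on this /30 and on nothing else.
interface Port-channel90
 description L3 Internet zone -> 2960S stack (ASA inside transit)
 no switchport
 ip address 10.255.0.1 255.255.255.252   ! ASA inside = 10.255.0.2 (assumed)
 no ip proxy-arp
 no ip redirects
 no ip unreachables
!
interface TenGigabitEthernet1/5/1
 description VSS chassis 1 -> 2960S member 1 (Internet zone)
 no switchport
 channel-group 90 mode active
!
interface TenGigabitEthernet2/5/1
 description VSS chassis 2 -> 2960S member 2 (Internet zone)
 no switchport
 channel-group 90 mode active
!
! Default route toward the firewall's inside address.
ip route 0.0.0.0 0.0.0.0 10.255.0.2
!
! 2) Second port-channel, L2 trunk, for the remaining 1-GE appliances
!    (wireless controller, load balancers, guest access). Only the VLANs
!    those devices need are allowed; server VLANs (100-199 here) are not.
vlan 901
 name PERIPHERAL-APPLIANCES
vlan 902
 name WIRELESS-GUEST
!
interface Port-channel91
 description L2 trunk -> 2960S stack (appliances / wireless / guest)
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 901,902
 switchport mode trunk
 switchport nonegotiate
!
interface TenGigabitEthernet1/5/2
 description VSS chassis 1 -> 2960S member 1 (trunk)
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 901,902
 switchport mode trunk
 channel-group 91 mode active
!
interface TenGigabitEthernet2/5/2
 description VSS chassis 2 -> 2960S member 2 (trunk)
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 901,902
 switchport mode trunk
 channel-group 91 mode active
!
! The 6500 owns the SVIs, so it is the L3 boundary for these VLANs too.
interface Vlan901
 description Gateway for peripheral appliances
 ip address 10.255.1.1 255.255.255.0
!
! 3) Data center trunk toward the Nexus 5K pair: edge VLANs are explicitly
!    absent, so the Internet edge and the server L2 domain never share a
!    broadcast domain even if a 2K port is mis-patched.
interface Port-channel10
 description Trunk -> Nexus 5K pair (data center fabric)
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100-199
 switchport mode trunk
!
! ===== 2960S stack side (assumed) =====
! The routed uplink and the ASA inside ports are access ports in one VLAN
! that exists only on this stack; it is never trunked anywhere else.
vlan 900
 name ASA-INSIDE-TRANSIT
!
interface range TenGigabitEthernet1/0/1 , TenGigabitEthernet2/0/1
 description Uplinks to VSS Po90 (Internet zone)
 switchport mode access
 switchport access vlan 900
 channel-group 90 mode active
!
interface GigabitEthernet1/0/1
 description ASA-A inside
 switchport mode access
 switchport access vlan 900
 spanning-tree portfast
!
interface GigabitEthernet2/0/1
 description ASA-B inside
 switchport mode access
 switchport access vlan 900
 spanning-tree portfast
```

The check worth making after cutover is `show spanning-tree vlan 900` and `show vlan brief` on the Nexus side: VLAN 900 (and the ASA MAC addresses) should not appear anywhere in the data center fabric, and `show ip route` on the VSS should show the default pointing at 10.255.0.2 via Port-channel90 rather than via any server-facing SVI.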
 

Author Comment

by:cfan73
ID: 33554582
Good deal - I think that's sufficient for now.  I appreciate your help and patience!
0