Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


Cisco ASA and data center design

Posted on 2010-08-28
Medium Priority
Last Modified: 2012-05-10
A customer is going to be implementing a Cisco Catalyst 6506 VSS pair for their network core, which has fiber uplinks to all of their IDF closets, and connectivity to their 10-Gb data center fabric.  The data center portion is using Cisco Nexus technology, and is organized like this (simplified):

         Cat6K ---  Cat6K
            |      \    /      |
            |      /    \      |
        Nex5K      Nex5K
            |      \    /      |
            |      /    \      |
        Nex2K      Nex2K

All of the ports on the Cat 6K's are 10-Gb, the 5K ports are 1/10-Gb, and the 2K fabric extenders provide 1-GE downlinks to the data center servers.  (These are essentially remote line cards for the Nexus 5K boxes to provide higher server density.)

The customer also has several other peripheral appliances, such as dual ASA firewalls, dual CSS load balancers, a wireless LAN controller, etc., all of which have 1-GE ports.  We need to determine the best way to integrate these into the design, since they cannot connect to the 10-Gb ports on the 6506's directly.  The two options I see are:

1) add an additional 1-GE line card to the Cat6K's (such as a WS-X6748-GE-TX), or

2) connect these appliances to the Nexus 2K fabric in the data center, along with the data center servers

Let's focus on the ASA firewalls, which form the barrier between the campus and the Internet. I believe the best design would be to add the line cards, and connect the ASA's directly to the core.  The "problem" is that they only need 7-8 GE ports, and the 6748 line card lists for $15,000.  (Cisco doesn't make an 8, 16 or even 24-port GE copper line card for these switches.)  

There is plenty of available port density on the Nexus 2K's, so connecting the ASA's to them wouldn't cost a dime, but it SEEMS to me like a questionable design to have the firewalls positioned in the data center fabric, and having all in/outbound Internet traffic traverse the data center layer 2 network.

So, what I'm asking for are specific design reasons why positioning the ASA firewalls directly off the data center fabric would be a BAD idea, and thus support purchasing the new (although expensive) line cards.  Or, justify why this wouldn't really be a problem, and maybe my concerns are unfounded.

Thank you!

Question by:cfan73
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
LVL 18

Expert Comment

ID: 33552614
I'm not sure I have a real answer for you other than to say I've done a few data center designs and my approach would be to use the ASA 5580 which does support 10GB interfaces.  But if the customer is balking at $15k for a line card, they'd probably have a heart attack over what a 5580 costs, so my guess is that's not the ASA platform you have to work with.  Any ideas what kind of real-world throughput they're expecting over those links?  The ASA doesn't support ECLB so you won't be able to combine interfaces for more throughput.  The 5550 only supports up to a little over a Gig throughput.

I tend to agree with you in principal that I would keep the ASAs out of the Nexus layer. If you look at Cisco's validated designs for data center security they all place the ASA higher up in the architecture at the aggregation layer.  See http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/DC_3_0/dc_sec_design.html. This may be your best support for your argument.


Author Comment

ID: 33553186
Thanks for the input!  Thing is, the ASA's 5510's are already in place - this is an upgrade for their campus core and data center infrastructure.  Plus, the ASA's are serving as firewalls to/from the Internet, and not to provide the data center directly.  So, in a "typical" Cisco validated design, these would be out in some kind of Enterprise Edge block - or next best, directly connected to the core (I believe).

I need ammunition, though - hopefully specific reasons why reconfiguring the Internet edge to be hanging off of ASA's in the data center fabric could cause security concern or other types of problems.

Hopefully that helps - all input is required.

Author Comment

ID: 33553201
All input is appreciated, I meant.  :)
Understanding Web Applications

Without even knowing it, most of us are using web applications on a daily basis. Gmail and Yahoo email, Twitter, Facebook, and eBay are used by most of us daily—and they are web applications. We often confuse these web applications tools for websites.  So, what is the difference?

LVL 79

Expert Comment

ID: 33553591
How a bout a pair of 2960S's 24 port Gig, with 10G uplinks? The two switches can stack together, and you can have redundant 10G connections to the core VSS pair. This pair should support all of your peripheral devices with full redundency..
It doesn't sound like any single point of failure will be an option, so a pair of switches is best. 3750Xs are certainly a great option, but cost 2x more than the 2960's.

Author Comment

ID: 33554101
Thanks, lrmoore - that would certainly be an option vs. the 48-port line 67xx line cards.   Good idea...

For ammunition, though - can you help me identify potential problems or security/performance risks that might go along w/ connecting them directly the L2 data center fabric?
LVL 79

Expert Comment

ID: 33554272
I don't know of any downside
* redundant connections
* 10G connection to core, 1G connection to ASA's with ?? bandwidth to the internet? The ASA 5510 will be the bottleneck if there is one.
* ability to setup L3 internet zone. No broadcasts will ever hit the firewalls
* $$ vs redundant blades on the core switches
* Nexus 5K does not support Layer 3 to allow creation of internet transit network

According to Cisco best practices for network design, the "internet zone" should be separated from the Core services.
you could have 1 10G link as a L2 trunk to the switch stack to support things like Wireless, guest access, etc.
you could have 1 10G link as a L3 routed interface on the core as the Internet zone l3 boundary.

Author Comment

ID: 33554430
Thanks again, lrmoore - I think I'm almost there.  When mentioning "Pros" of connecting the device through the data center L2 switch fabric, you mention the ability to setup an L3 internet zone, but then later mention that the 5K does not support L3 for this purpose (as it is a pure L2 switch).  This sounds like a contradiction, so could you please clarify?  

Given the above, it would seem that the only way to prevent broadcasts (from servers in the data center, for example) from hitting the ASA firewalls would be to put their ports in a different L2 VLAN, so that the core VSS pair would provide the routing and be the L3 boundary - is this what you were suggesting?

Lastly, regarding the "Cisco best practice" of separating the Internet zone and core services, could you clarify your last two bullets?  Again, hooking the ASA's directly in the L2 data center switch fabric seems to be the opposite of this recommendation.

Thanks again - sorry if this is taking longer to sink in than it should.
LVL 79

Accepted Solution

lrmoore earned 2000 total points
ID: 33554515
Sorry for the confusion...

Nexus 5K does not support L3, so connecting the ASA to the 5K is, IMHO, not an option.

I would create L3 routed interfaces on the VSS pair connecting to the 2960S pair. This creates a broadcast boundary without the L3 requirements.

Trunking another interface to the 2960S pair would allow for multiple VLAN's to hit the wireless controller and other devices needing to connect to the network within the data center proper.
If you need PoE for phones or other devices within the data center proper, you can opt for the PoE version of the 2960S.

Or, you could just trunk the ports to the VSS core and use the 6500 for all of the L3 vlan interfaces.
There are plenty of options is all I'm saying. What will work best for your situation only you can determine... but yes, the 6500 is the L3 boundary for everything.

Author Comment

ID: 33554582
Good deal - I think that's sufficient for now.  I appreciate your help and patience!

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is a collection of issues that people face from time to time and possible solutions to those issues. I hope you enjoy reading it.
Make the most of your online learning experience.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question