troubleshooting Question
Campus network/security design
A new customer building consists of 7-8 floors, 14-16 IDFs and an MDF split between two sides of the same floor. All equipment has already been procured, which consists of Cisco Catalyst 9K (fully Layer-3 licensed) throughout.
We had a design call with them last week, and their intended logical design was to make everything Layer 2 in this new building, pulling all routing and security back over the fiber connections across the street to Nexus 7K switches currently serving as the core for everything. (So, all VLANs/subnets would extend outside of the building back to the core across the street.)
The logic here would be that they want to have a central policy point/device through which all traffic would traverse and thus be inspected. They're aware of Cisco ISE/SGT technology, but seem at this point convinced that the best approach would be NOT to Layer 3 segment the new building, even at the core pair in the MDF.
My initial input on the call was to heavily advise Layer 3 at the building "core" (two Cisco Catalyst 9600 chassis in a logical pair), if not also to roll out a routed access design (L3 at the edge).
The guy that recommended this "all L2 in the new building" design comes from a security background, and I've seen this approach quite a bit, trying to hairpin all traffic back to a pair of firewalls. This doesn't make much sense to me from a design and scale standpoint. Maybe it'd work in smaller data centers, but for new campus building location?
I'm looking for input to either combat or support this customer design.
We had a design call with them last week, and their intended logical design was to make everything Layer 2 in this new building, pulling all routing and security back over the fiber connections across the street to Nexus 7K switches currently serving as the core for everything. (So, all VLANs/subnets would extend outside of the building back to the core across the street.)
The logic here would be that they want to have a central policy point/device through which all traffic would traverse and thus be inspected. They're aware of Cisco ISE/SGT technology, but seem at this point convinced that the best approach would be NOT to Layer 3 segment the new building, even at the core pair in the MDF.
My initial input on the call was to heavily advise Layer 3 at the building "core" (two Cisco Catalyst 9600 chassis in a logical pair), if not also to roll out a routed access design (L3 at the edge).
The guy that recommended this "all L2 in the new building" design comes from a security background, and I've seen this approach quite a bit, trying to hairpin all traffic back to a pair of firewalls. This doesn't make much sense to me from a design and scale standpoint. Maybe it'd work in smaller data centers, but for new campus building location?
I'm looking for input to either combat or support this customer design.
- If we implemented a routed design (within the building and back to the core across the street), what would we leverage for centralized policy. Would this be a Cisco ISE/SGT design?
- Do we agree that extending potentially 100 subnets/VLANs (thus, broadcast domains) outside of a 600-uesr building back to a different site would be a ridiculous risk and failure domain?
- Anything else?
Learn from the best
Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.
Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 4 Comments.
Try for 7 days”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.
Our community of experts have been thoroughly vetted for their expertise and industry experience.
The Distinguished Expert awards are presented to the top veteran and rookie experts to earn the most points in the top 50 topics.