Data center design help

Dear All

I am designing a network and need your expert opinions for better design.


There are several sites which are connected through an MPLS cloud. Clients from site offices come to the Data center to get services which are hosted in the DMZ.

Clients from the internet also come to the DMZ to get some services. Some services which internet and intranet users are using are common, so I am planning to design only one DMZ.

1- Firewall and Core switches could be operated in cluster so both of them could be configured as a single unit for HA.

2- My major problem is that for the edge router I have 3945E. I wonder if I could terminate two links from the service provider on one 3945E and configure the other 3945E as the backup of the active router.

3- Is it good to design a single DMZ, or should I make multiple DMZs?

Please advise me how to improve this design.

2 Replies

Mohamed Sobair
Level 7


Terminate the Two Links from the Service Provider into two different Routers; between these routers run HSRP or GLBP with the tracking option to be the default gateway for your firewalls. Between these routers also run IBGP or a Static route as a Backup in case their main link to the service provider fails. This should give you Hardware redundancy as well as Network redundancy.

Since you have both firewalls as Active/Standby, you Can't have Two DMZ Zones; the Server Farm Access Switch should have 2 redundant uplinks to the Core Switches and the DMZ Servers should terminate on these Access Switches.



Marwan ALshawi
VIP Alumni

hi Syed,

just to add to mohamed's post

1- using clustering on both core and firewalls is a perfect and recommended design, however you need to make sure that you align the active and standby devices on both ends between the clustered firewalls and the clustered core switches; if you are using Nexus as the core switches with vPC please read around connecting L3 devices to a vPC domain

2- as advised by mohamed above it is better to have a different ISP link to each router. You can run BGP with the ISP and ask the ISP to send you only a default route for Internet. Configure the Internet routers, place the Internet routers' LAN interfaces and the firewalls' outside interfaces in a shared L2 vlan using the same subnet, and run HSRP between the routers with a VIP to be used as the default gateway by the firewall cluster. Use object tracking on the routers to watch the default route received from the ISP and associate it with the HSRP track; if the active router stops receiving the default route from the ISP via BGP for whatever reason, HSRP will fail over to the secondary HSRP peer, and this will be transparent to the firewall and LAN/DC side. However you need to consider how the internal networks with public IPs are going to be advertised over two different links using different ISPs, which is something you can discuss with your ISPs as well

3- about the DMZ, it is better if you can have different DMZs for internal and external users; you may have different interfaces in the firewalls or you may use different virtual firewall instances as well

however if the services are the same you may be limited to one DMZ, but you need good firewall rules to control the traffic in and out

hope this helps

if helpful rate
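The edge-router redundancy described in both replies (two ISP links on two routers, HSRP with object tracking of the BGP default route, iBGP between the routers as the backup path) and the separate internal/external DMZ interfaces from point 3 can be sketched as device configuration. The following is an added example written for this thread, not configuration posted by either replier or taken from a Cisco document. Router commands are IOS syntax (as on a 3945E) and the firewall section is ASA syntax; all addresses, AS numbers, interface names, object and ACL names are constructed placeholders. HSRP priorities are chosen so that R1's priority (110) drops below R2's (100) when R1 loses its ISP default route; the inbound prefix-list enforces on the customer side the "default route only" request made to the ISP.

```cisco
! ---- Internet router R1 (HSRP active, link to ISP-A) ----
hostname R1
!
! Track object 10 is UP only while a 0.0.0.0/0 route exists in the RIB
! (i.e. while the default route learned from ISP-A via BGP is present).
track 10 ip route 0.0.0.0 0.0.0.0 reachability
!
interface GigabitEthernet0/0
 description Link to ISP-A (constructed addressing)
 ip address 192.0.2.2 255.255.255.252
!
interface GigabitEthernet0/1
 description Shared L2 VLAN with R2 and the firewall outside interfaces
 ip address 203.0.113.2 255.255.255.248
 standby 1 ip 203.0.113.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 10 decrement 20
!
! Accept only a default route from the ISP; advertise only our public block.
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
ip prefix-list OUR-PUBLIC seq 5 permit 198.51.100.0/24
!
! The public block lives behind the firewall (NAT), so point it at the
! firewall's outside address; this also lets the BGP network statement fire.
ip route 198.51.100.0 255.255.255.0 203.0.113.4
!
router bgp 65001
 bgp log-neighbor-changes
 network 198.51.100.0 mask 255.255.255.0
 neighbor 192.0.2.1 remote-as 64500
 neighbor 192.0.2.1 description eBGP to ISP-A
 neighbor 192.0.2.1 prefix-list DEFAULT-ONLY in
 neighbor 192.0.2.1 prefix-list OUR-PUBLIC out
 neighbor 203.0.113.3 remote-as 65001
 neighbor 203.0.113.3 description iBGP to R2 (backup path if ISP-A fails)
 neighbor 203.0.113.3 next-hop-self
!
! ---- Internet router R2 (HSRP standby, link to ISP-B) ----
! Same structure as R1; only the differing lines are shown.
hostname R2
track 10 ip route 0.0.0.0 0.0.0.0 reachability
interface GigabitEthernet0/0
 description Link to ISP-B (constructed addressing)
 ip address 192.0.2.6 255.255.255.252
interface GigabitEthernet0/1
 ip address 203.0.113.3 255.255.255.248
 standby 1 ip 203.0.113.1
 standby 1 priority 100
 standby 1 preempt
 standby 1 track 10 decrement 20
router bgp 65001
 network 198.51.100.0 mask 255.255.255.0
 neighbor 192.0.2.5 remote-as 64501
 neighbor 192.0.2.5 prefix-list DEFAULT-ONLY in
 neighbor 192.0.2.5 prefix-list OUR-PUBLIC out
 neighbor 203.0.113.2 remote-as 65001
 neighbor 203.0.113.2 next-hop-self
!
! ---- Firewall cluster (ASA syntax): outside on the shared VLAN, two DMZs ----
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.4 255.255.255.248 standby 203.0.113.5
!
interface GigabitEthernet0/1
 nameif dmz-external
 security-level 50
 ip address 10.10.50.1 255.255.255.0 standby 10.10.50.2
!
interface GigabitEthernet0/2
 nameif dmz-internal
 security-level 60
 ip address 10.10.60.1 255.255.255.0 standby 10.10.60.2
!
! Default route points at the HSRP VIP, so router failover is invisible here.
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! One internet-facing service published from the external DMZ.
object network WEB-EXT
 host 10.10.50.10
 nat (dmz-external,outside) static 198.51.100.10
!
! Inbound from the internet: only HTTPS to the published server, log the rest.
access-list OUTSIDE-IN extended permit tcp any object WEB-EXT eq 443
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! Keep the internet-facing DMZ from reaching the internal-user DMZ.
access-list DMZ-EXT-OUT extended deny ip 10.10.50.0 255.255.255.0 10.10.60.0 255.255.255.0 log
access-list DMZ-EXT-OUT extended permit ip 10.10.50.0 255.255.255.0 any
access-group DMZ-EXT-OUT in interface dmz-external
```

On R1, `show track 10` and `show standby brief` confirm that withdrawing the ISP-A default route drops the track state and moves the HSRP active role to R2; traffic from the firewall still leaves via the VIP 203.0.113.1 and, if R2's own ISP link is also up, R2 forwards it directly, otherwise the iBGP session gives R2 the other router's path. The ASA section only illustrates the "different interfaces in the firewall" option from point 3; a multiple-context (virtual firewall) split would move each DMZ into its own context instead.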
