01-09-2013 03:52 AM - edited 03-03-2019 06:54 AM
Dears,
I am designing the Datacenter Network using the equipment below:
1: Nexus 7K
2: Firewall (ASA or SRX 3600)
3: Nexus 5K
4: All device uplinks are 10G
I have the following 4 design options (diagram is attached/below):
REQUIREMENTS:
I guess Design Option 2 is the best practice, but I am still looking to get the pros and cons of each design.
Please share your ideas.
BR,
Abdul Majid Khan
Network & Security Lead Consultant
01-09-2013 04:37 AM
I'd definitely NOT recommend option 1 and 3, they would cause data plane traffic going on vPC peer links or the L3 domain, which is not recommended (page 8, vPC Data-Plane Loop Avoidance).
Option 2 is the optimal for speed, flexibility and reliability; traffic flow is also optimal compared to option 4.
Option 4 is a bit easier to implement and operate.
01-09-2013 04:50 AM
Hi Dosztal,
Please remember, as mentioned;
1: I will create multiple SVIs on the Firewall (meaning one of the uplinks to the Nexus will be dot1q sub-interfaces).
So choosing Design Option 2 means:
1: one 10G uplink to the N7k is used for one (outside) VLAN/zone, carrying traffic from all internal zones to the outside zone
2: one 10G uplink to the N5k is used for 16 (inside, servers, database, testing, etc.) VLANs/zones, carrying the traffic between all 16 internal zones.
Will this be a good design?
Challenges with Design Option 4:
1: Single uplink bandwidth will be divided across all VLANs (16 internal + 1 outside)
2: There will be no layer 2 traffic separation between internal and outside VLANs; will it be a design concern?
3: I have to double check the IPS behaviour in such a case, when the same interface is used for internal and outside zones.
01-09-2013 05:05 AM
It is a good design. Having multiple SVIs on the FW means configuring the interfaces between the FW and the 5K to VLAN trunks, while access interfaces can be configured on the 7Ks.
BTW your vPC design has some errors, I've highlighted the ports that should be set to the same vPC:
01-09-2013 05:20 AM
Sorry, I have modified the reply, please check the challenges.
01-09-2013 05:28 AM
As far as I know the IPS is able to decode the dot1q from Ethernet frames to analyze data encapsulated in different VLANs. However, I'd recommend Option 2 instead of 4. As I wrote, the only advantage of Option 4 is the simpler design.
02-17-2014 11:41 PM
Hi,
Can you provide a config sample for Design 2? I am also looking for the same design to be implemented in my network. The only change: instead of the N7k, I am putting an L2 switch where the IPS link will be terminated, and the FWs are connected to the L2 switch. Is it a good design? Please suggest.
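A constructed configuration sketch of Design Option 2 as described earlier in the thread (ASA dot1q sub-interfaces on the trunk towards the N5K for the internal zones, a routed link towards the N7K for the single outside zone). This is an added example, not the thread author's or Cisco's published config; interface names, VLAN IDs, addresses and the sample inter-zone ACL are assumptions, and only two of the 16 internal zones are shown.

```cisco
! ASA (constructed example; interface names, VLAN IDs and addresses are assumptions)
! 10G link towards the N5K: no nameif on the physical port, one sub-interface per internal zone
interface TenGigabitEthernet0/8
 no nameif
 no security-level
 no ip address
!
interface TenGigabitEthernet0/8.10
 vlan 10
 nameif servers
 security-level 80
 ip address 10.10.0.1 255.255.255.0
!
interface TenGigabitEthernet0/8.11
 vlan 11
 nameif database
 security-level 90
 ip address 10.11.0.1 255.255.255.0
! ... repeat for the remaining internal zones (16 sub-interfaces in total in the design)
!
! Second 10G link towards the N7K: routed interface for the single outside zone
interface TenGigabitEthernet0/9
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.248
!
! Lower-to-higher security-level traffic is denied unless an ACL permits it, so every
! inter-zone flow is policed here. Do not create SVIs for VLANs 10-25 on the N5K, or
! traffic could be routed between zones without crossing the firewall.
access-list servers_in extended permit tcp 10.10.0.0 255.255.255.0 10.11.0.0 255.255.255.0 eq 1433
access-group servers_in in interface servers

! N5K (NX-OS): trunk only the internal zone VLANs to the ASA
interface Ethernet1/1
  description ASA inside trunk
  switchport mode trunk
  switchport trunk allowed vlan 10-25
  spanning-tree port type edge trunk

! N7K (NX-OS): access port carrying only the outside VLAN to the ASA
interface Ethernet1/1
  description ASA outside link
  switchport mode access
  switchport access vlan 100
```

Pruning the N5K trunk to exactly the zone VLANs, and keeping the outside VLAN off that trunk entirely, is what preserves the layer 2 separation between internal and outside traffic that Option 4 gives up.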