
Data Center Network Design options using Nexus and Firewall

Dears,

I am designing the data center network using the equipment below:

1: Nexus 7K

2: Firewall (ASA or SRX 3600)

3: Nexus 5K

4: All device uplinks are 10G

I have the following 4 design options (diagram is attached below):

  1. Inline Firewall with 2 uplinks
  2. Inline Firewall with Mesh uplinks
  3. Firewall on Stick with one uplink
  4. Firewall on Stick with Mesh uplinks

REQUIREMENTS:

  1. I will be running inline IPS (Juniper SRX or ASA-X Series)
  2. All the SVI/Vlans/gateways (around 12) will be configured on Firewall for any servers connecting to N5K. (like FWSM)
  3. I will create different zones on the Firewall
  4. Firewall will be Active/Standby
  5. Please share reference links with suggestion
  6. Design Decision factors = speed, simplicity, flexibility, security, reliability
  7. First I need to decide whether to go with Firewall on Stick or Inline. Then I will decide whether mesh uplinks or single uplinks.

I guess Design option 2 is the best practice, but I am still looking to get the pros and cons of each design.

Please share your ideas.

BR,

Abdul Majid Khan

Network & Security Lead Consultant

6 REPLIES
Participant

Data Center Network Design options using Nexus and Firewall

I'd definitely NOT recommend options 1 and 3; they would cause data plane traffic to go over the vPC peer links or the L3 domain, which is not recommended (page 8, vPC Data-Plane Loop Avoidance).

Option 2 is the optimal for speed, flexibility and reliability; traffic flow is also optimal compared to option 4.

Option 4 is a bit easier to implement and operate.

Re: Data Center Network Design options using Nexus and Firewall

Hi Dosztal,

Please remember, as mentioned:

1: I will create multiple SVIs on the Firewall (meaning one of the uplinks to the Nexus will be dot1q sub-interfaces).

So choosing Design Option 2 means:

1: one 10G uplink to the N7K is used for one (outside) VLAN/zone, carrying traffic from all internal zones to the outside zone

2: one 10G uplink to the N5K is used for 16 (inside, servers, database, testing, etc.) VLANs/zones, carrying the traffic between all 16 internal zones.

Will this be a good design?

Challenges with Design Option 4:

1: Single uplink bandwidth will be divided across all VLANs (16 internal + 1 outside)

2: There will be no layer 2 traffic separation between internal and outside VLANs; will it be a design concern?

3: I have to double check the IPS behaviour in such a case, when the same interface is used for internal and outside zones.

Participant

Data Center Network Design options using Nexus and Firewall

It is a good design. Having multiple SVIs on the FW means configuring the interfaces between the FW and the 5K as VLAN trunks, while access interfaces can be configured on the 7Ks.

BTW your vPC design has some errors, I've highlighted the ports that should be set to the same vPC:

Re: Data Center Network Design options using Nexus and Firewall

Sorry, I have modified the reply; please check the challenges.

Participant

Re: Data Center Network Design options using Nexus and Firewall

As far as I know, the IPS is able to decode the dot1q header from Ethernet frames to analyze the data encapsulated in different VLANs. However, I'd recommend Option 2 instead of 4. As I wrote, the only advantage of Option 4 is the simpler design.

Beginner

Data Center Network Design options using Nexus and Firewall

Hi,

Can you provide a config sample for Design 2? I am also looking to implement the same design in my network. The only change is that instead of the N7K, I am putting in an L2 switch where the IPS link will be terminated, and the FWs are connected to the L2 switch. Is it a good design? Please suggest.
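A constructed configuration sketch of Design Option 2 (inline firewall, mesh uplinks), added here as an example and not taken from any post in this thread; all interface names, VLAN numbers, addresses, failover link and vPC numbers are assumed values. It ties together the points raised above: the ASA-facing member ports on both N7Ks share one vPC number, the inside link toward the N5Ks is a dot1q trunk with one sub-interface (SVI) per zone, and the firewall pair runs Active/Standby failover.

```text
! --- N7K-1 (N7K-2 carries an identical block; the member port toward
!     the same ASA must use the same 'vpc 11' number on both peers) ---
feature vpc
feature lacp
vpc domain 10
  peer-keepalive destination 192.0.2.2 source 192.0.2.1
interface port-channel1
  switchport mode trunk
  vpc peer-link
interface port-channel11
  description vPC to ASA-primary, outside VLAN 100
  switchport mode access
  switchport access vlan 100
  vpc 11
interface Ethernet1/1
  channel-group 11 mode active
! --- ASA primary (Active/Standby pair; assumed interface names) ---
! outside: one LACP EtherChannel spanning both N7Ks (mesh uplinks)
interface TenGigabitEthernet0/0
  channel-group 1 mode active
interface TenGigabitEthernet0/1
  channel-group 1 mode active
interface Port-channel1
  nameif outside
  security-level 0
  ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
! inside: one trunk EtherChannel spanning both N5Ks, one dot1q
! sub-interface per server VLAN so each zone gets its own SVI on the FW
interface TenGigabitEthernet0/2
  channel-group 2 mode active
interface TenGigabitEthernet0/3
  channel-group 2 mode active
interface Port-channel2.10
  vlan 10
  nameif servers
  security-level 100
  ip address 10.0.10.1 255.255.255.0 standby 10.0.10.2
interface Port-channel2.20
  vlan 20
  nameif database
  security-level 90
  ip address 10.0.20.1 255.255.255.0 standby 10.0.20.2
! Active/Standby failover over a dedicated link
failover
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/7
failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
```

The N5K pair needs the matching vPC trunk toward Port-channel2 allowing only the zone VLANs (10 and 20 here), so no inside VLAN can bypass the firewall; inter-zone policy is then written between the named interfaces.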
