Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
20614
Views
10
Helpful
6
Replies

Data Center Network Design options using Nexus and Firewall

Go to solution
ABDUL MAJID KHAN
Level 1
Level 1

‎01-09-2013 03:52 AM - edited ‎03-03-2019 06:54 AM

Dears,

I am designing the Datacenter Network using below equipment;

1: Nexus 7K

2: Firewall (ASA or SRX 3600)

3: Nexus 5K

4: All devices uplinks are 10G

I have following 4 design options (Diagram is attached/below);

  1. Inline Firewall with 2 uplinks
  2. Inline Firewall with Mesh uplinks
  3. Firewall on Stick with one uplink
  4. Firewall on Stick with Mesh uplinks

REQUIREMENTS:

  1. I will be running inline IPS (Juniper SRX or ASA-X Series)
  2. All the SVI/Vlans/gateways (around 12) will be configured on Firewall for any servers connecting to N5K. (like FWSM)
  3. I will create diffrent zones on the Firewall
  4. Firewall will be Active/Standby
  5. Please share reference links with suggestion
  6. Design Decision factors = speed, simplicity, flexibility, security, reliability
  7. First i need to decide whether to go with Firewall on Stick or Inline. Then i will decide whether mesh uplinks or single uplinks.

I guess will Design option 2 is the best practice but i am still looking to get the Pros and Cons of each design.

Please share your ideas;

BR,

Abdul Majid Khan

Network & Security Lead Consultant

Labels:
Preview file
145 KB
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Andras Dosztal
Level 3
Level 3

‎01-09-2013 04:37 AM

I'd definitely NOT recommend option 1 and 3, they would cause data plane traffic going on vPC peer links or the L3 domain, which is not recommended (page 8, vPC Data-Plane Loop Avoidance).

Option 2 is the optimal for speed, flexibility and reliability; traffic flow is also optimal compared to option 4.

Option 4 is a bit easier to implement and operate.

View solution in original post

Go to solution
Andras Dosztal
Level 3
Level 3
In response to ABDUL MAJID KHAN

‎01-09-2013 05:05 AM

It is a good design. Having multiple SVIs on the FW means configuring the interfaces between the FW and the 5K to VLAN trunks, while access interfaces can be configured on the 7Ks.

BTW your vPC design has some errors, I've highlighted the ports that should be set to the same vPC:

View solution in original post

6 Replies 6

Go to solution
Andras Dosztal
Level 3
Level 3

‎01-09-2013 04:37 AM

I'd definitely NOT recommend option 1 and 3, they would cause data plane traffic going on vPC peer links or the L3 domain, which is not recommended (page 8, vPC Data-Plane Loop Avoidance).

Option 2 is the optimal for speed, flexibility and reliability; traffic flow is also optimal compared to option 4.

Option 4 is a bit easier to implement and operate.

Go to solution
ABDUL MAJID KHAN
Level 1
Level 1
In response to Andras Dosztal

‎01-09-2013 04:50 AM

Hi Dosztal,

Please remember, as mentioned;

1: I will create multiple SVIs on the Firewall (means one of the uplink to the Nexus will be dot1q sub interfaces).

So chossing Design Option2 means;

1: one 10G Uplinks to N7k is used for one (outside) vlan/zone, carring traffic from all internal zones to outside zone

2: one 10G Uplinks to the N5k is used for 16 (inside,servers, database, testing, etc) vlans/zones, carring the traffic between all 16 Internal Zones.

Will this be a good design?

Challenges with Design Option4;

1: Single uplink bandwidth will be devided accross all vlans (16 Internal + 1 outside)

2: There will be no layer 2 traffic separation between Internal and outside vlans, will it be a design concern.

3: I have to double check the IPS behaviour in such case when the same interface is used for Internal and Outside Zones.

0 Helpful

Go to solution
Andras Dosztal
Level 3
Level 3
In response to ABDUL MAJID KHAN

‎01-09-2013 05:05 AM

It is a good design. Having multiple SVIs on the FW means configuring the interfaces between the FW and the 5K to VLAN trunks, while access interfaces can be configured on the 7Ks.

BTW your vPC design has some errors, I've highlighted the ports that should be set to the same vPC:

Go to solution
ABDUL MAJID KHAN
Level 1
Level 1
In response to Andras Dosztal

‎01-09-2013 05:20 AM

Sorry, i have modified the reply, please check the chanllenges;

0 Helpful

Go to solution
Andras Dosztal
Level 3
Level 3
In response to ABDUL MAJID KHAN

‎01-09-2013 05:28 AM

As far as I know the IPS is able to decode the dot1q from ethernet frames to analize data information encapsulated in differents VLANs. However, I'd recommend Option 2 instead of 4. As I wrote, the only advantage of Option 4 is the simpler design.

0 Helpful

Go to solution
Goutam Biswas
Level 1
Level 1
In response to Andras Dosztal

‎02-17-2014 11:41 PM

Hi,

Can you provide config sample for Design 2, I am also looking for the same design to be implemented in my Network.  The only changes instead of N7k, I am putting L2 SW where IPS link will be terminated and FWs are connected to L2 Sw. is it the good design pls. suggest.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents