Network design recommendation

collintheseira
Level 1

Hello,

I am designing a small datacenter that will host several websites. My goal is to come up with a design that provides a high availability inbound route using multiple ISPs for HA. It would be great if someone with some network design background can review my design and make the appropriate recommendation for the router.

FYI - I am working with two ISPs today and both ISPs are bringing in their own managed router. The first ISP is using a Cisco 7209 with a single GigE card and the second ISP plans to use a 7201, also with a single GigE card. I would like to connect both ISPs to mirrored switches on my network but I believe each router should have 2 GigE ports. This will allow me to cross connect the routers between the switches. Please review my design and let me know if I am on the right track.

Thanks and I appreciate any feedback on my design.

http://img.villagephotos.com/p/2007-1/1236944/datacenter.png.jpg

7 Replies

vmiller
Level 7

Check your model number, the biggest 7200 is a 7206.

From the sounds of it you will not be running BGP between you and the ISPs.

My preference would be to get firewalls closer to the ISP devices.

Which NPE will be on the 7200's? This has a material impact on the number and speed of interfaces available.

The tag on the router says it is a NPE-G1 and this may be a 7204 or 7206 VXR. Also, please clarify - are you recommending we place the mirrored firewall in front of the NLBs? So the diagram goes like --------- Internet > 2 x ISPs > Firewall (mirrored) > NLB (mirrored) > Switch (mirrored) > LAN.

FYI - I am trying to convince my ISP to install a second GigE port on their router but they claim they need to replace the router with a different model. Again, in the above design, what 72XX router will support mirrored GigE ports?

One more thing. There are currently 3 x GigE ports on the 7206 VXR router. One has a fiber connection to the ISP/Internet, the second is a GigE hand-off to our network and the third is 'unused'.

Since you have 2 different ISP connections, your redundancy is pretty much resolved there.

As far as lighting off the third Gig on the 7200, since it's the provider's call on how they provision things, having a second interface on top of having 2 routers and 2 providers provides a marginal gain at best.

As far as where firewalls go, my preference is to have them as close to the edge as reasonable.

It's a suggestion, not a mandate. The farther into your network you place security services, the more you have to harden the devices on the outside of the firewalls.

Thanks again and the firewall recommendation makes sense.

With regards to the ISPs, if you look at the original design below, the blue connections establish a physical redundant link between each ISP and the switches. If we remove the 'blue' connections from each ISP, then we will only have 1 connection from each ISP to a single switch (see Modified design link). The second design introduces a single point of failure.

For clarification, we initially planned to set up the ISPs as primary and secondary providers, not load balancing. The ISPs will advertise their BGP priority and they also agreed to have the routers establish HSRP with each other. What other option can we implement if we want to implement a fully redundant physical and logical path between our office and the Internet? Keep in mind we want to remove all single points of failure in our design.

Original design:

http://img.villagephotos.com/p/2007-1/1236944/datacenter.png.jpg

Modified design:

http://villagephotos.com/members/image.aspx?i=26782718

Thanks again.

Your diagram is a little hard to see online. (Not your problem).

If the ISPs are unwilling to provision the extra physical link, then you are stuck with that as a design constraint. The fact that they are willing to do HSRP does give you a measure of redundancy.

Thanks again and I appreciate your help.