Campus/Data Center Design Performance Question

Hello,

I have attached a diagram for the design that we're in the process of migrating to. My Security Admin wants to add a pair of ASAs running in HA to filter traffic between the campus and data center. He's looking at the 5585, which will require the links connecting to the ASAs to be 10G links. My question is: will there be a performance impact by adding 2 additional firewalls between the campus network and data center network? Would we get better performance if we just used ACLs at the campus core to filter traffic? I know the Cisco rule is to not have ACLs at the core or anything that will slow down the backbone. However, there's no distribution layer, but perhaps ACLs can be applied down to the access layer. Any thoughts on this?


Regards,

Terence


Jon Marshall
Hall of Fame

Terence

Is the campus the one with the 6500s?

If so, I'm not sure what you mean by there being no distribution layer, i.e. your 6500s are your distribution layer, whatever you call them.

In terms of whether there will be a performance impact, then yes, because firewalls have to inspect the packet headers in terms of IPs and port numbers, and for some protocols they may have to look further into the packet itself.

But that doesn't mean the performance impact will degrade the network, merely that it will add some latency to the packets between the campus and the DC.

If it was me I would be asking the security admin why he wants to do this. Not saying he is wrong, but what is he trying to protect? I.e. I have used firewalls in DCs, but not everything in the DC necessarily needs firewalling, so I have never firewalled the entire DC from the rest of the corporate network.

Some things like database servers definitely require firewalling, as these servers are usually very important to the company, but that doesn't mean every server is the same. So I would expect the security admin to want to firewall at least some things in the DC from the corporate users, but whether that means firewalling everything is up for debate.

Bear in mind also what applications are running in the DC, i.e. if you place the firewalls between the campus and DC you may end up having to open so many ports that the firewall in effect becomes almost like a router.

There may be a very good reason why he wants to do this but I have also come across security people who simply want to firewall everything believing it automatically makes everything more secure and this is not always the case.

Perhaps you could clarify exactly what his reasoning is behind this?

Again, not saying it is wrong but a lot depends on exactly what you need to protect.

Jon
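To make the "ACLs at the core" alternative raised in the question concrete, here is an added example (it is not from the thread or from either poster) of filtering campus-to-DC traffic on the 6500 that is acting as the distribution layer, restricting the database server Jon mentions while leaving the rest of the DC open. All addresses, VLAN numbers and the port list are assumptions for illustration:

```cisco
! Added example, not from the original thread. Assumed addressing:
!   10.10.0.0/16   campus user subnets (Vlan10)
!   10.20.10.0/24  DC server VLAN (Vlan20)
!   10.20.10.50    database server, SQL Server on TCP 1433
!
! Filter toward the DC server VLAN only; other traffic from the campus
! (to other DC subnets, to the Internet) is left alone, matching the point
! that not everything in the DC needs to be filtered.
ip access-list extended CAMPUS-TO-DC
 remark --- what campus users may reach in the server VLAN ---
 permit tcp 10.10.0.0 0.0.255.255 host 10.20.10.50 eq 1433
 permit tcp 10.10.0.0 0.0.255.255 10.20.10.0 0.0.0.255 eq 443
 remark --- drop and log everything else aimed at the server VLAN ---
 deny   ip any 10.20.10.0 0.0.0.255 log
 permit ip any any
!
! Apply inbound on the campus-facing SVI, i.e. as close to the source as the
! design allows. On a 6500 the permit/deny entries are evaluated in hardware
! (TCAM); entries carrying "log" are punted to software, so keep logging to
! the deny line only and watch CPU if a lot of traffic hits it.
interface Vlan10
 description Campus users
 ip access-group CAMPUS-TO-DC in
!
! An ACL is stateless. If the DC-facing SVI is filtered as well, reply packets
! from the servers must be permitted explicitly; "established" matches TCP
! segments with ACK or RST set. An ASA would track this state itself, which
! is the main functional difference between the two options in the question.
ip access-list extended DC-TO-CAMPUS
 permit tcp 10.20.10.0 0.0.0.255 10.10.0.0 0.0.255.255 established
 deny   ip 10.20.10.0 0.0.0.255 10.10.0.0 0.0.255.255 log
 permit ip any any
!
interface Vlan20
 description DC servers
 ip access-group DC-TO-CAMPUS in
```

Two things to check before relying on this in place of a firewall: the `established` keyword only covers TCP, so any UDP-based application the servers initiate toward the campus needs its own permit line, and `show tcam interface Vlan10 acl in ip` (6500 syntax) will confirm the entries were programmed in hardware rather than falling back to the CPU.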

Jon,


Thank you for your insight. My fear is that adding a firewall between both sides of the network will create an administrative nightmare because of the granularity of how traffic may get filtered if implemented. I'll speak to my security guy and see what specifics he has in wanting a firewall between the two, and we'll decide if it'll be beneficial for the network as well as the company. Thanks again!

Regards,

Terence
