05-25-2011 06:29 PM - edited 03-07-2019 12:41 AM
Dear All,
I would like to get some feedback from you around a design that I am intending to implement to serve as hosting services for at least 50 customers.
Our clients will be of at least two types: the first one, which is going to accept whatever IPs we are going to host in our DC, and the other type, which is concerning me, is going to specify the IP subnet that they need (hence there is a potential for overlapping subnets). I am sure you got what I want to say: the "VRF lite" solution.
The components that we are going to use will be one Catalyst 6500 chassis (12.2(33)SXI), one FWSM (4.1), many access switches and one ASA for the VPN connectivity, connected directly to the 6500 as a direct appliance.
The design is going to be something like this:
Twin of BGPs terminated straight away on the 6500 ------- FWSM ------Access-----Servers or BGP-----6500------ASA VPN------Access (Two path options)
Here are my questions around this design:
1 - I will need to terminate the VPN tunnel for some of the customers. Where do you think the best place is going to be (MSFC or ASA VPN)? Is there any option for the VPN to be terminated on the FWSM?
2 - What is the best way to isolate customers totally from each other while still having overlapping addresses? I guess the answer will be VRFs. However, let's say that I will do the VPN termination on the ASA; how am I going to do the separation between the customers on the ASA? I believe VRF is not supported on the ASA and they are not VRF aware either. I thought of configuring a trunk between the 6500 and the ASA and putting each interface in its own VRF on the 6500 switch side; however, do you see it as possible to have overlapping addresses with such a design? So let's say that the FWSM will not be involved if I am going to implement the second customer type (which requires the VPN termination).
If possible, I need more ideas about the options that I am going to have.
In a nutshell, what I am looking for is an overlap design that can scale very well, and it will be great if someone can guide me through the best practice: what are other hosting data centers doing, and which book do they follow?
Thanks in advance,
IE
05-31-2011 02:07 PM
Hi,
You are on the right path with VRF on the 6500. The 7000 line only supports a few VDCs at present time.
On the firewall and VPN side, I would do it with firewall contexts and I would not use a FWSM. The ASA appliances are a better choice. For the VPN, the ASA price/feature is on target. Using a standalone firewall will improve your flexibility and allow you to switch vendor if the need arises.
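To make the "VRF per customer on the 6500, trunk to the ASA, firewall context per customer" design from the question and this answer concrete, here is an added configuration sketch that is not from the original thread. The VRF names, VLAN numbers, route distinguishers and addresses are invented; it assumes the 6500 trunks one VLAN per customer to an ASA running in multiple-context mode, and shows two customers deliberately using the same 10.1.1.0/24 server subnet.

```cisco
! --- Catalyst 6500 (MSFC): one VRF per customer, overlapping 10.1.1.0/24 ---
ip vrf CUST-A
 rd 65000:1
ip vrf CUST-B
 rd 65000:2
!
! Server-facing SVIs: both customers use 10.1.1.0/24, kept apart by the VRF
interface Vlan101
 description CUST-A servers
 ip vrf forwarding CUST-A
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan102
 description CUST-B servers (same subnet as CUST-A, different VRF)
 ip vrf forwarding CUST-B
 ip address 10.1.1.1 255.255.255.0
!
! Trunk toward the ASA: one VLAN and one SVI in the matching VRF per customer
interface GigabitEthernet1/1
 description Trunk to ASA
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 201,202
 switchport mode trunk
!
interface Vlan201
 description CUST-A hand-off to its ASA context
 ip vrf forwarding CUST-A
 ip address 192.0.2.1 255.255.255.252
!
interface Vlan202
 description CUST-B hand-off to its ASA context
 ip vrf forwarding CUST-B
 ip address 192.0.2.5 255.255.255.252
!
! Per-VRF default routes: each VRF can only exit through its own ASA context
ip route vrf CUST-A 0.0.0.0 0.0.0.0 192.0.2.2
ip route vrf CUST-B 0.0.0.0 0.0.0.0 192.0.2.6
! --- ASA (system context): multiple mode, one context per customer VLAN ---
mode multiple
interface GigabitEthernet0/0.201
 vlan 201
interface GigabitEthernet0/0.202
 vlan 202
context CUST-A
 allocate-interface GigabitEthernet0/0.201
 config-url disk0:/CUST-A.cfg
context CUST-B
 allocate-interface GigabitEthernet0/0.202
 config-url disk0:/CUST-B.cfg
```

Check the release notes for the ASA version in use before relying on this for the VPN-terminating customers: multiple-context mode in the 8.x releases did not support VPN termination, so those tunnels need a single-context ASA (or a separate unit) rather than a context.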