Make the gateway the firewall or the distribution/core layer?

09-19-2014 06:21 AM - edited 03-07-2019 08:48 PM
Hi everyone,
I'm involved in a team designing a new data center. Our problem is that one of my colleagues and I think the servers' gateways must be the distribution layer, but our consultants, who hold the CCIE R&S, think the gateways must be the firewall of the data center block.
So which opinion is right?
Thanks
09-19-2014 06:30 AM
Hi,
It could be either one, but usually if you have a lot of traffic in your data center and you want faster switching, it should be on the distro layer. Usually switches have much more backplane speed and much more throughput than firewalls. The other thing is that if the gateway is on the distro switches and you lose your firewall, your local VLANs can still communicate.
HTH
09-19-2014 06:44 AM
Thanks Reza for the reply.
I knew that, but our consultant's opinion is that no inter-VLAN routing should exist in the data center because of security issues; gateways must be firewalls to implement zoning.
But I searched in Cisco documents, and in some places it said that switches are the gateways and firewalls must act as a bridge; elsewhere it said the gateway for secure VLANs must be the firewall.
But in my opinion it's good to use both: application gateways must be firewalls, but L3 or L2 services like iSCSI, vMotion, etc. should be on L3 switches.
But which one is the best implementation?

09-20-2014 01:18 AM
I am not a CCIE and not a consultant, but I can explain such an easy question.
It depends.
If data from servers must go mostly to other servers in other VLANs, then the gateway should be the core switch.
For example, you shut down the firewall, but data still goes from server to server.
In the other case, if all data traffic goes from the internet to the servers and back, then of course you must configure the firewall as the gateway.
09-20-2014 12:01 PM
In a banking data center, server-to-server traffic should be checked because of vulnerabilities, so the firewall being the gateway can be reasonable.
Because of this, I think it's better to combine the two methods, switching and firewalling.
Thanks
09-20-2014 12:14 PM
Are these internal servers that need to communicate with each other? If yes, there is no need to firewall the subnet; if no, then firewalling them is a good idea. Usually if you have PCI, DMZ, or multiple-customers-on-the-same-device requirements, you firewall subnets. If you go with the firewall, make sure it can handle the traffic load; if not, it will probably become a bottleneck.
HTH
09-20-2014 10:05 PM
Yes. If it is a banking data center, then all sensitive traffic goes through the firewall.
I work in a bank and I know the PCI DSS requirements.
Server-to-server traffic should go from VLAN to VLAN through the firewall with a complicated ACL and an IPS too.
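The hybrid design several posters settle on (infrastructure VLANs such as iSCSI and vMotion routed on the L3 distribution switch for throughput, application VLANs kept Layer 2 on the switch and gatewayed on the firewall so zoning rules apply between tiers) as an added illustrative configuration. This is not from the original thread or from Cisco; the VLAN numbers, addresses, interface names and zone names are made up.

```cisco
! --- Distribution switch (Catalyst IOS): gateway only for infrastructure VLANs ---
ip routing
!
vlan 10
 name ISCSI
vlan 20
 name VMOTION
vlan 100
 name APP-WEB
vlan 200
 name APP-DB
!
interface Vlan10
 description iSCSI storage - routed on the switch for throughput
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan20
 description vMotion - routed on the switch
 ip address 10.10.20.1 255.255.255.0
!
! No SVI for VLANs 100/200: they stay Layer 2 on the switch and
! reach their gateway on the firewall across this trunk.
interface GigabitEthernet1/0/48
 description Trunk to firewall
 switchport mode trunk
 switchport trunk allowed vlan 100,200

! --- ASA firewall: gateway for the application VLANs, zoning between tiers ---
interface GigabitEthernet0/1.100
 vlan 100
 nameif app-web
 security-level 50
 ip address 10.100.0.1 255.255.255.0
!
interface GigabitEthernet0/1.200
 vlan 200
 nameif app-db
 security-level 60
 ip address 10.200.0.1 255.255.255.0
!
! Only the web tier may open SQL sessions to the DB tier; everything
! else between the application VLANs is dropped and logged.
access-list WEB_TO_DB extended permit tcp 10.100.0.0 255.255.255.0 10.200.0.0 255.255.255.0 eq 1433
access-list WEB_TO_DB extended deny ip any any log
access-group WEB_TO_DB in interface app-web
```

Because the application VLANs have no SVI on the switch, web-to-DB traffic cannot bypass the firewall even if someone later enables routing on the distribution layer for other VLANs.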
