
Implementing Data Center Services (Interoperability, Design and Deployment)

BRKDCT-2703
14583_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

Agenda

- Data Center Components
- Server Load Balancing (Content Switching)
- SSL Offload
- Security (Firewall)
- Integrated Data Center Services Design Options
- Real World Deployments

Data Center Components

Acronyms

- ACE: Application Control Engine
- BGP: Border Gateway Protocol
- Cat4000: Cisco Catalyst® 4000
- Cat6500: Cisco Catalyst 6500
- CE: Cisco Content Engine
- CSA: Cisco Security Agent (host-based intrusion prevention)
- CSM: Cisco Content Switching Service Module on Cat6500
- CSS: Cisco Content Services Switch (CSS11000 and CSS11500 family)
- FWSM: Cisco Firewall Service Module on Cat6500
- GSS: Global Site Selector
- HSRP: Hot Standby Routing Protocol
- IDSM: Cisco Intrusion Detection Service Module on Cat6500
- LMS: Cisco Works LAN Management Solution
- MAC: Media Access Control
- MSFC: Multilayer Switching Feature Card
- NAM: Cisco Network Analysis Service Module on Cat6500
- OSPF: Open Shortest Path First
- PBR: Policy Based Routing
- SLB: Server Load Balancing
- SSL: Secure Socket Layer
- SSLM: Cisco SSL Offload Service Module on Cat6500
- VMS: Cisco Works VPN/Security Management Solution
- VPN-SM/SPA: Cisco Virtual Private Network Service Module on Cat6500

Data Center Residents

Presentation Servers
    Web front-end servers that provide the interface to the clients, e.g., Apache, IIS, etc.

Business Logic Servers
    Also known as middleware or custom applications

DB Servers
    Oracle, Sybase, etc.

Data
    NAS, SAN, etc.

Data Center Elements

Application Solution: Linux/HP, Solaris/SunFire, WebLogic, J2EE custom app, etc.
Database Solution: Linux/HP, Solaris/SunFire, Oracle 10G RAC, etc.
Storage Solution: MDS9000


Data Center Elements

Network Infrastructure Solution: routers and switches (Cisco GSRs, Catalyst 6500, Catalyst 4500, Nexus 5000/7000)
Layers 4–7 Services Solution: ACE, CSM, SSLM, CSS, CE, GSS
Network Security Solution: PIX, FWSM, IDSM, VPNSM, CSA
Management and Instrumentation Solution: terminal servers, NAM, Cisco Works LMS/VMS, HSE
Application Solution: Linux/HP, Solaris/SunFire, WebLogic, J2EE custom app, etc.
Database Solution: Linux/HP, Solaris/SunFire, Oracle 10G RAC, etc.
Storage Solution: MDS9000

Data Center Elements: Redundancy

Network Infrastructure Solution: routers and switches (Cisco GSRs, Catalyst 6500, Catalyst 4500, Nexus 5000/7000); redundancy through HSRP, RPR, SSO, RPVST
Layers 4–7 Services Solution: ACE, CSM, SSLM, CSS, CE, GSS
Network Security Solution: PIX, FWSM, IDSM, VPNSM, CSA
Management and Instrumentation Solution: terminal servers, NAM, Cisco Works LMS/VMS, HSE
Application Solution: Linux/HP, Solaris/SunFire, WebLogic, J2EE custom app, etc.
Database Solution: Linux/HP, Solaris/SunFire, Oracle 10G RAC, etc.
Storage Solution: MDS9000

Desired: 99.999% availability; stateful redundancy on CSM and FWSM


Data Center Elements: Scalability

Network Infrastructure Solution: routers and switches (Cisco GSRs, Catalyst 6500, Catalyst 4500, Nexus 5000/7000); core, aggregation/distribution/services, access model
Layers 4–7 Services Solution: ACE, CSM, SSLM, CSS, CE, GSS; ability to scale to multiple services modules (ACE, SSLM, etc.)
Network Security Solution: PIX, FWSM, IDSM, VPNSM, CSA
Management and Instrumentation Solution: terminal servers, NAM, Cisco Works LMS/VMS, HSE
Application Solution: Linux/HP, Solaris/SunFire, WebLogic, J2EE custom app, etc.
Database Solution: Linux/HP, Solaris/SunFire, Oracle 10G RAC, etc.
Storage Solution: MDS9000

Desired: flexible and simple growth capabilities

Data Center Elements: Security

Network Infrastructure Solution: routers and switches (Cisco GSRs, Catalyst 6500, Catalyst 4500, Nexus 5000/7000)
Layers 4–7 Services Solution: ACE, CSM, SSLM, CSS, CE, GSS
Network Security Solution: PIX, FWSM, IDSM, VPNSM, CSA
Management and Instrumentation Solution: terminal servers, NAM, Cisco Works LMS/VMS, HSE
Application Solution: Linux/HP, Solaris/SunFire, WebLogic, J2EE custom app, etc.
Database Solution: Linux/HP, Solaris/SunFire, Oracle 10G RAC, etc.
Storage Solution: MDS9000

Security goals:
- Protection of information/data
- Protection against DoS attacks and worm activity
- Protection of infrastructure devices from unauthorized access

Typical Data Center Topology

[Figure: the internal network, Internet service provider A and Internet service provider B connect to the edge routers; below them sit, in order, the core switches, the aggregation switches and the access switches, and the access layer hosts the Web tier, the application tier and the database tier.]

Distributed Data Centers

[Figure: two data centers, each running App A and App B behind the same set of data center services (server load balancing and health monitoring, caches, SSL offload, firewall, and intrusion detection), are joined over the IP network; their Fibre Channel storage networks are linked with an FCIP link so that production storage in one site is backed up in the other.]

Server Load Balancing

Please visit BRKAPP-2002: Server Load Balancing Design

Server Load Balancing

- Also known as content switching; one of the single most important infrastructure services in the data center
- Key purpose: load distribution of "requests"; the requests could come from Internet, intranet, or extranet clients
- Layer 3 to 7 content switching capabilities are available with extensive keepalive (server health check) functionality
- A Layer 4 or Layer 7 proxy can be used as a security perimeter

What server load balancing provides: application redundancy, load distribution, application health checks, and communication of load to the GSLB device

Content Switching Design Decisions
- Application protocol and ports (listener ports)
- End-to-end application flows
- Direct server access
- Server management
- Server initiated sessions
- Infrastructure design


Content Switching Design Approaches
Bridged Mode: Design

[Figure: Core-1 and Core-2 above Agg-1 and Agg-2 (MSFC1/MSFC2, joined by a data PortChannel); ACE 1 and ACE 2 (standby), joined by an FT PortChannel, bridge client-side VLAN 10 to server-side VLAN 20 above the access switches. ACE client-side VLAN 10: 10.10.1.0/24; ACE server-side VLAN 20: 10.10.1.0/24.]

Key Content Switching Design Options
- Bridged mode design
- Routed mode design with MSFC on client side
- Routed mode design with MSFC on server side
- One-armed design

(1) Bridged Mode Design Considerations
- Servers' default gateway is the HSRP group IP address on the MSFC
- Broadcast/multicast/route update traffic bridges through
- No extra configuration needed for:
    Direct access to servers
    Server initiated sessions
- RHI possible
- Load balancer inline for all traffic
- Easily deployed in existing networks

Content Switching Design Approaches
Bridged Mode: Configuration

In bridged mode the client and server VLANs share one subnet (10.10.1.0/24) and the module's own gateway is the MSFC's HSRP address 10.10.1.1; on the ACE the two VLAN interfaces are tied together by bridge-group 10 and the BVI carries the module's IP, alias and peer addresses.

CSM
module ContentSwitchingModule 4
!
vlan 10 client
  ip address 10.10.1.5 255.255.255.0
  gateway 10.10.1.1
  alias 10.10.1.4 255.255.255.0
!
vlan 20 server
  ip address 10.10.1.5 255.255.255.0
!

ACE
interface vlan 10
  bridge-group 10
  access-group input anyone
  access-group output anyone
  no shutdown
!
interface vlan 20
  bridge-group 10
  access-group input anyone
  access-group output anyone
  no shutdown
!
interface bvi 10
  ip address 10.10.1.5 255.255.255.0
  alias 10.10.1.4 255.255.255.0
  peer ip address 10.10.1.6 255.255.255.0
  no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.10.1.1

MSFC
!
interface Vlan10
  ip address 10.10.1.2 255.255.255.0
  standby 10 ip 10.10.1.1
  standby 10 priority 110
  standby 10 preempt
!


Content Switching Design Approaches
Bridged Mode: BPDU Forwarding

ACE configuration to allow BPDUs. Because the module bridges VLAN 10 and VLAN 20 into one Layer 2 domain, BPDUs must be permitted on both bridged interfaces so that spanning tree can still detect a loop through the bridged pair:

!
access-list bpduallow ethertype permit bpdu
!
interface vlan 10
  bridge-group 10
  access-group input bpduallow
  no shutdown
!
interface vlan 20
  bridge-group 10
  access-group input bpduallow
  no shutdown
!

Content Switching Design Approaches
Routed Mode: Design

[Figure, left (2A): Core-1/Core-2 above Agg-1/Agg-2 with MSFC1/MSFC2 on the client side (data PortChannel); ACE 1 and ACE 2 (standby, FT PortChannel) route between client-side VLAN 10 (10.10.1.0/24) and server-side VLAN 20 (10.20.1.0/24) and VLAN 30 (10.30.1.0/24) above the access switches. Figure, right (2B): the ACE pair sits between the core and the MSFCs, with client-side VLAN 5 (10.5.1.0/24) and server-side VLAN 1 (10.10.1.0/24); the MSFCs then serve server VLAN 20 (10.20.1.0/24) and server VLAN 30 (10.30.1.0/24).]

(2A) Routed Mode Design with MSFC on Client Side
- Servers' default gateway is the alias IP on the CSM/ACE
- Extra configuration needed for:
    Direct access to servers
    Non-load balanced server initiated sessions
- CSM/ACE's default gateway is the HSRP group IP address on the MSFC
- RHI possible
- Load balancer inline for all traffic

(2B) Routed Mode Design with MSFC on Server Side
- Servers' default gateway is the HSRP group IP address on the MSFC
- Extra configuration needed for (simpler than option 2A):
    Direct access to servers
    Non-load balanced server initiated sessions
- ACE/CSM's default gateway is the core router
- RHI not possible
- Server to server communication bypasses the load balancer

Content Switching Design Approaches
Routed Mode: Design

[Figure (2C): Core-1/Core-2 above Agg-1/Agg-2 (MSFC1/MSFC2, data PortChannel); ACE 1 and ACE 2 (standby, FT PortChannel) sit between the global MSFCs and a VRF-Lite server instance on each aggregation switch, above the access switches.]

(2C) Routed Mode Design with VRF-Lite
- Servers' default gateway is the HSRP group IP address on VLANs (SVIs) within the VRF-Lite instance
- Extra configuration needed for (simpler than option 2A):
    Direct access to servers
    Non-load balanced server initiated sessions
- ACE/CSM's default gateway is the global MSFCs' HSRP IP address
- RHI is possible
- Server to server communication bypasses the load balancer

Content Switching Design Approaches
Routed Mode: Configuration

CSM
module ContentSwitchingModule 4
!
vlan 10 client
  ip address 10.10.1.5 255.255.255.0
  gateway 10.10.1.1
  alias 10.10.1.4 255.255.255.0
!
vlan 20 server
  ip address 10.20.1.2 255.255.255.0
  alias 10.20.1.1 255.255.255.0
!
vlan 30 server
  ip address 10.30.1.2 255.255.255.0
  alias 10.30.1.1 255.255.255.0
!

ACE
!
interface vlan 10
  ip address 10.10.1.5 255.255.255.0
  alias 10.10.1.4 255.255.255.0
  peer ip address 10.10.1.6 255.255.255.0
  no shutdown
!
interface vlan 20
  ip address 10.20.1.2 255.255.255.0
  alias 10.20.1.1 255.255.255.0
  peer ip address 10.20.1.3 255.255.255.0
  no shutdown
!
interface vlan 30
  ip address 10.30.1.2 255.255.255.0
  alias 10.30.1.1 255.255.255.0
  peer ip address 10.30.1.3 255.255.255.0
  no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.10.1.1

MSFC
!
interface Vlan10
  ip address 10.10.1.2 255.255.255.0
  standby 10 ip 10.10.1.1
  standby 10 priority 110
  standby 10 preempt
!


Content Switching Design Approaches
One-Armed Mode: Design

[Figure: Core-1/Core-2 above Agg-1/Agg-2 (MSFC1/MSFC2, data PortChannel); ACE 1 and ACE 2 (standby, FT PortChannel) hang off VLAN 10 only, while server VLANs 20 and 30 are served directly by the MSFCs above the access switches. LB server-side VLAN 10: 10.10.1.0/24; server VLAN 20: 10.20.1.0/24; server VLAN 30: 10.30.1.0/24.]

(3) One-Armed Design Considerations
- Servers' default gateway is the HSRP group IP address on the MSFC
- No extra configuration needed for:
    Direct access to servers
    Server initiated sessions
- RHI possible
- CSM/ACE is inline for load balanced traffic only
- Policy based routing or source NAT can be used to redirect server return traffic to the load balancer

Content Switching Design Approaches
One-Armed Mode: PBR Configuration

The route-map on the server VLAN matches only replies sourced from the load-balanced listener ports (telnet, www, 443) and sets their next hop to the ACE/CSM alias 10.10.1.4; all other server-originated traffic still follows the normal routing table.

MSFC
!
interface Vlan10
  ip address 10.10.1.2 255.255.255.0
  standby 10 ip 10.10.1.1
  standby 10 priority 110
  standby 10 preempt
!
interface Vlan20
  ip address 10.20.1.2 255.255.255.0
  ip policy route-map FromServersToSLB
  standby 20 ip 10.20.1.1
  standby 20 priority 110
  standby 20 preempt
!
access-list 121 permit tcp any eq telnet any
access-list 121 permit tcp any eq www any
access-list 121 permit tcp any eq 443 any
access-list 121 deny ip any any
!
route-map FromServersToSLB permit 10
  match ip address 121
  set ip next-hop 10.10.1.4

CSM - Asymmetric Routing
!
module ContentSwitchingModule 4
  variable ROUTE_UNKNOWN_FLOW_PKTS 2
!

ACE - Asymmetric Routing
!
interface vlan 10
  ip address 10.10.1.5 255.255.255.0
  alias 10.10.1.4 255.255.255.0
  peer ip address 10.10.1.6 255.255.255.0
  no normalization
  access-group input anyone
  access-group output anyone
  no shutdown
!


Content Switching Design Approaches
One-Armed Mode: Source-NAT Configuration

CSM
!
module ContentSwitchingModule 4
!
natpool SRC_NAT 10.10.1.110 10.10.1.110 netmask 255.255.255.0
!
serverfarm SFARM_NAT
  nat server
  nat client SRC_NAT
  real 10.20.1.11
    inservice
  real 10.20.1.12
    inservice
  probe TCP
!

ACE
!
policy-map multi-match SLB-TELNET-POLICY
  class SLB-TELNET
    loadbalance vip inservice
    loadbalance policy TELNET-POLICY-TYPE
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 10
!
interface vlan 10
  ip address 10.10.1.6 255.255.255.0
  alias 10.10.1.4 255.255.255.0
  peer ip address 10.10.1.5 255.255.255.0
  no normalization
  access-group input anyone
  access-group output anyone
  nat-pool 1 10.10.1.110 10.10.1.110 netmask 255.255.255.0 pat
  no shutdown
!

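The one-armed design is only symmetric if server return traffic is steered back to the load balancer, which the PBR and source-NAT configurations above achieve in two different ways. The following Python model, an added example that is not part of the presentation, walks a client request and its reply through the three cases (no fix, PBR matching access-list 121, source NAT from pool 10.10.1.110) and also a server-initiated session. The VIP (10.10.1.100), the client address and the outbound peer address are constructed; the alias, HSRP, real-server and NAT-pool addresses and the matched ports follow the slides.

```python
"""One-armed load balancer return path: no fix vs PBR vs source NAT.

Added example, not part of the presentation. It models the packet walk for
the one-armed design slides. Addresses taken from the slides: alias
10.10.1.4, NAT pool 10.10.1.110, real servers 10.20.1.11/12, access-list 121
ports. Constructed for the walk-through: the VIP, the client and a peer host.
"""
from dataclasses import dataclass
from typing import Dict, List

CLIENT = "192.0.2.10"        # constructed client address (documentation prefix)
VIP = "10.10.1.100"          # assumed VIP hosted by the ACE/CSM on VLAN 10
LB_ALIAS = "10.10.1.4"       # ACE/CSM alias IP on VLAN 10 (PBR next hop on the slide)
SNAT_POOL = "10.10.1.110"    # source-NAT pool address from the slide
REALS = ["10.20.1.11", "10.20.1.12"]   # real servers on VLAN 20 (from the slide)
PBR_SOURCE_PORTS = {23, 80, 443}       # ports matched by access-list 121 on the slide


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def lb_forward(pkt: Packet, snat: bool) -> Packet:
    """The load balancer picks a real server for a client->VIP packet and, when
    source NAT is configured, rewrites the source to the NAT pool. (A PAT port
    change is ignored here; it does not change the path.)"""
    real = REALS[pkt.sport % len(REALS)]     # deterministic stand-in for the predictor
    src = SNAT_POOL if snat else pkt.src
    return Packet(src, real, pkt.sport, pkt.dport)


def msfc_next_hop(pkt: Packet, pbr: bool) -> str:
    """The MSFC is the servers' default gateway on VLAN 20. Returns "lb" when the
    packet is sent to the one-armed load balancer and "client" when it is routed
    straight out. PBR mimics route-map FromServersToSLB on the slide: only replies
    sourced from the load-balanced listener ports are steered to the alias;
    everything else follows the routing table."""
    if pkt.dst.startswith("10.10.1."):
        return "lb"          # destination is on the LB's own VLAN 10 (NAT pool case)
    if pbr and pkt.sport in PBR_SOURCE_PORTS:
        return "lb"          # set ip next-hop 10.10.1.4
    return "client"


def walk_client_request(mode: str, dport: int = 80) -> Dict[str, object]:
    """Trace client -> VIP and the server's reply. mode: "none", "pbr" or "snat"."""
    pbr, snat = mode == "pbr", mode == "snat"
    request = Packet(CLIENT, VIP, 40000, dport)
    to_server = lb_forward(request, snat)
    reply = Packet(to_server.dst, to_server.src, to_server.dport, to_server.sport)
    path: List[str] = ["server", "msfc"]
    if msfc_next_hop(reply, pbr) == "lb":
        path.append("lb")
        # the LB undoes its translations, so the client sees VIP -> client again
        reply = Packet(VIP, CLIENT, reply.sport, request.sport)
    path.append("client")
    return {
        "path": path,
        "reply_src_seen_by_client": reply.src,   # must equal VIP for TCP to work
        "symmetric": "lb" in path,
        "client_ip_seen_by_server": to_server.src,
    }


def walk_server_initiated(mode: str, dport: int = 25) -> List[str]:
    """A session the server opens itself (e.g. outbound SMTP) should not be pulled
    into the load balancer; PBR's access-list keeps it direct."""
    pkt = Packet(REALS[0], "198.51.100.20", 50000, dport)   # constructed peer host
    return ["server", "msfc", msfc_next_hop(pkt, pbr=(mode == "pbr"))]


if __name__ == "__main__":
    for mode in ("none", "pbr", "snat"):
        print(mode, walk_client_request(mode), walk_server_initiated(mode))
```

Running it shows the failure the slides' asymmetric-routing settings exist for: without PBR or NAT the client receives the reply from the real server's address rather than the VIP, so its TCP stack has no matching connection. It also makes the trade-off visible: PBR leaves the real client address intact for the servers, while source NAT hides it behind the pool address but needs no MSFC configuration; with PBR, server-initiated sessions stay direct only because the access-list is limited to the listener ports.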
Content Switching Design Approaches
Virtual Context in ACE

[Figure, left (4A): Core-1/Core-2 above Agg-1/Agg-2 (MSFC1/MSFC2, data PortChannel); ACE1 and ACE2 (control PortChannel) host transparent virtual contexts VC_A (VLAN 2 bridged to VLAN 20, 10.20.1.0/24) and VC_B (VLAN 3 bridged to VLAN 30, 10.30.1.0/24) above the access switches. Figure, right (4B): the same pair hosts routed contexts, with ACE-to-MSFC VLAN 12 (10.12.1.0/24) and VLAN 13 (10.13.1.0/24) and server VLANs VC_1 VLAN 20 (10.20.1.0/24) and VC_2 VLAN 30 (10.30.1.0/24).]

(4A) Bridged Context
context VC_A
  allocate-interface vlan 2
  allocate-interface vlan 20
  member VC_A_RESRC
!
context VC_B
  allocate-interface vlan 3
  allocate-interface vlan 30
  member VC_B_RESRC

(4B) Routed Context
context VC_A
  allocate-interface vlan 12
  allocate-interface vlan 21
  allocate-interface vlan 22
  member VC_1_RESRC
!
context VC_B
  allocate-interface vlan 13
  allocate-interface vlan 31
  member VC_2_RESRC

Content Switching Design Approaches
Virtual Context in ACE: Configuration

Resource classes and contexts. VC_1 reserves 20% of every resource for its member context; VC_2 leaves most resources unlimited but guarantees 40% of concurrent connections and sticky entries:

resource-class VC_1
  limit-resource all minimum 20.00 maximum equal-to-min
resource-class VC_2
  limit-resource all minimum 0.00 maximum unlimited
  limit-resource conc-connections minimum 40.00 maximum equal-to-min
  limit-resource sticky minimum 40.00 maximum equal-to-min
!
context VC_A
  description Context for initial client request
  allocate-interface vlan 5
  allocate-interface vlan 10
  member VC_1
context VC_B
  description Context for second tier of internal VIPs
  allocate-interface vlan 15
  allocate-interface vlan 20
  allocate-interface vlan 30
  member VC_2

Fault tolerance. The two FT groups carry opposite priorities, so VC_A is active on this module and VC_B is active on the peer, splitting the load across the pair:

ft interface vlan 31
  ip address 10.31.1.1 255.255.255.0
  peer ip address 10.31.1.2 255.255.255.0
  no shutdown
ft peer 1
  heartbeat interval 300
  heartbeat count 10
  ft-interface vlan 31
ft group 11
  peer 1
  priority 110
  peer priority 105
  associate-context VC_A
  inservice
ft group 22
  peer 1
  priority 105
  peer priority 110
  associate-context VC_B
  inservice

Content Switching Designs Summary

Designs compared: (1) Bridge Mode; (2A) Routed Mode, MSFC on Client Side; (2B) Routed Mode, MSFC on Server Side; (3) One-Armed.

Default Gateway of Servers
    (1) HSRP IP on MSFC
    (2A) Alias IP on CSM
    (2B) HSRP IP on MSFC
    (3) HSRP IP on MSFC

Direct Access to Servers
    (1) No extra configuration needed
    (2A) Extra configuration needed; may bypass CSM
    (2B) Extra configuration needed
    (3) CSM is bypassed

Server Originated Connections
    (1) No extra configuration needed
    (2A) Extra configuration may be needed; may bypass CSM
    (2B) Extra configuration may be needed
    (3) CSM is bypassed

Multicast Support
    (1) Supported; bridges through
    (2A) Not supported
    (2B) Supported; server to server works
    (3) Supported, as CSM is bypassed

Layer 2 Loops
    (1) Possible if misconfigured
    (2A) Not possible
    (2B) Not possible
    (3) Not possible

SSL Offload

Please visit BRKCDT-3703: SSL Offload for DC Backend Server Farm

Network-Based SSL Offload

[Figure: Core-1/Core-2 above Agg-1/Agg-2 (MSFC1/MSFC2, data PortChannel); CSM 1 and CSM 2 (FT PortChannel) on VLAN 10, with SSLM 1 and SSLM 2 attached on VLAN 40 and server VLANs 20 and 30 above the access switches. CSM server-side VLAN 10: 10.10.1.0/24; server VLAN 20: 10.20.1.0/24; server VLAN 30: 10.30.1.0/24; SSLM VLAN 40: 10.40.1.0/24.]

Key Motivations
- Offload SSL decryption/encryption from servers
- Redundancy
- Scalability
- Unified management of SSL certificates
- Layer 7 based load balancing and sticky possible for HTTPS

SSL Offload Design
- In ACE (Application Control Engine) SSL offload is built into the module
- Simply add the SSLMs on a VLAN connected to the ACE
- SSLMs' default gateway would be the alias IP on the ACE
- Backend SSL requires no design change

SSL Services Module
Configuration Tips: Admin VLAN and Data VLAN

- One VLAN on the SSL module has to be the "Admin VLAN"
- The "Admin VLAN" can also carry data traffic
- Make sure that the Admin VLAN has a route to the CA, TFTP server, management stations, etc.
- The default gateway of the Admin VLAN is the module default gateway

[Figure: two SSL modules, one with a separate Admin VLAN and Data VLAN, the other with a single VLAN carrying both Admin and Data traffic.]

Data Center Security

Firewall Design Approaches
Layer 2

[Figure: Core-1/Core-2 above Agg-1/Agg-2 (MSFC1/MSFC2, data PortChannel); FWSM1 and FWSM2 (control PortChannel) bridge transparently between the MSFCs and the access switches. DMZ-1 VLAN 20: 10.20.1.0/24.]

Key Firewall Design Options
- Bridged mode design, also known as transparent or stealth firewall
- Routed mode design, also known as Layer 3 firewall
- Virtual firewall contexts for Layer 2 or Layer 3 mode

(1) Layer 2 (Transparent) Firewall Design Considerations
- Servers' default gateway is the HSRP group IP address on the MSFC
- Broadcast/multicast/route update traffic bridges through
- Bump on the wire; easy integration
- Currently two VLANs can be merged

Firewall Design Approaches
Layer 3

[Figure: Core-1/Core-2 above Agg-1/Agg-2 (MSFC1/MSFC2, data PortChannel); FWSM1 and FWSM2 (control PortChannel) route between the MSFCs on VLAN 10 and the DMZ VLANs above the access switches. FWSM to MSFC VLAN 10: 10.10.1.0/24; DMZ-1 VLAN 20: 10.20.1.0/24; DMZ-1 VLAN 30: 10.30.1.0/24.]

(2) Layer 3 Firewall Design Considerations
- Servers' default gateway is the IP address on the firewall
- Dynamic routing is supported

Firewall Design Approaches
Virtual Context

- It's the ability to segment a single physical firewall into multiple virtualized firewall instances
- Multiple interfaces/VLANs within Layer 3 virtual contexts are supported
- Multiple bridge pairs for Layer 2 virtual contexts are supported

On MSFC
firewall multiple-vlan-interfaces
firewall module 7 vlan-group 100
firewall vlan-group 100 21-25,50-53

On firewall
CAT1-FWSM-SYS# conf t
CAT1-FWSM-SYS(config)# firewall ?
Usage: [no | clear | show ] firewall [transparent]
FWSM(config)#
FWSM(config)# mode ?
Usage: mode single | multiple
FWSM(config)#
FWSM#

Firewall Design Approaches
Virtual Context

[Figure, left (3A): Core-1/Core-2 above Agg-1/Agg-2 (MSFC1/MSFC2, data PortChannel); the FWSM pair (control PortChannel) hosts transparent virtual contexts FWA (VLAN 20, 10.20.1.0/24) and FWB (VLAN 30, 10.30.1.0/24) above the access switches. Figure, right (3B): the FWSM pair hosts routed contexts with FWSM-to-MSFC VLAN 12 (10.12.1.0/24) and VLAN 13 (10.13.1.0/24), DMZ-1 VLAN 20 (10.20.1.0/24) and DMZ-2 VLAN 30 (10.30.1.0/24).]

(3A) Transparent Context
context FWA
  allocate-interface vlan2
  allocate-interface vlan20
  config-url disk:/FWA.cfg
!
context FWB
  allocate-interface vlan3
  allocate-interface vlan30
  config-url disk:/FWB.cfg

(3B) Routed Context
context FW1
  allocate-interface vlan12
  allocate-interface vlan20
  config-url disk:/FW1.cfg
!
context FW2
  allocate-interface vlan13
  allocate-interface vlan30
  config-url disk:/FW2.cfg

Firewall Designs Summary

Designs compared: (1) Bridge Mode, Layer 2; (2) Routed Mode, Layer 3; (3A) Virtual Context, Layer 2; (3B) Virtual Context, Layer 3.

Default Gateway of Servers
    (1) HSRP IP on MSFC
    (2) Primary IP on FW
    (3A) HSRP IP on MSFC
    (3B) Primary IP on FW

Multicast Support
    (1) Supported
    (2) Supported
    (3A) Supported
    (3B) Supported

Layer 2 Loops
    (1) Possible if misconfigured
    (2) Not possible
    (3A) Possible if misconfigured
    (3B) Not possible

VLAN Usage
    (1) Multiple VLANs allowed
    (2) Multiple VLANs allowed
    (3A) Multiple VLANs per VC; cannot share VLANs across VCs
    (3B) Multiple VLANs per VC; can share VLANs across VCs

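The context definitions on the previous slide allocate VLANs to firewall contexts, and the summary notes that transparent contexts cannot share a VLAN while routed contexts can. A consistency check for those two rules, as an added example that is not part of the presentation: it expands the MSFC's `firewall vlan-group` list (the `21-25,50-53` form shown on the virtual context slide), confirms that every VLAN a context allocates belongs to a group assigned to the module's slot, and in transparent mode flags any VLAN allocated to more than one context. The sample configuration is constructed from the (3A) contexts plus a third context, FWC, added to trigger both findings; slot 7 and vlan-group 100 follow the slide.

```python
"""Checks for FWSM/ACE virtual-context VLAN allocation (added example, not part
of the presentation). Sample inputs are constructed from the slide's contexts."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed MSFC fragment: slot 7 and group 100 as on the slide, VLAN list chosen
# to cover the FWA/FWB contexts below.
MSFC_SAMPLE = """\
firewall multiple-vlan-interfaces
firewall module 7 vlan-group 100
firewall vlan-group 100 2-3,20,30
"""

# Constructed FWSM system-context fragment: FWA and FWB as on the slide, plus a
# hypothetical FWC that reuses vlan20 and allocates vlan40 (not in the group).
FWSM_SAMPLE = """\
context FWA
  allocate-interface vlan2
  allocate-interface vlan20
  config-url disk:/FWA.cfg
!
context FWB
  allocate-interface vlan3
  allocate-interface vlan30
  config-url disk:/FWB.cfg
!
context FWC
  allocate-interface vlan20
  allocate-interface vlan40
  config-url disk:/FWC.cfg
"""


@dataclass
class VlanGroups:
    groups: Dict[int, Set[int]] = field(default_factory=dict)    # group id -> VLANs
    modules: Dict[int, List[int]] = field(default_factory=dict)  # slot -> group ids


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand a Catalyst-style VLAN list such as '21-25,50-53'."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_vlan_groups(msfc_config: str) -> VlanGroups:
    """Collect 'firewall vlan-group <id> <list>' and 'firewall module <slot> vlan-group <ids>'."""
    out = VlanGroups()
    for raw in msfc_config.splitlines():
        line = raw.strip()
        m = re.match(r"^firewall vlan-group (\d+) (\S+)$", line)
        if m:
            out.groups[int(m.group(1))] = expand_vlan_list(m.group(2))
            continue
        m = re.match(r"^firewall module (\d+) vlan-group (\S+)$", line)
        if m:
            out.modules[int(m.group(1))] = [int(g) for g in m.group(2).split(",")]
    return out


def parse_contexts(fw_config: str) -> Dict[str, Set[int]]:
    """Map each 'context NAME' to the VLANs it allocates. Accepts both the FWSM form
    'allocate-interface vlan20' and the ACE form 'allocate-interface vlan 20'."""
    contexts: Dict[str, Set[int]] = {}
    current = None
    for raw in fw_config.splitlines():
        line = raw.strip()
        m = re.match(r"^context (\S+)$", line)
        if m:
            current = m.group(1)
            contexts[current] = set()
            continue
        m = re.match(r"^allocate-interface vlan\s?(\d+)$", line)
        if m and current is not None:
            contexts[current].add(int(m.group(1)))
    return contexts


def check_context_vlans(msfc_config: str, fw_config: str, slot: int, transparent: bool) -> List[str]:
    """Return human-readable problems: VLANs outside the module's vlan-groups and,
    for transparent contexts, VLANs allocated to more than one context."""
    info = parse_vlan_groups(msfc_config)
    allowed: Set[int] = set()
    for gid in info.modules.get(slot, []):
        allowed |= info.groups.get(gid, set())
    contexts = parse_contexts(fw_config)
    problems: List[str] = []
    for name, vlans in sorted(contexts.items()):
        for v in sorted(vlans - allowed):
            problems.append(f"{name}: vlan {v} is not in a vlan-group assigned to module {slot}")
    if transparent:
        owners: Dict[int, List[str]] = {}
        for name, vlans in contexts.items():
            for v in vlans:
                owners.setdefault(v, []).append(name)
        for v, names in sorted(owners.items()):
            if len(names) > 1:
                problems.append(f"vlan {v} is allocated to more than one transparent context: "
                                + ", ".join(sorted(names)))
    return problems


if __name__ == "__main__":
    for p in check_context_vlans(MSFC_SAMPLE, FWSM_SAMPLE, slot=7, transparent=True):
        print(p)
```

Run against the sample it reports the vlan40 allocation that the MSFC never handed to slot 7 and the vlan20 shared by FWA and FWC; with `transparent=False` only the first remains, matching the summary's rule that routed contexts may share VLANs.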
Firewall Services Module
Configuration Tips for Getting Started

Define the VLANs the FWSM will protect, in switch configuration mode:

C6509# config t
C6509(config)#vlan 200
C6509(config)#vlan 201
C6509(config)#vlan 202

Create a firewall group for the FWSM to manage (the VLAN group identifier, followed by the VLANs defined in the previous step):

C6509(config)#firewall vlan-group 100 200-202

Attach the firewall group to the FWSM (the module number is the slot where the FWSM is installed in the chassis):

C6509(config)#firewall module 6 vlan-group 100

Firewall Services Module (Cont.)
Configuration Tips for Getting Started

Some initial FWSM configuration statements:

FWSM# wr t
Building configuration...
: Saved
:
FWSM Version 3.1(1)
<snip>
!
interface Vlan200
 nameif inside
 security-level 100
 ip address 10.130.1.12 255.255.255.0
!
<snip>
icmp permit any inside
<snip>
http server enable
http 192.168.1.0 255.255.255.0 inside
<snip>
telnet 192.168.1.0 255.255.255.0 inside

Notes on the statements above:
- interface Vlan200 / nameif / security-level: define the VLAN interfaces and associate security levels.
- icmp permit any inside: use this statement for each interface that you want to respond to pings; without it no pings will be answered.
- http server enable and http <network> <mask> <interface>: if you want to use PDM to configure the FWSM, then you need to enable HTTP and specify the IP address of each user requiring access.
- telnet <network> <mask> <interface>: if you want to use Telnet to the FWSM through a FWSM interface, then you need to define a telnet statement for each user requiring access.

Integrated Data Center Design Options

Data Center Services Design Options

- We understand what products and devices are available in the data center to provide the services of security, server load balancing, SSL offload, etc.
- We understand the design options of the individual products
- Let's look at different ways of integrating these products
- Each design consists of three redundant layers: core, aggregation, and access

(1) FW on Core with ACE/CSM on Aggregation in Layer 3
(2) FW and ACE on Aggregation with ACE/CSM in Layer 2 and FW in Layer 3
(3) FW and ACE on Aggregation with ACE/CSM in One-Armed and FW in Layer 3
(4) FW and ACE on Aggregation with ACE/CSM in One-Armed and FW in Layer 2

Secure Internal Segment

Physical Topology

[Figure: physical topology diagram; no text survives beyond the title.]

Design (1): Firewall on Core; ACE/CSM on Aggregation in Layer 3 Mode

[Figure: WAN -> Cat6509-Core-1/Core-2 (VLAN 2) -> Cat6513-Agg-1/Agg-2 (VLAN 3, data PortChannel) -> ACE-1/ACE-2 (VLAN 16 on the client side, VLAN 200 control PortChannel, SSL termination on ACE) -> server VLAN 17 (Web), VLAN 18 (App), VLAN 19 (DB) -> Cat6509-Access-1/Access-2 -> App server, Web server, DB server.]

Security Details
- Layer 3 firewall used
- Firewall perimeter at the core
- Aggregation and access are considered trusted zones
- Security perimeter not possible between Web/App/DB tiers
- In the aggregation layer, some security using VLAN tags on the CSM is possible

Content Switching Details
- ACE/CSM is used in routed design
- Servers' default gateway is the ACE/CSM alias IP address
- Extra configuration needed for:
    Direct access to servers
    Non-load balanced server initiated sessions
- ACE/CSM's default gateway is the HSRP group IP on the MSFC
- Since the MSFC is directly connected to the ACE/CSM, RHI is possible
- All traffic to/from load balanced and non-load balanced servers goes through the CSM

Design (1): Firewall on Core; ACE/CSM on Aggregation in Layer 3 Mode
Configuration Snapshots

The ROUTE vserver, with a 0.0.0.0/0 virtual address, predictor forward and NAT disabled, is what lets the CSM carry the non-load balanced traffic (direct server access and server initiated sessions) that this routed design sends through it.

CSM
module ContentSwitchingModule 3
vlan 16 client
  ip address 10.16.1.12 255.255.255.0
  gateway 10.16.1.1
  alias 10.16.1.11 255.255.255.0
!
vlan 17 server
  ip address 10.17.1.2 255.255.255.0
  alias 10.17.1.1 255.255.255.0
!
vlan 18 server
  ip address 10.18.1.2 255.255.255.0
  alias 10.18.1.1 255.255.255.0
!
vlan 19 server
  ip address 10.19.1.2 255.255.255.0
  alias 10.19.1.1 255.255.255.0
!
serverfarm ROUTE
  no nat server
  no nat client
  predictor forward
!
vserver ROUTE
  virtual 0.0.0.0 0.0.0.0 any
  serverfarm ROUTE
  inservice

MSFC SVI
interface Vlan16
  ip address 10.16.1.2 255.255.255.0
  standby 16 ip 10.16.1.1
  standby 16 priority 150

Design (1): Firewall on Core; ACE/CSM on Aggregation in Layer 3 Mode: Session Flows

[Figure, left, load balanced session flow: WAN -> Cat6509-Core-1/Core-2 (VLAN 2), where the firewall makes the security decisions -> Cat6513-Agg-1/Agg-2 (VLAN 3, data PortChannel) -> ACE-1/ACE-2 (VLAN 200, control PortChannel), where the ACE makes the SLB decision -> VLAN 17/18/19 (Web, App, DB VLANs) -> Cat6509-Access-1/Access-2 -> App server, Web server, DB server. Figure, right, server management session flow: the same path, except that the ACE only routes the traffic instead of load balancing it.]

Design (2): Firewall and ACE/CSM on Aggregation; FW in Layer 3 and ACE/CSM in Layer 2 Mode

[Figure: WAN -> Cat6509-Core-1/Core-2 (VLAN 2) -> Cat6513-Agg-1/Agg-2 (VLAN 3, data PortChannel) -> FWSM1/FWSM2 (VLAN 16 towards the MSFC) -> ACE-1/ACE-2 (SSL termination on ACE, multiple control PortChannels) bridging VLANs 7/8/9 to VLANs 17/18/19 (Web, App, DB VLANs) -> Cat6509-Access-1/Access-2 -> App server, Web server, DB server.]

Security Details
- Layer 3 firewall used with single contexts
- Firewall perimeter at the core
- Firewall perimeter is used in the aggregation between Web/App/DB tiers

Content Switching Details
- ACE/CSM is used in bridged design with multiple bridged VLAN pairs
- Servers' default gateway is the firewall primary IP address
- No extra configuration needed for:
    Direct access to servers
    Non-load balanced server initiated sessions
- ACE/CSM's default gateway is the firewall primary IP address
- Since the MSFC is not directly connected to the ACE/CSM, RHI is not possible
- All traffic to/from load balanced and non-load balanced servers goes through the ACE/CSM

Design (2): Firewall and ACE/CSM on Aggregation;
FW in Layer 3 and ACE/CSM in Layer 2 Mode
Configuration Snapshots

CSM

    module ContentSwitchingModule 3
    !
     vlan 7 client
      ip address 10.17.1.11 255.255.255.0
      gateway 10.17.1.1
     !
     vlan 17 server
      ip address 10.17.1.11 255.255.255.0
     !
     vlan 8 client
      ip address 10.18.1.11 255.255.255.0
      gateway 10.18.1.1
     !
     vlan 18 server
      ip address 10.18.1.11 255.255.255.0
     !

MSFC SVI

    interface Vlan16
     ip address 10.16.1.2 255.255.255.0
     standby 16 ip 10.16.1.1
     standby 16 priority 150

VLANS ON THE FIREWALL
    VLAN16 (towards the MSFC)
    Inside Server VLANs: VLAN7, VLAN8, VLAN9
Design (2): Firewall and ACE/CSM on Aggregation;
FW in Layer 3 and ACE/CSM in Layer 2 Mode
Session Flows

[Figure: two panels of the Design (2) topology (WAN > Cat6509-Core-1/2 > VLAN 2/3 > Cat6513-Agg-1/2 with Data PortChannel > FWSM1/2 > VLANs 7/8/9 > ACE-1/2 with multiple control PortChannels > VLANs 17/18/19 > Cat6509-Access-1/2 > App, Web and DB servers; SSLM1 on VLAN 11). Left, Load Balanced Session Flow: the core firewall makes the security decisions and the ACE makes the SLB decision. Right, Web Server to App Server Session Flow: the session crosses the FWSM internal DMZ perimeters and the ACE bridges the traffic.]

Design (3): Firewall and ACE/CSM on Aggregation;
FW in Layer 3 and ACE/CSM in One-Armed Mode

[Figure: WAN > Cat6509-Core-1/Cat6509-Core-2 (VLAN 2) > Cat6513-Agg-1/Cat6513-Agg-2 (VLAN 3, Data PortChannel); ACE-1/ACE-2 one-armed on VLAN 15 (SSL termination on ACE, multiple control PortChannels); FWSM1/FWSM2 on VLAN 16 > VLANs 17/18/19 (Web, App and DB VLANs) > Cat6509-Access-1/Cat6509-Access-2 > App, Web and DB servers]

Security Details
ƒ Layer 3 firewall used with single contexts
ƒ Firewall perimeter at the core
ƒ Firewall perimeter is used in the aggregation between Web/App/DB tiers

Content Switching Details
ƒ ACE/CSM is used in a one-armed fashion
ƒ Servers' default gateway is the firewall primary IP address
ƒ No extra configurations needed for:
    Direct access to servers
    Non-load balanced server initiated sessions
ƒ ACE/CSM's default gateway is the HSRP group address on the MSFC
ƒ Since the MSFC is directly connected to the ACE/CSM, RHI is possible
ƒ All non-load balanced traffic to/from the servers will bypass the ACE/CSM
Design (3): Firewall and CSM on Aggregation;
FW in Layer 3 and CSM in One-Armed Mode

CSM

    module ContentSwitchingModule 3
     vlan 15 server
      ip address 10.15.1.12 255.255.255.0
      gateway 10.15.1.1
      alias 10.15.1.11 255.255.255.0
     !

MSFC SVI

    interface Vlan15
     ip address 10.15.1.2 255.255.255.0
     standby 15 ip 10.15.1.1
     standby 15 priority 150
    !
    interface Vlan16
     ip address 10.16.1.2 255.255.255.0
     standby 16 ip 10.16.1.1
     standby 16 priority 150

VLANS ON THE FIREWALL
    VLAN16 (towards the MSFC)
    DMZ VLANs: VLAN17, VLAN18, VLAN19

Design (3): Firewall and CSM on Aggregation;
FW in Layer 3 and CSM in One-Armed Mode:
Session Flows (1 of 2)

[Figure: two panels of the Design (3) topology (WAN > Cat6509-Core-1/2 > VLAN 2/3 > Cat6513-Agg-1/2 with Data PortChannel; ACE-1/2 one-armed off the aggregation; FWSM1/2 with multiple control PortChannels as the internal DMZ perimeters; VLANs 17/18/19 as Web, App and DB VLANs > Cat6509-Access-1/2 > App, Web and DB servers). Left, Load Balanced Session Flow: PBR or source NAT returns the flow to the ACE, the core firewall makes the security decisions, the ACE makes the SLB decision, and the flow then crosses the FWSM internal DMZ perimeters to the server. Right, Web Server to App Server Session Flow: the ACE is bypassed and the session crosses only the FWSM internal DMZ perimeters.]
Design (3): Firewall and ACE/CSM on Aggregation;
FW in Layer 3 and CSM in One-Armed Mode
Session Flows (2 of 2)

[Figure: the Design (3) topology (WAN > Cat6509-Core-1/2 > VLAN 2/3 > Cat6513-Agg-1/2 with Data PortChannel; ACE-1/2 one-armed; FWSM1/2 internal DMZ perimeters with multiple control PortChannels; VLANs 17/18/19 as Web, App and DB VLANs > Cat6509-Access-1/2 > App, Web and DB servers). Server Management Session Flow: the firewall makes the security decisions and the ACE is bypassed.]



Design (4): Firewall and ACE/CSM on Aggregation;
FW in Layer 2 and CSM in One-Armed Mode [Secure Internal Segment]

[Figure: WAN > Cat6509-Core-1/Cat6509-Core-2 > VLAN 12 > Cat6513-Agg-1/Cat6513-Agg-2 (Secure Internal Segment, Data PortChannel; VLAN 2 and VLAN 11 towards FWSM1/FWSM2 with multiple control PortChannels; SSL termination on ACE). MSFC-side VLANs 7/8/9 are bridged by the FWSM contexts to server VLANs 17/18/19 (Web, App and DB VLANs) > Cat6509-Access-1/Cat6509-Access-2 > App, Web and DB servers]

Security Details
ƒ Layer 2 firewall used with multiple contexts
ƒ Firewall perimeter at outside, internal and each DMZ
ƒ Agg MSFC is a secure internal segment with protection from each connected network
ƒ Secure internal segment is protected from malicious activity from each DC network

Content Switching Details
ƒ ACE/CSM is used in a one-armed fashion
ƒ Servers' default gateway is the HSRP group IP address
ƒ No extra configurations needed for:
    Direct access to servers
    Non-load balanced server initiated sessions
ƒ ACE/CSM's default gateway is the HSRP group address on the MSFC
ƒ Since the MSFC is directly connected to the ACE/CSM, RHI is possible
ƒ All non-load balanced traffic to/from the servers will bypass the ACE/CSM
Design (4): Firewall and ACE/CSM on Aggregation;
FW in Layer 2 and CSM in One-Armed Mode [Secure Internal Segment]

CSM

    module ContentSwitchingModule 3
     vlan 15 server
      ip address 10.15.1.12 255.255.255.0
      gateway 10.15.1.1
      alias 10.15.1.11 255.255.255.0
     !
     vlan 11 server
      ip address 10.11.1.2 255.255.255.0
      alias 10.11.1.1 255.255.255.0

MSFC SVI

    interface Vlan15
     description VLAN Towards ACE
     ip address 10.15.1.2 255.255.255.0
     standby 15 ip 10.15.1.1
     standby 15 priority 150
    !
    interface Vlan7
     ip address 10.17.1.2 255.255.255.0
     standby 17 ip 10.17.1.1
     standby 17 priority 150
    !
    interface Vlan8
     ip address 10.18.1.2 255.255.255.0
     standby 18 ip 10.18.1.1
     standby 18 priority 150
    !
    interface Vlan9
     ip address 10.19.1.2 255.255.255.0
     standby 19 ip 10.19.1.1
     standby 19 priority 150

FIREWALL CONTEXTS

    context DB
     allocate-interface vlan7
     allocate-interface vlan17
     config-url disk:/DB.cfg
    !
    context WEB
     allocate-interface vlan9
     allocate-interface vlan19
     config-url disk:/WEB.cfg
    !
    context APP
     allocate-interface vlan8
     allocate-interface vlan18
     config-url disk:/APP.cfg

Real-World Deployments

Real-World Deployments
Firewall All DMZs and Networks

ƒ Goal
    Ensure high security within the data center
    All tiers (Web/App/DB) are untrusted
    Sessions between servers should be locked down to particular ports
    Ensure non-load balanced traffic bypasses the content switch

ƒ Solution
    Transparent virtual contexts used on the FWSM to seamlessly integrate a firewall perimeter on each of the data center VLANs
    Content switch deployed in a one-armed fashion


Real-World Deployments
Firewall All DMZs and Networks

[Figure: CSS11506_1/CSS11506_2 on VLAN 41 (10.32.222.0/30) attached to Cat6509-Core-1/Cat6509-Core-2 (MSFC, Data PortChannel, Secure Internal Segment). FWSM1/FWSM2 with MSFC-side VLANs 6, 5, 14 and 3, LAN FailOver on VLAN 200 and StateLink on VLAN 201 PortChannels. DMZs: VLAN 103 10.73.222.0/27 (Web Server 1 and 2); VLAN 105 10.73.222.32/28 (App Server 1 and 2); VLAN 114 10.73.220.0/23 (Internal Router, Inside Core); VLAN 106 10.10.137.0/24 (Edge Router 1 and 2, Internet).]

Design Approach
ƒ Layer 2 firewall used with multiple contexts
ƒ Firewall perimeter at outside, internal and each DMZ
ƒ Agg MSFC is a secure internal segment with protection from each connected network
ƒ Secure internal segment is protected from malicious activity from each DC network/VLAN
ƒ Access switches set up in a Layer 2 approach
ƒ CSS11506 is used in a one-armed fashion
ƒ Since NAT is not supported on the transparent FW, NAT is performed on the MSFC

Content Switching Details
ƒ Servers' default gateway is the HSRP group IP address on the agg switches
ƒ CSS's default gateway is the HSRP group address on the MSFC on VLAN 40
ƒ Since the MSFC is directly connected to the ACE, RHI is possible
ƒ All non-load balanced traffic to/from the servers will bypass the CSS11506

Real-World Deployments
Firewall All DMZs and Networks

FIREWALL CONTEXTS

    context WEB
     allocate-interface vlan3
     allocate-interface vlan103
     config-url disk:/WEB.cfg
    !
    context APP
     allocate-interface vlan5
     allocate-interface vlan105
     config-url disk:/APP.cfg

PBR for Production Web Apps

    access-list 121 permit tcp any eq www any
    access-list 121 permit tcp any eq 443 any
    access-list 121 deny ip any any
    !
    route-map FromDMZWebSendToCSS permit 10
     match ip address 121
     set ip next-hop 10.73.222.196
    !
    interface Vlan3
     description DMZWeb
     ip policy route-map FromDMZWebSendToCSS

MSFC SVI

    interface Vlan3
     description DMZWeb
     ip address 10.73.222.2 255.255.255.224
     standby 3 ip 10.73.222.1
     standby 3 priority 150
     ip nat inside
    !
    interface Vlan6
     description Outside
     ip address 10.10.137.2 255.255.255.0
     standby 6 ip 10.10.137.1
     standby 6 priority 150
     ip nat outside
    !
    interface Vlan40
     description CSSVLAN
     ip address 10.73.222.194 255.255.255.192
     standby 40 ip 10.73.222.193
     standby 40 priority 150
     ip nat inside
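The PBR policy above, modelled as an added example (not configuration or code from the deck): it applies access-list 121 and route-map FromDMZWebSendToCSS to constructed sample flows leaving the Web DMZ and shows which sessions are steered to the one-armed CSS and which bypass it, as the one-armed session-flow slides describe. The server, client and management-host addresses are assumptions; the alternative the session-flow slide mentions, source NAT on the content switch, would make the reply's destination the CSS itself and need no PBR.

```python
from dataclasses import dataclass

CSS_NEXT_HOP = "10.73.222.196"         # "set ip next-hop" of route-map FromDMZWebSendToCSS (slide)
NORMAL_ROUTING = "MSFC routing table"  # no route-map match: ordinary forwarding, CSS bypassed

@dataclass(frozen=True)
class Packet:
    """Constructed packet as it enters the MSFC on interface Vlan3 (Web DMZ)."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

# access-list 121 from the slide, evaluated top-down, first match wins.
# In "permit tcp any eq www any" the "eq" follows the SOURCE address, so the entry
# matches TCP packets with source port 80 (server replies), not requests to port 80.
ACL_121 = [  # (action, protocol, required source port or None)
    ("permit", "tcp", 80),
    ("permit", "tcp", 443),
    ("deny", "ip", None),
]

def acl_121_permits(pkt: Packet) -> bool:
    for action, proto, sport in ACL_121:
        if proto != "ip" and proto != pkt.proto:
            continue
        if sport is not None and sport != pkt.sport:
            continue
        return action == "permit"
    return False  # implicit deny at the end of every IOS ACL

def next_hop_from_dmz_web(pkt: Packet) -> str:
    """route-map FromDMZWebSendToCSS permit 10: a packet permitted by ACL 121 is
    policy-routed to the CSS; a denied one falls through to normal routing.
    Caveat visible in the ACL: every reply sourced from TCP/80 or TCP/443 takes
    the CSS path, whether or not that session arrived through the CSS."""
    return CSS_NEXT_HOP if acl_121_permits(pkt) else NORMAL_ROUTING

if __name__ == "__main__":
    flows = {  # constructed flows; 10.73.222.0/27 is the Web DMZ subnet from the slide
        "HTTP reply to Internet client": Packet("tcp", "10.73.222.10", 80, "198.51.100.7", 51514),
        "Web server to App server":      Packet("tcp", "10.73.222.10", 40000, "10.73.222.40", 8080),
        "SSH reply to management host":  Packet("tcp", "10.73.222.10", 22, "10.73.220.5", 52000),
    }
    for name, pkt in flows.items():
        print(f"{name:30} -> {next_hop_from_dmz_web(pkt)}")
```

Only the HTTP and HTTPS replies are policy-routed to the CSS; the web-to-app session and the management reply follow the MSFC routing table, which is the bypass behaviour the design bullets rely on.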


Real-World Deployments (Nexus)
Trust with Caution

ƒ Goal
    Firewall perimeter needed to protect against the outside world, which includes internet clients and partners
    Secure VPN is needed for access into the data center
    All tiers are trusted, as extensive application hardening is deployed
    Session monitoring is essential

ƒ Solution
    Routed virtual contexts used on the FWSM to create multiple perimeters on the core switches; this ensures protection from internet clients and from partners
    Content switching module is deployed in a one-armed fashion
    Layer 3 routing is used between the tiers
    Network and host based IPS are deployed to monitor sessions
Q and A


Recommended Reading
ƒ Solutions Reference Network Design (SRND): www.cisco.com/go/srnd
ƒ Continue your Networkers at Cisco Live learning experience with further reading from Cisco Press
ƒ Check the Recommended Reading flyer for suggested books
ƒ Designing Content Switching Solutions, ISBN: 158705213X, by Zeeshan Naseh and Haroon Khan

Available Onsite at the Cisco Company Store


Complete Your Online Session Evaluation
ƒ Give us your feedback and you could win fabulous prizes. Winners announced daily.
ƒ Receive 20 Passport points for each session evaluation you complete.
ƒ Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don't forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008. Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.
