Implementing Data Center Services (Interoperability, Design and Deployment)

BRKDCT-2703

BRKDCT-2703 14583_04_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public


© 2008, Cisco Systems, Inc. All rights reserved. 14583_04_2008_c1.scr


Agenda
- Data Center Components
- Server Load Balancing (Content Switching)
- SSL Offload
- Security (Firewall)
- Integrated Data Center Services Design Options
- Real World Deployments


Data Center Components


Acronyms
ACE: Application Control Engine
BGP: Border Gateway Protocol
Cat4000: Cisco Catalyst 4000
Cat6500: Cisco Catalyst 6500
CE: Cisco Content Engine
CSA: Cisco Security Agent (host-based intrusion prevention)
CSM: Cisco Content Switching Service Module on Cat6500
CSS: Cisco Content Services Switch (CSS11000 and CSS11500 family)
FWSM: Cisco Firewall Service Module on Cat6500
HSRP: Hot Standby Routing Protocol
GSS: Global Site Selector
IDSM: Cisco Intrusion Detection Service Module on Cat6500
LMS: Cisco Works LAN Management Solution
MAC: Media Access Control
MSFC: Multilayer Switching Feature Card
NAM: Cisco Network Analysis Service Module on Cat6500
OSPF: Open Shortest Path First
PBR: Policy Based Routing
SLB: Server Load Balancing
SSL: Secure Socket Layer
SSLM: Cisco SSL Offload Service Module on Cat6500
VMS: Cisco Works VPN/Security Management Solution
VPN-SM/SPA: Cisco Virtual Private Network Service Module on Cat6500

Data Center Residents
- Presentation servers: web front-end servers that provide the interface to the clients, e.g., Apache, IIS, etc.
- Business logic servers: also known as middleware or custom applications
- DB servers: Oracle, Sybase, etc.
- Data: NAS, SAN…

Data Center Elements
Application Solution
Linux/HP, Solaris/SunFire, WebLogic, J2EE Custom App, Etc.

Database Solution
Linux/HP, Solaris/ SunFire, Oracle 10G RAC, Etc.

Storage Solution
MDS9000


Data Center Elements
Network Infrastructure Solution
Routers and Switches (Cisco GSRs, Catalyst 6500, Catalyst 4500, Nexus5000/7000)

Application Solution
Linux/HP, Solaris/SunFire, WebLogic, J2EE Custom App, Etc.

Layers 4–7 Services Solution
ACE, CSM, SSLM, CSS, CE, GSS

Database Solution
Linux/HP, Solaris/ SunFire, Oracle 10G RAC, Etc.

Network Security Solution
PIX, FWSM, IDSM, VPNSM, CSA

Management and Instrumentation Solution
Terminal Servers, NAM, Cisco Works LMS/VMS, HSE

Storage Solution
MDS9000


Data Center Elements: Redundancy
99.999% availability desired
Mechanisms: HSRP, RPR, SSO, RPVST; stateful redundancy on CSM and FWSM

- Network Infrastructure Solution: routers and switches (Cisco GSRs, Catalyst 6500, Catalyst 4500, Nexus5000/7000)
- Application Solution: Linux/HP, Solaris/SunFire, WebLogic, J2EE custom app, etc.
- Layers 4–7 Services Solution: ACE, CSM, SSLM, CSS, CE, GSS
- Database Solution: Linux/HP, Solaris/SunFire, Oracle 10G RAC, etc.
- Network Security Solution: PIX, FWSM, IDSM, VPNSM, CSA
- Management and Instrumentation Solution: terminal servers, NAM, Cisco Works LMS/VMS, HSE
- Storage Solution: MDS9000


Data Center Elements: Scalability
Flexible and simple growth capabilities desired
Core, aggregation/distribution/services, access model
Ability to scale to multiple services modules (ACE, SSLM, etc.)

- Network Infrastructure Solution: routers and switches (Cisco GSRs, Catalyst 6500, Catalyst 4500, Nexus5000/7000)
- Application Solution: Linux/HP, Solaris/SunFire, WebLogic, J2EE custom app, etc.
- Layers 4–7 Services Solution: ACE, CSM, SSLM, CSS, CE, GSS
- Database Solution: Linux/HP, Solaris/SunFire, Oracle 10G RAC, etc.
- Network Security Solution: PIX, FWSM, IDSM, VPNSM, CSA
- Management and Instrumentation Solution: terminal servers, NAM, Cisco Works LMS/VMS, HSE
- Storage Solution: MDS9000


Data Center Elements: Security
Security goals: protection of information/data; protection against DoS attacks and worm activity; protection of infrastructure devices from unauthorized access

- Network Infrastructure Solution: routers and switches (Cisco GSRs, Catalyst 6500, Catalyst 4500, Nexus5000/7000)
- Application Solution: Linux/HP, Solaris/SunFire, WebLogic, J2EE custom app, etc.
- Layers 4–7 Services Solution: ACE, CSM, SSLM, CSS, CE, GSS
- Database Solution: Linux/HP, Solaris/SunFire, Oracle 10G RAC, etc.
- Network Security Solution: PIX, FWSM, IDSM, VPNSM, CSA
- Management and Instrumentation Solution: terminal servers, NAM, Cisco Works LMS/VMS, HSE
- Storage Solution: MDS9000


Typical Data Center Topology
[Diagram: the internal network and the Internet (via Service Provider A and Service Provider B) connect through edge routers to the core switches, then to aggregation switches and access switches; the access layer hosts the web tier, application tier and database tier]


Distributed Data Centers
[Diagram: a production data center and a backup data center, each hosting App A and App B, connected over an IP network; their storage networks (FC) are linked by an FCIP link]
Data center services: server load balancing and health monitoring, caches, SSL offload, firewall, and intrusion detection

Server Load Balancing

Please visit BRKAPP-2002: Server Load Balancing Design


Server Load Balancing
- Also known as content switching; one of the single most important infrastructure services in the data center
- Key purpose: load distribution of "requests". The requests could be from Internet, intranet, or extranet clients
- Layers 3 to 7 content switching capabilities are available with extensive keepalive (server health check) functionality
- A Layer 4 or Layer 7 proxy can be used as a security perimeter
- Provides application redundancy, load distribution, application health checks, and communication of load to the GSLB device

Content Switching Design Decisions
- Application protocol and ports (listener ports)
- End-to-end application flows
- Direct server access
- Server management
- Server-initiated sessions
- Infrastructure design

Content Switching Design Approaches
Bridged Mode: Design

Key Content Switching Design Options
- Bridged mode design
- Routed mode design with MSFC on client side
- Routed mode design with MSFC on server side
- One-armed design

[Diagram: Core-1 and Core-2; Agg-1 (MSFC1) and Agg-2 (MSFC2) joined by a data PortChannel; ACE 1 and ACE 2 (standby) joined by an FT PortChannel; ACE client-side VLAN 10 10.10.1.0/24 and ACE server-side VLAN 20 10.10.1.0/24 share one subnet; access layer below]

(1) Bridged Mode Design Considerations
- Servers' default gateway is the HSRP group IP address on the MSFC
- Broadcast/multicast/route update traffic bridges through
- No extra configuration for: direct access to servers; server-initiated sessions
- RHI possible
- Load balancer inline for all traffic
- Easily deployed in existing networks

Content Switching Design Approaches
Bridged Mode: Configuration

CSM:
  module ContentSwitchingModule 4
  !
   vlan 10 client
    ip address 10.10.1.5 255.255.255.0
    gateway 10.10.1.1
    alias 10.10.1.4 255.255.255.0
  !
   vlan 20 server
    ip address 10.10.1.5 255.255.255.0
  !

ACE:
  !
  interface vlan 10
    bridge-group 10
    access-group input anyone
    access-group output anyone
    no shutdown
  !
  interface vlan 20
    bridge-group 10
    access-group input anyone
    access-group output anyone
    no shutdown
  !
  interface bvi 10
    ip address 10.10.1.5 255.255.255.0
    alias 10.10.1.4 255.255.255.0
    peer ip address 10.10.1.6 255.255.255.0
    no shutdown
  !
  ip route 0.0.0.0 0.0.0.0 10.10.1.1
  !

MSFC:
  !
  interface Vlan10
   ip address 10.10.1.2 255.255.255.0
   standby 10 ip 10.10.1.1
   standby 10 priority 110
   standby 10 preempt
  !

Content Switching Design Approaches
Bridged Mode: BPDU Forwarding

ACE configuration to allow BPDUs:
  !
  access-list bpduallow ethertype permit bpdu
  !
  interface vlan 10
    bridge-group 10
    access-group input bpduallow
    no shutdown
  !
  interface vlan 20
    bridge-group 10
    access-group input bpduallow
    no shutdown
  !

Content Switching Design Approaches
Routed Mode: Design

[Diagram (2A), MSFC on client side: Core-1 and Core-2; Agg-1 (MSFC1) and Agg-2 (MSFC2) joined by a data PortChannel; ACE 1 and ACE 2 (standby) joined by an FT PortChannel; ACE client-side VLAN 10 10.10.1.0/24; ACE server-side VLAN 20 10.20.1.0/24 and VLAN 30 10.30.1.0/24; access layer below]
[Diagram (2B), MSFC on server side: Core-1 and Core-2; ACE 1 and ACE 2 (standby) sit between the core and the MSFCs; ACE client-side VLAN 5 10.5.1.0/24; ACE server-side VLAN 1 10.10.1.0/24; server VLAN 20 10.20.1.0/24 and VLAN 30 10.30.1.0/24 on the MSFCs; access layer below]

(2A) Routed Mode Design with MSFC on Client Side
- Servers' default gateway is the alias IP on the CSM/ACE
- Extra configuration needed for: direct access to servers; non-load-balanced server-initiated sessions
- CSM/ACE's default gateway is the HSRP group IP address on the MSFC
- RHI possible
- Load balancer inline for all traffic

(2B) Routed Mode Design with MSFC on Server Side
- Servers' default gateway is the HSRP group IP address on the MSFC
- Extra configuration needed for (simpler than option 2A): direct access to servers; non-load-balanced server-initiated sessions
- ACE/CSM's default gateway is the core router
- RHI not possible
- Server-to-server communication bypasses the load balancer

Content Switching Design Approaches
Routed Mode: Design (continued)

[Diagram (2C): Core-1 and Core-2; Agg-1 (MSFC1) and Agg-2 (MSFC2) joined by a data PortChannel, each with a VRF-Lite server instance; ACE 1 and ACE 2 (standby) joined by an FT PortChannel; access layer below]

(2C) Routed Mode Design with VRF-Lite
- Servers' default gateway is the HSRP group IP address on the VLANs (SVIs) within the VRF-Lite instance
- Extra configuration needed for (simpler than option 2A): direct access to servers; non-load-balanced server-initiated sessions
- ACE/CSM's default gateway is the global MSFC's HSRP IP address
- RHI is possible
- Server-to-server communication bypasses the load balancer

Content Switching Design Approaches
Routed Mode: Configuration

CSM:
  module ContentSwitchingModule 4
  !
   vlan 10 client
    ip address 10.10.1.5 255.255.255.0
    gateway 10.10.1.1
    alias 10.10.1.4 255.255.255.0
  !
   vlan 20 server
    ip address 10.20.1.2 255.255.255.0
    alias 10.20.1.1 255.255.255.0
  !
   vlan 30 server
    ip address 10.30.1.2 255.255.255.0
    alias 10.30.1.1 255.255.255.0
  !

ACE:
  !
  interface vlan 10
    ip address 10.10.1.5 255.255.255.0
    alias 10.10.1.4 255.255.255.0
    peer ip address 10.10.1.6 255.255.255.0
    no shutdown
  !
  interface vlan 20
    ip address 10.20.1.2 255.255.255.0
    alias 10.20.1.1 255.255.255.0
    peer ip address 10.20.1.3 255.255.255.0
    no shutdown
  !
  interface vlan 30
    ip address 10.30.1.2 255.255.255.0
    alias 10.30.1.1 255.255.255.0
    peer ip address 10.30.1.3 255.255.255.0
    no shutdown
  !
  ip route 0.0.0.0 0.0.0.0 10.10.1.1

MSFC:
  !
  interface Vlan10
   ip address 10.10.1.2 255.255.255.0
   standby 10 ip 10.10.1.1
   standby 10 priority 110
   standby 10 preempt
  !

Content Switching Design Approaches
One-Armed Mode: Design

[Diagram: Core-1 and Core-2; Agg-1 and Agg-2 (MSFC1, MSFC2) joined by a data PortChannel; ACE 1 and ACE 2 (standby) joined by an FT PortChannel and attached on a single arm, LB server-side VLAN 10 10.10.1.0/24; server VLAN 20 10.20.1.0/24 and server VLAN 30 10.30.1.0/24 are routed by the MSFCs; access layer below]

(3) One-Armed Design Considerations
- Servers' default gateway is the HSRP group IP address on the MSFC
- No extra configuration for: direct access to servers; server-initiated sessions
- RHI possible
- CSM/ACE inline only for server load balanced traffic
- Only policy based routing or source NAT can be used to redirect server return traffic to the load balancer

Content Switching Design Approaches
One-Armed Mode: PBR Configuration

MSFC:
  !
  interface Vlan10
   ip address 10.10.1.2 255.255.255.0
   standby 10 ip 10.10.1.1
   standby 10 priority 110
   standby 10 preempt
  !
  interface Vlan20
   ip address 10.20.1.2 255.255.255.0
   ip policy route-map FromServersToSLB
   standby 20 ip 10.20.1.1
   standby 20 priority 110
   standby 20 preempt
  !
  access-list 121 permit tcp any eq telnet any
  access-list 121 permit tcp any eq www any
  access-list 121 permit tcp any eq 443 any
  access-list 121 deny ip any any
  !
  route-map FromServersToSLB permit 10
   match ip address 121
   set ip next-hop 10.10.1.4

CSM - Asymmetric Routing:
  !
  module ContentSwitchingModule 4
   variable ROUTE_UNKNOWN_FLOW_PKTS 2
  !

ACE - Asymmetric Routing:
  !
  interface vlan 10
    ip address 10.10.1.5 255.255.255.0
    alias 10.10.1.4 255.255.255.0
    peer ip address 10.10.1.6 255.255.255.0
    no normalization
    access-group input anyone
    access-group output anyone
    no shutdown
  !
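The route-map above decides which server-side packets the MSFC hands to the load balancer. The following is an added example, not part of the Cisco deck: a small Python evaluator that parses the page's ACL 121 and route-map FromServersToSLB and applies them to constructed server-side flows, showing which return packets are steered to the ACE/CSM alias 10.10.1.4 and which follow normal routing and so bypass the load balancer. The client, admin and database addresses in the sample flows are made-up values.

```python
# Added example (not from the Cisco deck): evaluate the MSFC one-armed PBR policy
# against constructed server-side flows. Only the ACL subset used on the page
# ('any' / 'host A.B.C.D' with an optional 'eq <port>') is parsed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# IOS port keywords as written in ACL syntax; numeric ports pass through.
IOS_PORT_KEYWORDS = {"telnet": 23, "www": 80, "ftp": 21, "smtp": 25, "domain": 53}

@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class AclEntry:
    action: str                # "permit" or "deny"
    proto: str                 # "tcp", "udp" or "ip"
    src_host: Optional[str]    # None means "any"
    src_port: Optional[int]    # "eq <port>" after the source, else None
    dst_host: Optional[str]
    dst_port: Optional[int]

def _address(tok: List[str], i: int) -> Tuple[Optional[str], Optional[int], int]:
    """Consume 'any' or 'host A.B.C.D' plus an optional 'eq <port>' at tok[i:]."""
    if tok[i] == "any":
        host, i = None, i + 1
    elif tok[i] == "host":
        host, i = tok[i + 1], i + 2
    else:
        raise ValueError(f"unsupported address spec: {tok[i]}")
    port = None
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        port = IOS_PORT_KEYWORDS[name] if name in IOS_PORT_KEYWORDS else int(name)
        i += 2
    return host, port, i

def parse_policy(config: str) -> Tuple[List[AclEntry], str]:
    """Return the entries of the ACL named by 'match ip address' and the PBR next hop."""
    acl_id = next_hop = None
    acls: Dict[str, List[AclEntry]] = {}
    for raw in config.splitlines():
        tok = raw.split()
        if tok[:1] == ["access-list"]:
            src_host, src_port, i = _address(tok, 4)
            dst_host, dst_port, _ = _address(tok, i)
            acls.setdefault(tok[1], []).append(
                AclEntry(tok[2], tok[3], src_host, src_port, dst_host, dst_port))
        elif tok[:3] == ["match", "ip", "address"]:
            acl_id = tok[3]
        elif tok[:3] == ["set", "ip", "next-hop"]:
            next_hop = tok[3]
    if acl_id is None or next_hop is None:
        raise ValueError("route-map is missing its match or set clause")
    return acls.get(acl_id, []), next_hop

def acl_permits(entries: List[AclEntry], f: Flow) -> bool:
    """IOS first-match semantics with the implicit deny at the end."""
    for e in entries:
        if e.proto not in ("ip", f.proto):
            continue
        if e.src_host not in (None, f.src_ip) or e.dst_host not in (None, f.dst_ip):
            continue
        if e.src_port not in (None, f.src_port) or e.dst_port not in (None, f.dst_port):
            continue
        return e.action == "permit"
    return False

def pbr_next_hop(config: str, f: Flow) -> Optional[str]:
    """Next hop imposed by 'ip policy route-map' on the server SVI, or None when the
    packet follows the routing table and therefore never reaches the load balancer."""
    entries, next_hop = parse_policy(config)
    return next_hop if acl_permits(entries, f) else None

# The MSFC policy lines from the page (interface statements are not needed here).
MSFC_PBR_CONFIG = """
access-list 121 permit tcp any eq telnet any
access-list 121 permit tcp any eq www any
access-list 121 permit tcp any eq 443 any
access-list 121 deny ip any any
route-map FromServersToSLB permit 10
 match ip address 121
 set ip next-hop 10.10.1.4
"""

# Constructed flows entering the MSFC from server VLAN 20 (10.20.1.0/24); the
# client, admin and database addresses are made-up sample values.
SAMPLE_FLOWS = {
    "web reply": Flow("tcp", "10.20.1.11", 80, "172.16.5.9", 51234),
    "https reply": Flow("tcp", "10.20.1.11", 443, "172.16.5.9", 51235),
    "ssh admin reply": Flow("tcp", "10.20.1.11", 22, "192.168.1.50", 40001),
    "server-initiated": Flow("tcp", "10.20.1.11", 45000, "10.30.1.5", 1521),
    "dns reply (udp)": Flow("udp", "10.20.1.11", 53, "10.30.1.5", 33000),
}

def classify(config: str = MSFC_PBR_CONFIG, flows=SAMPLE_FLOWS) -> Dict[str, Optional[str]]:
    """Map each flow name to the PBR next hop, or None for normal routing."""
    return {name: pbr_next_hop(config, f) for name, f in flows.items()}
```

Only replies from the three listener ports are steered to the load balancer; a management reply or a server-initiated connection follows the routing table, which is why those flows need no extra configuration in one-armed mode but also never pass through the ACE/CSM.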

Content Switching Design Approaches
One-Armed Mode: Source-NAT Configuration

CSM:
  !
  module ContentSwitchingModule 4
  !
   natpool SRC_NAT 10.10.1.110 10.10.1.110 netmask 255.255.255.0
  !
   serverfarm SFARM_NAT
    nat server
    nat client SRC_NAT
    real 10.20.1.11
     inservice
    real 10.20.1.12
     inservice
    probe TCP
  !

ACE:
  !
  policy-map multi-match SLB-TELNET-POLICY
    class SLB-TELNET
      loadbalance vip inservice
      loadbalance policy TELNET-POLICY-TYPE
      loadbalance vip icmp-reply
      nat dynamic 1 vlan 10
  !
  interface vlan 10
    ip address 10.10.1.6 255.255.255.0
    alias 10.10.1.4 255.255.255.0
    peer ip address 10.10.1.5 255.255.255.0
    no normalization
    access-group input anyone
    access-group output anyone
    nat-pool 1 10.10.1.110 10.10.1.110 netmask 255.255.255.0 pat
    no shutdown
  !

Content Switching Design Approaches
Virtual Context in ACE

[Diagram (4A), bridged contexts: Core-1 and Core-2; Agg-1 (MSFC1) and Agg-2 (MSFC2) joined by a data PortChannel; ACE1 and ACE2 with transparent virtual contexts joined by a control PortChannel; VC_A bridges VLAN 2 and VLAN 20 (10.20.1.0/24), VC_B bridges VLAN 3 and VLAN 30 (10.30.1.0/24); access layer below]
[Diagram (4B), routed contexts: same core and aggregation layout; ACE-to-MSFC VLAN 12 10.12.1.0/24 and VLAN 13 10.13.1.0/24; VC_1 serves VLAN 20 10.20.1.0/24 and VC_2 serves VLAN 30 10.30.1.0/24; access layer below]

(4A) Bridged Context
  context VC_A
    allocate-interface vlan 2
    allocate-interface vlan 20
    member VC_A_RESRC
  !
  context VC_B
    allocate-interface vlan 3
    allocate-interface vlan 30
    member VC_B_RESRC

(4B) Routed Context
  context VC_A
    allocate-interface vlan 12
    allocate-interface vlan 21
    allocate-interface vlan 22
    member VC_1_RESRC
  !
  context VC_B
    allocate-interface vlan 13
    allocate-interface vlan 31
    member VC_2_RESRC

Content Switching Design Approaches
Virtual Context in ACE: Configuration

  resource-class VC_1
    limit-resource all minimum 20.00 maximum equal-to-min
  resource-class VC_2
    limit-resource all minimum 0.00 maximum unlimited
    limit-resource conc-connections minimum 40.00 maximum equal-to-min
    limit-resource sticky minimum 40.00 maximum equal-to-min
  !
  context VC_A
    description Context for initial client request
    allocate-interface vlan 5
    allocate-interface vlan 10
    member VC_1
  context VC_B
    description Context for second tier of internal VIPs
    allocate-interface vlan 15
    allocate-interface vlan 20
    allocate-interface vlan 30
    member VC_2
  ft interface vlan 31
    ip address 10.31.1.1 255.255.255.0
    peer ip address 10.31.1.2 255.255.255.0
    no shutdown
  ft peer 1
    heartbeat interval 300
    heartbeat count 10
    ft-interface vlan 31
  ft group 11
    peer 1
    priority 110
    peer priority 105
    associate-context VC_A
    inservice
  ft group 22
    peer 1
    priority 105
    peer priority 110
    associate-context VC_B
    inservice

Content Switching Designs Summary

Default gateway of servers
  (1) Bridge mode: HSRP IP on MSFC
  (2A) Routed mode, MSFC on client side: alias IP on CSM
  (2B) Routed mode, MSFC on server side: HSRP IP on MSFC
  (3) One-armed: HSRP IP on MSFC

Direct access to servers
  (1): no extra configuration needed
  (2A): extra configuration needed
  (2B): extra configuration may be needed
  (3): CSM is bypassed

Server-originated connections
  (1): no extra configuration needed
  (2A): extra configuration needed, may bypass CSM
  (2B): extra configuration may be needed, may bypass CSM
  (3): CSM is bypassed

Multicast support
  (1): supported, bridges through
  (2A): not supported
  (2B): supported, server to server works
  (3): supported, as CSM is bypassed

Layer 2 loops
  (1): possible if misconfigured
  (2A): not possible
  (2B): not possible
  (3): not possible

SSL Offload

Please Visit BRKCDT-3703: SSL Offload for DC Backend Server Farm


Network-Based SSL Offload

[Diagram: Core-1 and Core-2; Agg-1 and Agg-2 (MSFC1, MSFC2) joined by a data PortChannel; CSM 1 and CSM 2 on CSM server-side VLAN 10 10.10.1.0/24; SSLM 1 and SSLM 2 on SSLM VLAN 40 10.40.1.0/24, joined by an FT PortChannel; server VLAN 20 10.20.1.0/24 and server VLAN 30 10.30.1.0/24; access layer below]

Key Motivations
- Offload SSL decryption/encryption from servers
- Redundancy
- Scalability
- Unified management of SSL certificates
- Layer 7 based load balancing and stickiness possible for HTTPS

SSL Offload Design
- In ACE (Application Control Engine), SSL offload is built into the module
- Simply add the SSLMs on a VLAN connected to the ACE; the SSLMs' default gateway would be the alias IP on the ACE
- Backend SSL requires no design change

SSL Services Module
Configuration Tips: Admin VLAN and Data VLAN
- One VLAN on the SSL module has to be the "admin VLAN"; the admin VLAN can also carry data traffic
- Make sure that the admin VLAN has a route to the CA, TFTP server, management stations, etc.
- The default gateway of the admin VLAN is the module default gateway
[Diagram: one SSL module with separate admin and data VLANs, and one SSL module with a single VLAN carrying both admin and data traffic]

Data Center Security


Firewall Design Approaches
Layer 2

Key Firewall Design Options
- Bridged mode design, also known as transparent or stealth firewall
- Routed mode design, also known as Layer 3 firewall
- Virtual firewall contexts for Layer 2 or Layer 3 mode

[Diagram: Core-1 and Core-2; Agg-1 (MSFC1) and Agg-2 (MSFC2) joined by a data PortChannel; FWSM1 and FWSM2 joined by a control PortChannel, bridging DMZ-1 VLAN 20 10.20.1.0/24; access layer below]

(1) Layer 2 (Transparent) Firewall Design Considerations
- Servers' default gateway is the HSRP group IP address on the MSFC
- Broadcast/multicast/route update traffic bridges through
- Bump on the wire; easy integration
- Currently two VLANs can be merged

Firewall Design Approaches
Layer 3

[Diagram: Core-1 and Core-2; Agg-1 (MSFC1, FWSM1) and Agg-2 (MSFC2, FWSM2) joined by a data PortChannel and a control PortChannel; FWSM to MSFC VLAN 10 10.10.1.0/24; DMZ-1 VLAN 20 10.20.1.0/24 and DMZ-1 VLAN 30 10.30.1.0/24; access layer below]

(2) Layer 3 Firewall Design Considerations
- Servers' default gateway is the IP address on the firewall
- Dynamic routing is supported

Firewall Design Approaches
Virtual Context
- It's the ability to segment a single physical firewall into multiple virtualized instances
- Multiple interfaces/VLANs within Layer 3 virtual contexts are supported
- Multiple bridge pairs for Layer 2 virtual contexts are supported

On the MSFC:
  firewall multiple-vlan-interfaces
  firewall module 7 vlan-group 100
  firewall vlan-group 100 21-25,50-53

On the firewall:
  CAT1-FWSM-SYS# conf t
  CAT1-FWSM-SYS(config)# firewall ?
  Usage: [no | clear | show ] firewall [transparent]
  FWSM(config)#
  FWSM(config)# mode ?
  Usage: mode single | multiple
  FWSM(config)#
  FWSM#

Firewall Design Approaches
Virtual Context

[Diagram (3A), transparent contexts: Core-1 and Core-2; Agg-1 (MSFC1) and Agg-2 (MSFC2) joined by a data PortChannel; two FWSMs with transparent virtual contexts joined by a control PortChannel; FWA bridges VLAN 20 10.20.1.0/24 and FWB bridges VLAN 30 10.30.1.0/24; access layer below]
[Diagram (3B), routed contexts: same core and aggregation layout; FWSM to MSFC VLAN 12 10.12.1.0/24 and VLAN 13 10.13.1.0/24; DMZ-1 VLAN 20 10.20.1.0/24 and DMZ-2 VLAN 30 10.30.1.0/24; access layer below]

(3A) Transparent Context
  context FWA
    allocate-interface vlan2
    allocate-interface vlan20
    config-url disk:/FWA.cfg
  !
  context FWB
    allocate-interface vlan3
    allocate-interface vlan30
    config-url disk:/FWB.cfg

(3B) Routed Context
  context FW1
    allocate-interface vlan12
    allocate-interface vlan20
    config-url disk:/FW1.cfg
  !
  context FW2
    allocate-interface vlan13
    allocate-interface vlan30
    config-url disk:/FW2.cfg

Firewall Designs Summary

Default gateway of servers
  (1) Bridge mode, Layer 2: HSRP IP on MSFC
  (2) Routed mode, Layer 3: primary IP on FW
  (3A) Virtual context, Layer 2: HSRP IP on MSFC
  (3B) Virtual context, Layer 3: primary IP on FW

Multicast support
  (1): supported
  (2): supported
  (3A): supported
  (3B): supported

Layer 2 loops
  (1): possible if misconfigured
  (2): not possible
  (3A): possible if misconfigured
  (3B): not possible

VLAN usage
  (1): multiple VLANs allowed
  (2): multiple VLANs allowed
  (3A): multiple VLANs per VC, cannot share VLANs across VCs
  (3B): multiple VLANs per VC, cannot share VLANs across VCs

Firewall Services Module
Configuration Tips for Getting Started

Define the VLANs the FWSM will protect, in switch configuration mode:
  C6509# config t
  C6509(config)# vlan 200
  C6509(config)# vlan 201
  C6509(config)# vlan 202

Create a firewall group for the FWSM to manage (100 is the VLAN group identifier; 200-202 are the VLANs defined in the previous step):
  C6509(config)# firewall vlan-group 100 200-202

Attach the firewall group to the FWSM (6 is the slot where the FWSM is installed in the chassis):
  C6509(config)# firewall module 6 vlan-group 100

Firewall Services Module (Cont.)
Configuration Tips for Getting Started

Some initial FWSM configuration statements:
  FWSM# wr t
  Building configuration...
  : Saved
  :
  FWSM Version 3.1(1)
  <snip>
  !
  interface Vlan200
   nameif inside
   security-level 100
   ip address 10.130.1.12 255.255.255.0
  !
  <snip>
  icmp permit any inside
  <snip>
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  <snip>
  telnet 192.168.1.0 255.255.255.0 inside

- interface Vlan200: define VLAN interfaces and associate security levels
- icmp permit: use this statement for each interface that you want to respond to pings; without it no pings will be answered
- http: if you want to use PDM to configure the FWSM, then you need to enable HTTP and specify the IP address of each user requiring access
- telnet: if you want to use Telnet to the FWSM through a FWSM interface, then you need to define a telnet statement for each user requiring access
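The http and telnet statements above scope management access to specific sources on a named interface. As an added example, not part of the Cisco deck, here is a small Python audit that parses those management lines from an FWSM configuration and flags entries reachable from any source, from a range wider than expected, or on an interface other than the designated management interface; the management interface name "inside", the /24 threshold and the "weak" comparison configuration are assumptions.

```python
# Added example (not from the Cisco deck): audit the management-plane lines of an
# FWSM configuration like the one above. It parses 'http|telnet|ssh <net> <mask> <if>'
# and 'icmp permit ...' statements. The management interface name and the width
# threshold are assumptions passed in as parameters.
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

Finding = Tuple[str, str]  # (severity, message)
SEVERITY_ORDER = {"info": 0, "low": 1, "medium": 2, "high": 3}

@dataclass(frozen=True)
class AccessRule:
    service: str                    # "http", "telnet", "ssh" or "icmp"
    source: ipaddress.IPv4Network   # who may reach the service
    interface: str                  # nameif the rule applies to

def _network(tok: List[str]) -> ipaddress.IPv4Network:
    """Translate an FWSM source spec ('any', 'host A.B.C.D' or 'A.B.C.D mask')."""
    if tok[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok[0] == "host":
        return ipaddress.IPv4Network(tok[1])
    return ipaddress.IPv4Network((tok[0], tok[1]), strict=False)

def parse_mgmt_rules(config: str) -> List[AccessRule]:
    rules = []
    for raw in config.splitlines():
        tok = raw.strip().split()
        if len(tok) == 4 and tok[0] in ("http", "telnet", "ssh"):
            # e.g. "telnet 192.168.1.0 255.255.255.0 inside"; "http server enable" is skipped
            rules.append(AccessRule(tok[0], _network(tok[1:3]), tok[3]))
        elif tok[:2] == ["icmp", "permit"] and len(tok) >= 4:
            # e.g. "icmp permit any inside"; an optional icmp-type before the interface is ignored
            rules.append(AccessRule("icmp", _network(tok[2:-1]), tok[-1]))
    return rules

def audit(config: str, mgmt_interface: str = "inside", widest_prefix: int = 24) -> List[Finding]:
    findings: List[Finding] = []
    for r in parse_mgmt_rules(config):
        where = f"{r.service} from {r.source} on {r.interface}"
        if r.service == "icmp":
            if r.source.prefixlen == 0:
                findings.append(("info", f"{where}: interface answers pings from any source"))
            continue
        if r.source.prefixlen == 0:
            findings.append(("high", f"{where}: management reachable from any source"))
        elif r.source.prefixlen < widest_prefix:
            findings.append(("medium", f"{where}: source range wider than /{widest_prefix}"))
        if r.interface != mgmt_interface:
            findings.append(("high", f"{where}: management allowed on a non-management interface"))
        if r.service == "telnet":
            findings.append(("low", f"{where}: cleartext protocol, prefer ssh"))
    return findings

def worst(findings: List[Finding]) -> str:
    """Highest severity present, or 'none' for a clean configuration."""
    return max((s for s, _ in findings), key=SEVERITY_ORDER.get, default="none")

# Management lines as shown on the page (other statements elided with <snip>).
PAGE_CONFIG = """
interface Vlan200
 nameif inside
 security-level 100
 ip address 10.130.1.12 255.255.255.0
!
<snip>
icmp permit any inside
<snip>
http server enable
http 192.168.1.0 255.255.255.0 inside
<snip>
telnet 192.168.1.0 255.255.255.0 inside
"""

# Constructed weaker variant for comparison (not from the page).
WEAK_CONFIG = """
http server enable
http 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
ssh 10.0.0.0 255.0.0.0 inside
"""

if __name__ == "__main__":
    for name, cfg in (("page", PAGE_CONFIG), ("weak", WEAK_CONFIG)):
        print(f"{name}: worst={worst(audit(cfg))}")
        for sev, msg in audit(cfg):
            print(f"  [{sev}] {msg}")
```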

Integrated Data Center Design Options


Data Center Services Design Options
- We understand what products and devices are available in the data center to provide the services of security, server load balancing, SSL offload, etc.
- We understand the design options of the individual products
- Let's look at different ways of integrating these products
- Each design consists of three redundant layers—core, aggregation, and access

(1) FW on core with ACE/CSM on aggregation in Layer 3
(2) FW and ACE on aggregation with ACE/CSM in Layer 2 and FW in Layer 3
(3) FW and ACE on aggregation with ACE/CSM in one-armed mode and FW in Layer 3
(4) FW and ACE on aggregation with ACE/CSM in one-armed mode and FW in Layer 2
Secure internal segment

Physical Topology


Design (1): Firewall on Core; ACE/CSM on Aggregation in Layer 3 Mode

[Diagram: WAN; Cat6509-Core-1 and Cat6509-Core-2 (VLAN 2, VLAN 3); Cat6513-Agg-1 and Cat6513-Agg-2 joined by a data PortChannel, hosting ACE-1 and ACE-2 (client-side VLAN 16, server-side VLAN 17, 18, 19, control PortChannel on VLAN 200); Cat6509-Access-1 and Cat6509-Access-2 carrying the web VLAN, app VLAN and DB VLAN with web, app and DB servers]

Security Details
- Layer 3 firewall used
- Firewall perimeter at the core
- Aggregation and access are considered trusted zones
- Security perimeter not possible between web/app/DB tiers
- In the aggregation layer, some security using VLAN tags on the CSM is possible
- SSL termination on ACE

Content Switching Details
- ACE/CSM is used in a routed design
- Servers' default gateway is the ACE/CSM alias IP address
- Extra configuration needed for: direct access to servers; non-load-balanced server-initiated sessions
- ACE/CSM's default gateway is the HSRP group IP on the MSFC
- Since the MSFC is directly connected to the ACE/CSM, RHI is possible
- All traffic to/from load balanced and non-load balanced servers goes through the CSM

Design (1): Firewall on Core; ACE/CSM on Aggregation in Layer 3 Mode
Configuration Snapshots

MSFC SVI:
  interface Vlan16
   ip address 10.16.1.2 255.255.255.0
   standby 16 ip 10.16.1.1
   standby 16 priority 150

CSM:
  module ContentSwitchingModule 3
   vlan 16 client
    ip address 10.16.1.12 255.255.255.0
    gateway 10.16.1.1
    alias 10.16.1.11 255.255.255.0
   !
   vlan 17 server
    ip address 10.17.1.2 255.255.255.0
    alias 10.17.1.1 255.255.255.0
   !
   vlan 18 server
    ip address 10.18.1.2 255.255.255.0
    alias 10.18.1.1 255.255.255.0
   !
   vlan 19 server
    ip address 10.19.1.2 255.255.255.0
    alias 10.19.1.1 255.255.255.0
   !
   serverfarm ROUTE
    no nat server
    no nat client
    predictor forward
   !
   vserver ROUTE
    virtual 0.0.0.0 0.0.0.0 any
    serverfarm ROUTE
    inservice
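The catch-all vserver ROUTE with predictor forward is the extra configuration this routed design needs so that traffic not destined to a VIP (direct server access, server-to-server flows between tiers) is routed through the CSM instead of being dropped. The following is an added example, not part of the Cisco deck: a Python model of the CSM vserver lookup with the page's ROUTE vserver beside a constructed web VIP, showing both outcomes and what happens without ROUTE; the VIP 10.16.1.100, the real server addresses and the assumption that a flow matching no vserver is dropped are mine, not the page's.

```python
# Added example (not from the Cisco deck): a model of the CSM vserver lookup in
# routed mode, showing why the catch-all 'vserver ROUTE' with 'predictor forward'
# is needed for direct server access. The VIP and real server addresses are
# constructed; a flow matching no vserver is modeled as dropped (assumption).
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Serverfarm:
    name: str
    predictor: str                 # "roundrobin" or "forward" (as on the page)
    reals: Tuple[str, ...] = ()    # empty for a forwarding farm

@dataclass(frozen=True)
class Vserver:
    name: str
    vip: ipaddress.IPv4Network     # 'virtual <ip> <mask>'
    proto: str                     # "tcp", "udp" or "any"
    port: Optional[int]            # None = any port
    serverfarm: str
    inservice: bool = True

def virtual(name: str, ip: str, mask: str, proto: str, port: Optional[int], farm: str) -> Vserver:
    """Build a Vserver from the CSM 'virtual <ip> <mask> <proto> [port]' form."""
    return Vserver(name, ipaddress.IPv4Network((ip, mask), strict=False), proto, port, farm)

@dataclass
class CsmModel:
    vservers: List[Vserver]
    farms: Dict[str, Serverfarm]
    _rr: Dict[str, int] = field(default_factory=dict)   # round-robin cursor per farm

    def lookup(self, dst_ip: str, proto: str, dst_port: int) -> Optional[Vserver]:
        addr = ipaddress.ip_address(dst_ip)
        hits = [v for v in self.vservers
                if v.inservice and addr in v.vip
                and v.proto in ("any", proto) and v.port in (None, dst_port)]
        if not hits:
            return None
        # Most specific VIP wins; for the same VIP a port-specific entry wins.
        return max(hits, key=lambda v: (v.vip.prefixlen, v.port is not None))

    def dispose(self, dst_ip: str, proto: str, dst_port: int) -> str:
        v = self.lookup(dst_ip, proto, dst_port)
        if v is None:
            return "drop"                         # no vserver: assumed dropped
        farm = self.farms[v.serverfarm]
        if farm.predictor == "forward":
            return f"route:{dst_ip}"              # routed as-is, no NAT, no real chosen
        i = self._rr.get(farm.name, 0)
        self._rr[farm.name] = i + 1
        return f"balance:{v.name}->{farm.reals[i % len(farm.reals)]}"

FARMS = {
    "ROUTE": Serverfarm("ROUTE", "forward"),                                  # from the page
    "WEB": Serverfarm("WEB", "roundrobin", ("10.17.1.11", "10.17.1.12")),   # constructed
}
WEB_VIP = virtual("WEB-VIP", "10.16.1.100", "255.255.255.255", "tcp", 80, "WEB")  # constructed
ROUTE_ALL = virtual("ROUTE", "0.0.0.0", "0.0.0.0", "any", None, "ROUTE")          # page's catch-all

def with_route() -> CsmModel:
    return CsmModel([WEB_VIP, ROUTE_ALL], FARMS)

def without_route() -> CsmModel:
    return CsmModel([WEB_VIP], FARMS)

if __name__ == "__main__":
    for label, csm in (("with ROUTE", with_route()), ("without ROUTE", without_route())):
        print(label)
        print("  client -> VIP:80   ", csm.dispose("10.16.1.100", "tcp", 80))
        print("  client -> VIP:80   ", csm.dispose("10.16.1.100", "tcp", 80))
        print("  admin  -> real:22  ", csm.dispose("10.17.1.11", "tcp", 22))
        print("  app    -> db:1521  ", csm.dispose("10.19.1.21", "tcp", 1521))
```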

Design (1): Firewall on Core; ACE/CSM on Aggregation in Layer 3 Mode: Session Flows

[Diagram, load balanced session flow: from the WAN through Cat6509-Core-1/Core-2 (VLAN 2, VLAN 3), where the firewall makes the security decision, to Cat6513-Agg-1/Agg-2, where ACE-1/ACE-2 (VLAN 17, 18, 19, control PortChannel on VLAN 200) make the SLB decision, and on to the web, app and DB VLANs on Cat6509-Access-1/Access-2]
[Diagram, server management session flow: the same path, but the ACE routes the traffic instead of load balancing it]

Design (2): Firewall and ACE/CSM on Aggregation; FW in Layer 3 and ACE/CSM in Layer 2 Mode

[Diagram: WAN; Cat6509-Core-1 and Cat6509-Core-2 (VLAN 2, VLAN 3); Cat6513-Agg-1 and Cat6513-Agg-2 joined by a data PortChannel, hosting FWSM1 and FWSM2 (VLAN 16 towards the MSFC; VLAN 7, 8, 9 towards the ACE) and ACE-1 and ACE-2 bridging to VLAN 17, 18, 19, with multiple control PortChannels; Cat6509-Access-1 and Cat6509-Access-2 carrying the web VLAN, app VLAN and DB VLAN with web, app and DB servers]

Security Details
- Layer 3 firewall used with single contexts
- Firewall perimeter at the core
- Firewall perimeter is used in the aggregation between web/app/DB tiers
- SSL termination on ACE

Content Switching Details
- ACE/CSM is used in a bridged design with multiple bridged VLAN pairs
- Servers' default gateway is the firewall primary IP address
- No extra configuration needed for: direct access to servers; non-load-balanced server-initiated sessions
- ACE/CSM's default gateway is the firewall primary IP address
- Since the MSFC is not directly connected to the ACE/CSM, RHI is not possible
- All traffic to/from load balanced and non-load balanced servers goes through the ACE/CSM

Design (2): Firewall and ACE/CSM on Aggregation; FW in Layer 3 and ACE/CSM in Layer 2 Mode
Configuration Snapshots

MSFC SVI:
  interface Vlan16
   ip address 10.16.1.2 255.255.255.0
   standby 16 ip 10.16.1.1
   standby 16 priority 150

CSM:
  module ContentSwitchingModule 3
  !
   vlan 7 client
    ip address 10.17.1.11 255.255.255.0
    gateway 10.17.1.1
  !
   vlan 17 server
    ip address 10.17.1.11 255.255.255.0
  !
   vlan 8 client
    ip address 10.18.1.11 255.255.255.0
    gateway 10.18.1.1
  !
   vlan 18 server
    ip address 10.18.1.11 255.255.255.0
  !

VLANs on the firewall: VLAN16 (towards the MSFC); inside server VLANs: VLAN7, VLAN8, VLAN9

Design (2): Firewall and ACE/CSM on Aggregation;
FW in Layer 3 and ACE/CSM in Layer 2 Mode
Session Flows

[Diagram, two panels. Load Balanced Session Flow: WAN, Cat6509-Core-1/2 (VLAN 2), Cat6513-Agg-1/2 (VLAN 3, Data PortChannel, Multiple Control PortChannels, SSLM1) with FWSM1/FWSM2 (VLAN 7/8/9, VLAN 11 internal DMZ perimeters) and ACE-1/ACE-2 (VLAN 17/18/19, Web/App/DB VLANs), Cat6509-Access-1/2, Web/App/DB servers; the core firewall makes the security decisions and the ACE makes the SLB decision. Web Server to App Server Session Flow: same topology; the firewall makes the security decisions and the ACE bridges the traffic.]
Design (3): Firewall and ACE/CSM on Aggregation;
FW in Layer 3 and ACE/CSM in One-Armed Mode

[Diagram: WAN, Cat6509-Core-1/2 (VLAN 2), Cat6513-Agg-1/2 (VLAN 3, Data PortChannel, Multiple Control PortChannels) with FWSM1/FWSM2 on VLAN 16 and VLAN 17/18/19, one-armed ACE-1/ACE-2 on VLAN 15 (SSL termination on ACE), Web/App/DB VLANs, Cat6509-Access-1/2, Web/App/DB servers]

Security Details
Layer 3 firewall used with single contexts
Firewall perimeter at the core
Firewall perimeter is used in the aggregation between Web/App/DB tiers

Content Switching Details
ACE/CSM is used in a one-armed fashion
Servers' default gateway is the firewall primary IP address
No extra configuration needed for:
  Direct access to servers
  Non-load balanced server initiated sessions
ACE/CSM's default gateway is the HSRP group address on the MSFC
Since the MSFC is directly connected to the ACE/CSM, RHI is possible
All non-load balanced traffic to/from the servers bypasses the ACE/CSM

Design (3): Firewall and CSM on Aggregation;
FW in Layer 3 and CSM in One-Armed Mode
Configuration Snapshots

CSM (one-armed server VLAN):
module ContentSwitchingModule 3
 vlan 15 server
  ip address 10.15.1.12 255.255.255.0
  gateway 10.15.1.1
  alias 10.15.1.11 255.255.255.0

MSFC SVI:
interface Vlan16
 ip address 10.16.1.2 255.255.255.0
 standby 16 ip 10.16.1.1
 standby 16 priority 150
!
interface Vlan15
 ip address 10.15.1.2 255.255.255.0
 standby 15 ip 10.15.1.1
 standby 15 priority 150

VLANs on the firewall:
  VLAN16 (towards the MSFC)
  DMZ VLANs: VLAN17, VLAN18, VLAN19
Design (3): Firewall and CSM on Aggregation;
FW in Layer 3 and CSM in One-Armed Mode:
Session Flows (1 of 2)

[Diagram, two panels. Load Balanced Session Flow: WAN, Cat6509-Core-1/2 (VLAN 2), Cat6513-Agg-1/2 (VLAN 3, Data PortChannel, Multiple Control PortChannels) with one-armed ACE-1/ACE-2 (PBR/SRC-NAT) and FWSM1/FWSM2 (VLAN 17/18/19, internal DMZ perimeters, Web/App/DB VLANs), Cat6509-Access-1/2, Web/App/DB servers; the core firewall makes the security decisions and the ACE makes the SLB decision. Web Server to App Server Session Flow: same topology; the ACE is bypassed.]

Design (3): Firewall and ACE/CSM on Aggregation;
FW in Layer 3 and CSM in One-Armed Mode
Session Flows (2 of 2)

[Diagram: Server Management Session Flow. WAN, Cat6509-Core-1/2 (VLAN 2), Cat6513-Agg-1/2 (VLAN 3, Data PortChannel, Multiple Control PortChannels) with one-armed ACE-1/ACE-2 and FWSM1/FWSM2 (VLAN 17/18/19, internal DMZ perimeters, Web/App/DB VLANs), Cat6509-Access-1/2, Web/App/DB servers; the firewall makes the security decisions and the ACE is bypassed.]

Design (4): Firewall and ACE/CSM on Aggregation;
FW in Layer 2 and CSM in One-Armed Mode [Secure Internal Segment]

[Diagram: WAN, Cat6509-Core-1/2 (VLAN 2, VLAN 12), Cat6513-Agg-1/2 forming the Secure Internal Segment (VLAN 11, Data PortChannel, Multiple Control PortChannels), SSL termination on ACE, FWSM1/FWSM2 transparent contexts pairing VLAN 7/8/9 with VLAN 17/18/19 (Web, App and DB VLANs), Cat6509-Access-1/2, Web/App/DB servers]

Security Details
Layer 2 firewall used with multiple contexts
Firewall perimeter at outside, internal and each DMZ
Agg MSFC is a secure internal segment with protection from each connected network
Secure internal segment is protected from malicious activity from each DC network

Content Switching Details
ACE/CSM is used in a one-armed fashion
Servers' default gateway is the HSRP group IP address
No extra configuration needed for:
  Direct access to servers
  Non-load balanced server initiated sessions
ACE/CSM's default gateway is the HSRP group address on the MSFC
Since the MSFC is directly connected to the ACE/CSM, RHI is possible
All non-load balanced traffic to/from the servers bypasses the ACE/CSM

Design (4): Firewall and ACE/CSM on Aggregation;
FW in Layer 2 and CSM in One-Armed Mode [Secure Internal Segment]
Configuration Snapshots

CSM:
module ContentSwitchingModule 3
 vlan 15 server
  ip address 10.15.1.12 255.255.255.0
  gateway 10.15.1.1
  alias 10.15.1.11 255.255.255.0
 !
 vlan 11 server
  ip address 10.11.1.2 255.255.255.0
  alias 10.11.1.1 255.255.255.0

MSFC SVI:
interface Vlan15
 description VLAN Towards ACE
 ip address 10.15.1.2 255.255.255.0
 standby 15 ip 10.15.1.1
 standby 15 priority 150
!
interface Vlan7
 ip address 10.17.1.2 255.255.255.0
 standby 17 ip 10.17.1.1
 standby 17 priority 150
!
interface Vlan8
 ip address 10.18.1.2 255.255.255.0
 standby 18 ip 10.18.1.1
 standby 18 priority 150
!
interface Vlan9
 ip address 10.19.1.2 255.255.255.0
 standby 19 ip 10.19.1.1
 standby 19 priority 150

Firewall contexts:
context DB
 allocate-interface vlan7
 allocate-interface vlan17
 config-url disk:/DB.cfg
!
context APP
 allocate-interface vlan8
 allocate-interface vlan18
 config-url disk:/APP.cfg
!
context WEB
 allocate-interface vlan9
 allocate-interface vlan19
 config-url disk:/WEB.cfg

Real-World Deployments

Real-World Deployments
Firewall All DMZs and Networks

Goal
Ensure high security within the data center
All tiers (Web/App/DB) are untrusted
Sessions between servers should be locked down to particular ports
Ensure non-load balanced traffic bypasses the content switch

Solution
Transparent virtual contexts used on the FWSM to seamlessly integrate a firewall perimeter on each of the data center VLANs
Content switch deployed in a one-armed fashion
Real-World Deployments
Firewall All DMZs and Networks

[Diagram: Internet, Edge Router 1/2 (VLAN 106, 10.10.137.0/24), Cat6509-Core-1/2 with MSFC forming the Secure Internal Segment (Data PortChannel, VLAN 41 10.32.222.0/30 to the Inside Core, VLAN 200 and VLAN 201 LAN FailOver PortChannel, StateLink PortChannel), FWSM1/FWSM2 with VLAN pairs 3/103 (Web Server 1/2, 10.73.222.0/27), 5/105 (App Server 1/2, 10.73.222.32/28), 14/114 (Internal Router, 10.73.220.0/23) and 6/106, one-armed CSS11506_1/CSS11506_2]

Design Approach
Layer 2 firewall used with multiple contexts
Firewall perimeter at outside, internal and each DMZ
Agg MSFC is a secure internal segment with protection from each connected network
Secure internal segment is protected from malicious activity from each DC network/VLAN
Access switches set up in a Layer 2 approach
CSS11506 is used in a one-armed fashion
Since NAT is not supported on the transparent FW, NAT is performed on the MSFC

Content Switching Details
Servers' default gateway is the HSRP group IP address on the agg switches
CSS's default gateway is the HSRP group address on the MSFC on VLAN 40
Since the MSFC is directly connected to the ACE, RHI is possible
All non-load balanced traffic to/from the servers bypasses the CSS11506
Real-World Deployments
Firewall All DMZs and Networks
Configuration Snapshots

Firewall contexts:
context WEB
 allocate-interface vlan3
 allocate-interface vlan103
 config-url disk:/WEB.cfg
!
context APP
 allocate-interface vlan5
 allocate-interface vlan105
 config-url disk:/APP.cfg

PBR for Production Web Apps:
access-list 121 permit tcp any eq www any
access-list 121 permit tcp any eq 443 any
access-list 121 deny ip any any
!
route-map FromDMZWebSendToCSS permit 10
 match ip address 121
 set ip next-hop 10.73.222.196
!
interface Vlan3
 description DMZWeb
 ip policy route-map FromDMZWebSendToCSS

MSFC SVI:
interface Vlan3
 description DMZWeb
 ip address 10.73.222.2 255.255.255.224
 standby 3 ip 10.73.222.1
 standby 3 priority 150
 ip nat inside
!
interface Vlan6
 description Outside
 ip address 10.10.137.2 255.255.255.0
 standby 6 ip 10.10.137.1
 standby 6 priority 150
 ip nat outside
!
interface Vlan40
 description CSSVLAN
 ip address 10.73.222.194 255.255.255.192
 standby 40 ip 10.73.222.193
 standby 40 priority 150
 ip nat inside
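How the PBR on the DMZWeb SVI separates load-balanced replies (steered back to the CSS) from all other server traffic (routed normally, bypassing the content switch), as an added Python simulation that is not part of the slides or of IOS. The ACL and next-hop are transcribed from the configuration above; Packet, acl_matches and pbr_next_hop are constructed names, and the addresses used in the test are constructed samples.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the MSFC's PBR decision on interface Vlan3 (DMZWeb).
# access-list 121 selects packets *sourced* from web ports, i.e. the replies of
# load-balanced sessions, so route-map FromDMZWebSendToCSS sends them to the CSS;
# anything else falls through to the routing table and bypasses the CSS.


@dataclass
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


# (action, protocol, src_net, src_port_or_None, dst_net), transcribed from the slide
ACL_121 = [
    ("permit", "tcp", "0.0.0.0/0", 80, "0.0.0.0/0"),    # permit tcp any eq www any
    ("permit", "tcp", "0.0.0.0/0", 443, "0.0.0.0/0"),   # permit tcp any eq 443 any
    ("deny", "ip", "0.0.0.0/0", None, "0.0.0.0/0"),     # deny ip any any
]
CSS_NEXT_HOP = "10.73.222.196"   # set ip next-hop in route-map FromDMZWebSendToCSS


def acl_matches(acl, pkt):
    """First-match evaluation of an IOS-style extended ACL; True means permit."""
    for action, proto, src_net, sport, dst_net in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(src_net):
            continue
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(dst_net):
            continue
        if sport is not None and pkt.sport != sport:
            continue
        return action == "permit"
    return False   # implicit deny at the end of every IOS ACL


def pbr_next_hop(pkt):
    """route-map permit 10: ACL 121 match -> CSS; no match -> normal routing."""
    return CSS_NEXT_HOP if acl_matches(ACL_121, pkt) else "routing-table"
```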

Real-World Deployments (Nexus)
Trust with Caution

Goal
Firewall perimeter needed to protect against the outside world, which includes Internet clients and partners
Secure VPN is needed for access into the data center
All tiers are trusted as extensive application hardening is deployed
Session monitoring is essential

Solution
Routed virtual contexts used on the FWSM to create multiple perimeters on the core switches; this ensures protection from Internet clients and from partners
Content switching module is deployed in a one-armed fashion
Layer 3 routing is used between the tiers
Network and host based IPS are deployed to monitor sessions

Q and A

Recommended Reading
Solutions Reference Network Design (SRND)
www.cisco.com/go/srnd

Continue your Networkers at Cisco Live learning experience with further reading from Cisco Press. Check the Recommended Reading flyer for suggested books.
Designing Content Switching Solutions: ISBN: 158705213X
By Zeeshan Naseh, Haroon Khan

Available Onsite at the Cisco Company Store

Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners announced daily. Receive 20 Passport points for each session evaluation you complete. Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Don’t forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008. Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.
