Services (Interoperability, Design and Deployment)
BRKDCT-2703
14583_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 2
Data Center Components
- Presentation Servers: web front-end servers that provide the interface to the clients, e.g., Apache, IIS, etc.
- DB Servers: Oracle, Sybase, etc.
- Data: NAS, SAN…
- Application Solution: Linux/HP, Solaris/SunFire, WebLogic, J2EE custom app, etc.
- Database Solution: Linux/HP, Solaris/SunFire, Oracle 10G RAC, etc.
- Storage Solution: MDS9000
Diagram: data center topology. External connectivity: Internal Network, Internet Service Provider A, Service Provider B. Layers from top to bottom: Edge Routers, Core Switches, Aggregation Switches, Access Switches, then the Web Tier, Application Tier and Database Tier.
Diagram: two FC fabrics connected by an FCIP link across an IP network.
Please visit BRKAPP-2002: Server Load Balancing Design
Key Content Switching Design Options
- Bridged mode design
- Routed mode design with MSFC on client side
- Routed mode design with MSFC on server side
- One-armed design

Diagram: Core-1/Core-2, Agg-1/Agg-2 with MSFC1/MSFC2, data PortChannel, VLAN 10.

Bridged mode design: bridge-group configuration (ethertype ACL permits BPDUs on both bridged VLANs)

!
access-list bpduallow ethertype permit bpdu
!
interface vlan 10
 bridge-group 10
 access-group input bpduallow
 no shutdown
!
interface vlan 20
 bridge-group 10
 access-group input bpduallow
 no shutdown
!
(2A) Routed Mode Design with MSFC on Client Side
- Servers' default gateway is the alias IP on the CSM/ACE
- Extra configurations needed for: direct access to servers; non-load-balanced server-initiated sessions
- CSM/ACE's default gateway is the HSRP group IP address on the MSFC
- RHI possible
- Load balancer inline of all traffic

Diagram (2A): ACE 1/ACE 2 (standby, FT PortChannel) between MSFC1/MSFC2 and the access switches. ACE client-side VLAN 10 10.10.1.0/24; ACE server-side VLAN 20 10.20.1.0/24; ACE server-side VLAN 30 10.30.1.0/24.

(2B) Routed Mode Design with MSFC on Server Side
- Servers' default gateway is the HSRP group IP address on the MSFC
- Extra configurations needed for (simpler than option 2A): direct access to servers; non-load-balanced server-initiated sessions
- ACE/CSM's default gateway is the core router
- RHI not possible
- Server-to-server communication bypasses the load balancer

Diagram (2B): ACE 1/ACE 2 (standby, FT PortChannel) above MSFC1/MSFC2. ACE client-side VLAN 5 10.5.1.0/24; ACE server-side VLAN 1 10.10.1.0/24; server VLAN 20 10.20.1.0/24; server VLAN 30 10.30.1.0/24.
(2C) Routed Mode Design with VRF-Lite
- Servers' default gateway is the HSRP group IP address on VLANs within the VRF-Lite instance (SVIs)
- Extra configurations needed for

Diagram (2C): Core-1/Core-2, Agg-1/Agg-2 with MSFC1/MSFC2 and data PortChannel; ACE 1/ACE 2 (standby, FT PortChannel); VRF-Lite server instances on each aggregation switch.
CSM and ACE source NAT configuration

CSM:

!
module ContentSwitchingModule 4
!
natpool SRC_NAT 10.10.1.110 10.10.1.110 netmask 255.255.255.0
!
!
serverfarm SFARM_NAT
 nat server
 nat client SRC_NAT
 real 10.20.1.11
  inservice
 real 10.20.1.12
  inservice
 probe TCP
!

ACE:

!
policy-map multi-match SLB-TELNET-POLICY
 class SLB-TELNET
  loadbalance vip inservice
  loadbalance policy TELNET-POLICY-TYPE
  loadbalance vip icmp-reply
  nat dynamic 1 vlan 10
!
interface vlan 10
 ip address 10.10.1.6 255.255.255.0
 alias 10.10.1.4 255.255.255.0
 peer ip address 10.10.1.5 255.255.255.0
 no normalization
 access-group input anyone
 access-group output anyone
 nat-pool 1 10.10.1.110 10.10.1.110 netmask 255.255.255.0 pat
 no shutdown
!
Diagram: ACE transparent virtual contexts over the control PortChannel.

ACE virtual context resource classes and contexts:

resource-class VC_1
 limit-resource all minimum 20.00 maximum equal-to-min
resource-class VC_2
 limit-resource all minimum 0.00 maximum unlimited
 limit-resource conc-connections minimum 40.00 maximum equal-to-min
 limit-resource sticky minimum 40.00 maximum equal-to-min
!
context VC_A
 description Context for initial client request
 allocate-interface vlan 5
 allocate-interface vlan 10

ACE fault tolerance (FT) configuration:

ft interface vlan 31
 ip address 10.31.1.1 255.255.255.0
 peer ip address 10.31.1.2 255.255.255.0
 no shutdown
ft peer 1
 heartbeat interval 300
 heartbeat count 10
 ft-interface vlan 31
ft group 11
 peer 1
 priority 110
SSL Offload
Please visit BRKCDT-3703: SSL Offload for DC Backend Server Farm
Key Motivations
- Offload SSL decryption/encryption from servers
- Redundancy
- Scalability
- Unified management of SSL certificates
- Layer 7 based load balancing and sticky possible for HTTPS

Diagram: Agg-1/Agg-2 with MSFC1/MSFC2 and data PortChannel; CSM 1/CSM 2 with FT PortChannel; SSLM 1/SSLM 2 (SSL modules) with an admin VLAN; VLANs 10, 20, 30, 40.
(2) Layer 3 Firewall Design Considerations
- Servers' default gateway is the IP address on the firewall
- Dynamic routing is supported

Diagram: Core-1/Core-2, Agg-1/Agg-2 with MSFC1/MSFC2 and data PortChannel; FWSM1/FWSM2 with control PortChannel; access switches. FWSM to MSFC VLAN 10 10.10.1.0/24; DMZ-1 VLAN 20 10.20.1.0/24; DMZ-1 VLAN 30 10.30.1.0/24.
instances ON FIREWALL
- Multiple interfaces/VLANs within Layer 3 virtual contexts are supported
- Virtual contexts are supported

CAT1-FWSM-SYS# conf t
CAT1-FWSM-SYS(config)# firewall ?
Usage: [no | clear | show ] firewall [transparent]
FWSM(config)#
FWSM(config)# mode ?
Diagram: FWSM transparent virtual contexts over the control PortChannel.
Comparison table (one column per design option; the column headings did not survive extraction, so the column order is not recoverable):
- Default gateway of servers: HSRP IP on MSFC (five columns), Alias IP on CSM (one column), Primary IP on FW (two columns)
- Layer 2 loops: Not possible (four columns), Possible if misconfigured (four columns)
C6509# config t
C6509(config)# vlan 200
C6509(config)# vlan 201
C6509(config)# vlan 202

(annotation: slot where FWSM installed in chassis)
FWSM: Some Initial Configuration Statements

FWSM# wr t
Building configuration...
: Saved
:
FWSM Version 3.1(1)
<snip>
!
interface Vlan200
 nameif inside
 security-level 100
 ip address 10.130.1.12 255.255.255.0
!
<snip>
icmp permit any inside
<snip>
http server enable
http 192.168.1.0 255.255.255.0 inside
<snip>
telnet 192.168.1.0 255.255.255.0 inside

Annotations:
- interface Vlan200 / nameif / security-level: define VLAN interfaces and associate security levels
- icmp permit: use this statement for each interface that you want to respond to pings; without it no pings will be answered
- http server enable / http <network> <mask> <interface>: if you want to use PDM to configure the FWSM, then you need to enable HTTP and specify the IP address of each user requiring access
- telnet <network> <mask> <interface>: if you want to use Telnet to the FWSM through a FWSM interface, then you need to define a telnet statement for each user requiring access
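The http and telnet statements above define exactly who may reach the firewall's own management plane, so they are worth inventorying whenever an FWSM config is reviewed. The following script is an added example (not Cisco's code and not from the deck): it parses the statement shapes shown in the snippet (interface/nameif/security-level, icmp permit, http, telnet, plus ssh since it has the same form) and reports each management-access grant, flagging cleartext Telnet, source networks wider than an assumed administrator subnet size, and grants on interfaces with a security level below the inside. The sample config embedded in it is constructed in the style of the snippet; the second interface and the last telnet line are added to exercise the checks.

```python
"""Inventory the management-plane access an FWSM config grants.

Added example (not Cisco's code): parses interface/nameif/security-level,
icmp permit, http, telnet and ssh statements and reports which source
networks may reach the firewall itself on which interface.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample in the style of the deck's FWSM snippet (not a real device).
SAMPLE_CONFIG = """\
FWSM Version 3.1(1)
!
interface Vlan200
 nameif inside
 security-level 100
 ip address 10.130.1.12 255.255.255.0
!
interface Vlan201
 nameif dmz1
 security-level 50
 ip address 10.20.1.1 255.255.255.0
!
icmp permit any inside
http server enable
http 192.168.1.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 dmz1
"""

# "<proto> <address> <mask> <nameif>" grants that network management access.
MGMT_RE = re.compile(
    r"^(http|telnet|ssh)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")
# "icmp permit|deny <source spec> [icmp-type] <nameif>"
ICMP_RE = re.compile(r"^icmp\s+(permit|deny)\s+(.+?)\s+(\S+)$")


def parse_interfaces(config: str) -> Dict[str, dict]:
    """Map each nameif to its VLAN interface, security level and address."""
    interfaces: Dict[str, dict] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = {"name": line.split()[1], "security_level": None, "ip": None}
            continue
        if not line.startswith(" "):      # '!' or a global command ends the stanza
            current = None
            continue
        if current is None:
            continue
        parts = line.split()
        if parts[0] == "nameif":
            interfaces[parts[1]] = current
        elif parts[0] == "security-level":
            current["security_level"] = int(parts[1])
        elif parts[:2] == ["ip", "address"]:
            # IPv4Interface accepts the dotted-mask form the FWSM prints.
            current["ip"] = str(ipaddress.IPv4Interface(f"{parts[2]}/{parts[3]}"))
    return interfaces


def parse_management_access(config: str) -> List[dict]:
    """One record per http/telnet/ssh line that admits a source network."""
    entries = []
    for line in config.splitlines():
        m = MGMT_RE.match(line.strip())
        if not m:                          # skips e.g. 'http server enable'
            continue
        proto, addr, mask, ifname = m.groups()
        net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        entries.append({"protocol": proto, "network": net, "interface": ifname})
    return entries


def icmp_responders(config: str) -> List[Tuple[str, str, str]]:
    """(action, source spec, interface) for each icmp permit/deny line."""
    return [m.groups() for m in (ICMP_RE.match(l.strip()) for l in config.splitlines()) if m]


def audit(config: str, min_prefixlen: int = 24) -> List[str]:
    """Flag cleartext Telnet, sources wider than /min_prefixlen, and grants on
    interfaces less trusted than the inside (security-level below 100)."""
    findings = []
    interfaces = parse_interfaces(config)
    for e in parse_management_access(config):
        where = f"{e['protocol']} from {e['network']} on {e['interface']}"
        iface = interfaces.get(e["interface"])
        if iface is None:
            findings.append(f"{where}: no interface carries this nameif")
        elif iface["security_level"] is not None and iface["security_level"] < 100:
            findings.append(f"{where}: interface security-level is {iface['security_level']}")
        if e["protocol"] == "telnet":
            findings.append(f"{where}: Telnet is cleartext")
        if e["network"].prefixlen < min_prefixlen:
            findings.append(f"{where}: source wider than /{min_prefixlen}")
    return findings


if __name__ == "__main__":
    for ifname, info in parse_interfaces(SAMPLE_CONFIG).items():
        print(f"{ifname:8} {info['name']:8} level={info['security_level']} {info['ip']}")
    print("icmp:", icmp_responders(SAMPLE_CONFIG))
    for f in audit(SAMPLE_CONFIG):
        print("FINDING:", f)
```

Run against a saved `wr t` capture instead of the constructed sample by reading the file into `audit()`. The /24 threshold is an assumption standing in for whatever administrator subnet the site actually uses; the point of the check is that each http/telnet/ssh line names a deliberate source network and interface, matching the per-user statements the deck describes.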
Diagram (two panels): left, ACE makes the SLB decision; right, ACE routes. ACE-1/ACE-2 with control PortChannel on VLAN 200; server VLANs 17, 18 and 19 carrying the App Server, Web Server and DB Server.
Diagram (two panels): Load Balanced Session Flow (ACE makes the SLB decision) and Web Server to App Server Session Flow (ACE bridges traffic). FWSM1/FWSM2 internal DMZ perimeters on VLANs 7, 8, 9 and 11; ACE-1/ACE-2 with multiple control PortChannels; server VLANs 17, 18 and 19 carrying the App Server, Web Server and DB Server.
Diagram (two panels): Load Balanced Session Flow (ACE makes the SLB decision) and Web Server to App Server Session Flow (ACE is bypassed). ACE-1/ACE-2 with multiple control PortChannels; FWSM1/FWSM2 internal DMZ perimeters; Web VLAN, App VLAN and DB VLAN (VLANs 17, 18, 19) carrying the App Server, Web Server and DB Server.
Diagram: firewall makes the security decisions, ACE is bypassed. Cat6513-Agg-1/Cat6513-Agg-2 with data PortChannel and VLANs 2 and 3; ACE-1/ACE-2 with multiple control PortChannels; FWSM1/FWSM2 internal DMZ perimeters; Web VLAN, App VLAN and DB VLAN (VLANs 17, 18, 19); Cat6509-Access-1/Cat6509-Access-2.
Real-World Deployments
Goal
- Ensure high security within the data center
- All tiers (Web/App/DB) are untrusted
- Sessions between servers should be locked down to particular ports
- Ensure non-load-balanced traffic bypasses the content switch

Solution
- Transparent virtual contexts used on the FWSM to seamlessly integrate a firewall perimeter on each of the data center VLANs
- Content switch deployed in a one-armed fashion
Real-World Deployments: Firewall All DMZs and Networks, Secure Internal Segment

Design Approach
- Layer 2 firewall used with multiple contexts
- Firewall perimeter at outside, internal and each DMZ
- Agg MSFC is a secure internal segment with protection from each connected network
- Secure internal segment is protected from malicious activity from each DC network/VLAN
- Access switches set up in a Layer 2 approach
- CSS11506 is used in a one-armed fashion
- Since it is not supported on a transparent FW, NAT is performed on the MSFC

Content Switching Details
- Servers' default gateway is the HSRP group IP address on the agg switches
- CSS's default gateway is the HSRP group address on the MSFC on VLAN 40
- Since the MSFC is directly connected to the ACE, RHI is possible
- All non-load-balanced traffic to/from servers will bypass the CSS11506

Diagram: Internet; Edge Router 1/Edge Router 2; Internal Router (inside, core); Cat6509-Core-1/Cat6509-Core-2 with MSFC; FWSM1/FWSM2 with LAN FailOver PortChannel and StateLink PortChannel; CSS11506_1/CSS11506_2; data PortChannel. VLAN 41 10.32.222.0/30; VLANs 200 and 201; VLANs 3, 5, 6 and 14; VLAN 103 10.73.222.0/27 (Web Server 1, Web Server 2); VLAN 105 10.73.222.32/28 (App Server 1, App Server 2); VLAN 114 10.73.220.0/23; VLAN 106 10.10.137.0/24.
Goal
- Firewall perimeter needed to protect against the outside world, which includes internet clients and partners
- Secure VPN is needed for access into the data center
- All tiers are trusted, as extensive application hardening is deployed
- Session monitoring is essential

Solution
- Routed virtual contexts used on the FWSM to create multiple perimeters on the core switches; this ensures protection from internet clients and from partners
- Content switching module is deployed in a one-armed fashion
- Layer 3 routing is used between the tiers
- Network- and host-based IPS are deployed to monitor sessions
Recommended Reading
Solutions Reference Network Design (SRND): www.cisco.com/go/srnd