Sw connection from fw to farm diagram
Hi all, I had a question regarding a good design for a server farm. I have some Juniper firewalls that I want to place before the TOR switches. These are Juniper ISG1000s, currently only fitted with 1Gb NICs. There are 2 FWs for redundancy. My TOR switches are all 10Gb interfaces (about 10 interfaces) and I have 2 switches. So I decided to stack them so that I can do away with SPT. This is the first time trying to work on my server farm. So the problem I have is this. What considerations should I take when connecting my TOR switches to the firewalls? If my servers and TOR switches are all 10Gb connections and my firewalls have only 1Gb, do I have to upgrade my firewalls to 10Gb interfaces so as not to cause a bottleneck? I've attached a picture for better clarification. Is there a better design you would recommend in this regard? Thank you
|
|
meta
Member
2013-Feb-28 8:41 am
Generally there are 3 deployment topologies today for inline service appliances. I attached 3 pictures trying to demonstrate them. There are some decision points around the trade-offs involved in each of them, their capabilities, and what fits best for your need (one VLAN behind the firewall, many VLANs behind the firewall, operational support of multiple routing tables, etc.)
|
to xdxml12
I'm unsure of what your bandwidth and throughput requirements are. One thing I know is that ScreenOS-based appliances are being phased out. Another consideration is that, according to the following Juniper specification (» www.juniper.net/us/en/lo ··· 6-en.pdf), your ISG1000 throughput is not 10Gbps capable. So perhaps upgrading the firewall to at least the SRX 650 model is in order. Here is the SRX specification to review: » www.juniper.net/us/en/lo ··· 1-en.pdf
tubbynet ("reminds me of the danse russe"; MVM, joined 2008-01-16, Gilbert, AZ)
to xdxml12
said by xdxml12: "Is there a better design you would recommend in this regards?"

If this server farm is busy -- your best bet would be not to put stateful firewalls in front of it.

q.
|
to aryoba
Thank you for the clarification. I might not be understanding something. From the first PDF it says I have the option to install 2 10Gb LAN interface cards. If that is the case, won't that give me 10Gb throughput? Or am I missing something?
xdxml12
to meta
Thank you. I am trying to understand the pictures. So it seems the best way is to have the firewalls attached to the core, but the server farms in a separate attachment? If that is the case, where would you recommend me to do my routing? On the FW or the core switch?
xdxml12
to tubbynet
Thanks, it will be VERY busy. Where would you recommend putting these FWs? Is there a proper document I can read that will explain these considerations to me?
DarkLogix ("Texan and Proud"; Premium Member, joined 2008-10-23, Baytown, TX)
to xdxml12
said by xdxml12: "Thank you for the clarification. I might not be understanding something. From the first PDF it says I have the option to install 2 10Gb LAN interface cards. If that is the case, won't that give me 10Gb throughput? Or am I missing something?"

Just having the interface doesn't mean the device can do it at line rate. Think of it this way: I could put 2x gig cards in an old sub-GHz system, but it doesn't mean it'll be able to route it.
tubbynet
to xdxml12
said by xdxml12: "Thanks, it will be VERY busy. Where would you recommend putting these FWs? Is there a proper document I can read that will explain these considerations to me?"

It's pretty easy to rationalize. If these servers are going to be busy -- especially small TCP-oriented transactions that will be from a varied group of users -- the firewall's state table will become quickly overwhelmed. That's why there is a hard limit on most firewalls for concurrent connections, connections per second, etc. It makes for a very easy DDoS vector. If you're going to need a layer of security, keep the filtering down to stateless ACLs -- and move any firewalls to an application-oriented firewall on the box itself to permit certain connections/sockets/etc.

q.
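The state-table point above can be made concrete with a small simulation. The following is an added illustration, not code from this thread, from Juniper, or from any vendor: it models a stateful firewall as a bounded connection table with an idle timeout, and a stateless ACL as a per-packet decision with no table, then feeds both the same traffic. The table size (1000 entries), timeout (10 s), attack rate (200 new connections/s from never-repeating spoofed sources), and the legitimate client load are assumed values chosen to make the effect visible.

```python
"""Constructed model of a stateful firewall's connection table versus a
stateless ACL under a flood of short connections from many sources.
Added illustration only; every number here is an assumption."""
from collections import OrderedDict
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass(frozen=True)
class Packet:
    src: str        # constructed client label (address:port or "spoofed-N")
    dst_port: int
    t_ms: int       # arrival time in milliseconds; packets are fed in time order


Policy = Callable[[Packet], bool]


class StatefulFirewall:
    """Bounded connection table with idle timeout, kept as an LRU by last-seen time."""

    def __init__(self, max_entries: int, timeout_ms: int) -> None:
        self.max_entries = max_entries
        self.timeout_ms = timeout_ms
        self.table: "OrderedDict[tuple, int]" = OrderedDict()  # (src, port) -> last seen
        self.dropped_new = 0  # new connections refused only because the table was full

    def _expire(self, now_ms: int) -> None:
        # The head of the OrderedDict is the least recently seen entry.
        while self.table:
            _key, last = next(iter(self.table.items()))
            if now_ms - last > self.timeout_ms:
                self.table.popitem(last=False)
            else:
                break

    def allow(self, pkt: Packet, policy: Policy) -> bool:
        self._expire(pkt.t_ms)
        key = (pkt.src, pkt.dst_port)
        if key in self.table:                     # established: refresh and pass
            self.table[key] = pkt.t_ms
            self.table.move_to_end(key)
            return True
        if not policy(pkt):
            return False
        if len(self.table) >= self.max_entries:   # the hard concurrent-connection limit
            self.dropped_new += 1
            return False
        self.table[key] = pkt.t_ms
        return True


class StatelessACL:
    """Evaluates every packet on its own; there is nothing to fill up."""

    def allow(self, pkt: Packet, policy: Policy) -> bool:
        return policy(pkt)


def web_only(pkt: Packet) -> bool:
    """Policy shared by both devices: only HTTP/HTTPS to the farm."""
    return pkt.dst_port in (80, 443)


def simulate(attack_rate: int = 200, attack_seconds: int = 10, total_seconds: int = 25,
             clients: int = 10, max_entries: int = 1000,
             timeout_ms: int = 10_000) -> Dict[str, int]:
    """Attacker opens `attack_rate` connections/s from never-repeating sources for
    `attack_seconds`; `clients` legitimate hosts each open one short connection per
    second for the whole run.  Returns counts for both filtering styles."""
    fw, acl = StatefulFirewall(max_entries, timeout_ms), StatelessACL()
    legit_total = legit_fw = legit_acl = 0
    spoofed = 0
    for sec in range(total_seconds):
        base = sec * 1000
        if sec < attack_seconds:
            for i in range(attack_rate):          # flood, spread across the second
                pkt = Packet(f"spoofed-{spoofed}", 80, base + i * 1000 // attack_rate)
                spoofed += 1
                fw.allow(pkt, web_only)
                acl.allow(pkt, web_only)
        for c in range(clients):                  # legitimate traffic, last in the second
            pkt = Packet(f"203.0.113.{c}:{40000 + sec}", 443, base + 999)
            legit_total += 1
            legit_fw += fw.allow(pkt, web_only)
            legit_acl += acl.allow(pkt, web_only)
    return {
        "legit_total": legit_total,
        "legit_through_stateful": legit_fw,
        "legit_through_acl": legit_acl,
        "refused_table_full": fw.dropped_new,
        "table_entries_at_end": len(fw.table),
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name:>24}: {value}")
```

With the default assumptions the table fills during the fifth second and stays full until the flood stops and the timeout drains it, so legitimate clients are refused for the whole attack window even though the ACL passes every one of their connections; drop the attack rate below what the table can absorb within the timeout (for example 20/s) and the stateful device keeps up. The ACL still forwards the flood to the servers, which is exactly why the post above pairs stateless ACLs in the network with a host firewall on the box itself.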
cramer (Premium Member, joined 2007-04-10, Raleigh, NC; Westell 6100, Cisco PIX 501)
to xdxml12
What is this "SPT" you mention? STP? (spanning tree protocol) If so, then you do not want to shut that off anywhere, unless you are 100% certain, under oath, that there will NEVER be a packet loop in your network (physical and virtual).
[For the record, I deal with people putting the inside and outside interfaces of virtual firewalls in the same network regularly. It usually starts with "esx server XXX is down".]
|
to xdxml12
said by xdxml12: "If my servers and TOR switches are all 10Gb connections and my firewalls have only 1Gb, do I have to upgrade my firewalls to 10Gb interfaces so as not to cause a bottleneck?"

Generally speaking, your network is going to be as fast as your slowest link. If you're expecting 10GbE of traffic, get gear that can move 10GbE. Two other considerations you may want to keep in mind: a) are the servers going to be single- or dual-homed? If the latter, how redundant does your infrastructure need to be? b) is there going to be any routing going on between the servers (OSPF, etc.) or not? My 00000010 bits. Regards
|
to cramer
said by cramer: "For the record, I deal with people putting the inside and outside interfaces of virtual firewalls in the same network regularly. It usually starts with 'esx server XXX is down'."

Who was the architect? Hopefully you won't get blamed for someone else's mistake.
cramer
Premium Member
2013-Mar-1 3:35 pm
The defaults for the v-fw? A Russian who was repeatedly told not to make that the default deployment model. They don't listen to internal devs -- even when I'm "the network engineer" -- or to customers who've fallen off the same cliff.
(Granted, VMware's preferred setup does not have the service console and vmk port-groups on the same interface as VM networks. And vCenter complains if you don't have "management redundancy". You'll still have a NIC with many VMs blocked, but you won't have to touch the server to fix it.)
tubbynet
to cramer
said by cramer: "What is this 'SPT' you mention? STP? (spanning tree protocol) If so, then you do not want to shut that off anywhere, unless you are 100% certain, under oath, that there will NEVER be a packet loop in your network (physical and virtual)."

The only thing I can think of is some *awesome* Cisco technical documents that state that the network doesn't rely on STP anymore when you run some sort of MCEC -- be it stacking, VSS, or vPC. Either way -- they walk a fine technical line when they state this. It's true -- the network doesn't rely on STP -- since the forwarding interface is the port-channel, and not separate physical interfaces -- but you still keep it alive for when things go pear-shaped. In fact -- in most every document Cisco has *ever* written about vPC is the fact that you never turn off STP in the domain -- even when running an MCEC-capable device. Posts from the platform TMEs to c-nsp will also confirm this.

q.
|
Interesting read : )