xdxml12 (Member, joined 2012-10-26)
Sw connection from fw to farm

[Attachment: diagram]
Hi all,

I had a question regarding a good design for a server farm. I have some Juniper firewalls that I want to place before the TOR switches. These are Juniper ISG1000s, currently only fitted with 1Gb NICs. There are 2 FW for redundancy. My TOR switches are all 10Gb interfaces (about 10 interfaces) and I have 2 switches. So I decided to stack them so that I can do away with SPT. This is the first time trying to work on my server farm. So the problem I have is this. What considerations should I take when connecting my TOR SW to the firewalls? If my servers and TOR switches are all 10Gb connections and my firewalls have only 1Gb, do I have to upgrade my firewalls to 10Gb int so as not to cause a bottleneck? I've attached a picture for better clarification.

Is there a better design you would recommend in this regards?

Thank you
meta (Member, joined 2004-12-27)

[Attachments: three topology diagrams]
Generally there are 3 deployment topologies today for inline service appliances.

I attached 3 pictures trying to demonstrate them. There are some decision points around the trade-offs involved in each of them, their capabilities, and what fits best for your need (one VLAN behind the firewall, many VLANs behind the firewall, operational support of multiple routing tables, etc.).
aryoba (MVM, joined 2002-08-22) to xdxml12
I'm unsure of what your bandwidth and throughput requirements are. One thing I know is that ScreenOS-based appliances are being phased out. Another consideration is that, according to the following Juniper specification,
»www.juniper.net/us/en/lo ··· 6-en.pdf

your ISG1000 throughput is not 10Gbps capable. So perhaps upgrading the firewall to at least an SRX 650 model is in order. Here is the SRX specification to review.
»www.juniper.net/us/en/lo ··· 1-en.pdf

tubbynet (MVM, joined 2008-01-16, Gilbert, AZ) to xdxml12
said by xdxml12:

Is there a better design you would recommend in this regards?

if this server farm is busy -- your best bet would be not to put stateful firewalls in front of it.

q.
xdxml12 (Member) to aryoba
Thank you for the clarification. I might not be understanding something. From the first PDF it says I have an option to install 2 10Gb LAN int cards. If that is the case, won't that give me 10Gb throughput? Or am I missing something?
xdxml12 (Member) to meta
Ty. I am trying to understand the pictures. So it seems the best way is to have the firewalls attached to the core, but the server farms in a separate attachment? If that is the case where would you recommend me to do my routing? On the fw or the core switch?
xdxml12 (Member) to tubbynet
Thanks, it will be VERY busy. Where would you recommend putting these fw? Is there a proper document I can read that will explain to me these considerations?

DarkLogix (Premium Member, joined 2008-10-23, Baytown, TX) to xdxml12
said by xdxml12:

Thank you for the clarification. I might not be understanding something. From the first pdf it says I can have an option to install 2 10gb lan int cards. If that is the case, won't that give me 10gb throughput? Or Am i missing something.

Just having the interface doesn't mean the device can do it at line rate.

Think of this: I could put 2x gig cards in an old sub-GHz system, but it doesn't mean it'll be able to route it.

tubbynet (MVM) to xdxml12
said by xdxml12:

Thanks, it will be VERY busy. Where would you recommend putting these fw? Is there a proper document I can read that will explain to me these considerations?

it's pretty easy to rationalize. if these servers are going to be busy -- especially small tcp-oriented transactions that will be from a varied group of users -- the firewall's state table will become quickly overwhelmed. that's why there is a hard limit on most firewalls for concurrent connections, connections per second, etc. it makes for a very easy ddos vector.
if you're going to need a layer of security, keep the filtering down to stateless acls -- and move any firewalls to an application-oriented firewall on the box itself to permit certain connections/sockets/etc.

q.
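The state-table limit described in the post above, as an added example that is not from the thread: a small Python model of a stateful firewall's session table under a steady stream of short connections, with Little's law as the planning formula. Table size, entry lifetime and arrival rates are constructed values, not figures for any real appliance.

```python
"""Added example (not from the thread): a discrete-time model of a stateful
firewall's session table, to show why the session limit and the idle timeout,
not the interface speed, set the real capacity in front of a busy farm.
All sizes and rates below are constructed for illustration."""
from collections import deque


def steady_state_sessions(new_cps: float, entry_lifetime_s: float) -> float:
    """Little's law: entries in the table at steady state equal the arrival
    rate multiplied by how long each entry lives. A transaction that finishes
    in milliseconds still occupies an entry until the firewall's timer expires."""
    return new_cps * entry_lifetime_s


def simulate_session_table(table_size: int, entry_lifetime_s: int,
                           new_cps: int, seconds: int) -> tuple[int, int]:
    """One-second ticks. Each accepted connection holds one entry for
    entry_lifetime_s seconds; once the table is full, every further new
    connection is refused until entries age out. Returns (accepted, refused)."""
    expiry = deque()          # expiry times in arrival order (FIFO)
    accepted = refused = 0
    for t in range(seconds):
        # Age out entries whose timer has elapsed before taking new flows.
        while expiry and expiry[0] <= t:
            expiry.popleft()
        for _ in range(new_cps):
            if len(expiry) < table_size:
                expiry.append(t + entry_lifetime_s)
                accepted += 1
            else:
                refused += 1
    return accepted, refused


def fits(table_size: int, entry_lifetime_s: float, new_cps: float) -> bool:
    """Capacity check to run before choosing the box: the table must hold
    the steady-state population (leave extra room for bursts)."""
    return steady_state_sessions(new_cps, entry_lifetime_s) <= table_size


if __name__ == "__main__":
    # Constructed figures: a 10,000-entry table and a 30 s entry lifetime.
    for cps in (200, 500):
        print(cps, "cps:", simulate_session_table(10_000, 30, cps, 120),
              "fits:", fits(10_000, 30, cps))
```

At 500 new connections per second the table saturates after 20 seconds and then refuses every third 10-second window, which is the failure mode the post describes.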
cramer (Premium Member, joined 2007-04-10, Raleigh, NC) to xdxml12
What is this "SPT" you mention? STP? (spanning tree protocol) If so, then you do not want to shut that off anywhere, unless you are 100% certain, under oath, that there will NEVER be a packet loop in your network (physical and virtual.)

[For the record, I deal with people putting the inside and outside interfaces of virtual firewalls in the same network regularly. It usually starts with "esx server XXX is down".]
HELLFIRE (MVM, joined 2009-11-25) to xdxml12
said by xdxml12:

If my servers and tor switches are all 10gb connections and my firewalls with only 1gb, do I have to upgrade my firewalls to 10gb int as to not cause a bottle neck?

Generally speaking, your network's going to be as fast as your slowest link. If you're expecting 10GbE of traffic, get gear that can move 10GbE.

Two other considerations you may want to keep in mind: a) are the servers going to be single or dual-homed? If the latter, how redundant does your infrastructure need to be? b) is there going to be any routing going on between the servers (OSPF, etc.) or not?

My 00000010bits

Regards
aryoba (MVM) to cramer
said by cramer:

For the record, I deal with people putting the inside and outside interfaces of virtual firewalls in the same network regularly. It usually starts with "esx server XXX is down".

Who was the architect?

Hopefully you won't get blamed for someone else's mistake.
cramer (Premium Member)
The defaults for the v-fw? A Russian who was repeatedly told not to make that the default deployment model. They don't listen to internal devs -- even when I'm "the network engineer" -- or customers who've fallen off the same cliff.

(Granted, VMware's preferred setup does not have the service console and vmk port-groups on the same interface as VM networks. And vcenter complains if you don't have "management redundancy". You'll still have a nic with many VMs blocked, but you won't have to touch the server to fix it.)

tubbynet (MVM) to cramer
said by cramer:

What is this "SPT" you mention? STP? (spanning tree protocol) If so, then you do not want to shut that off anywhere, unless you are 100% certain, under oath, that there will NEVER be a packet loop in your network (physical and virtual.)

the only thing i can think of is some *awesome* cisco technical documents that state that the network doesn't rely on stp anymore when you run some sort of mcec -- be it stacking, vss, or vpc.
either way -- they walk a fine technical line when they state this. it's true -- the network doesn't rely on stp -- since the forwarding interface is the port-channel, and not separate physical ints -- but you still keep it alive for when things go pear-shaped.
in fact -- in most every document cisco has *ever* written about vpc is the fact that you never turn off stp in the domain -- even when running an mcec-capable device. posts from the platform TMEs to c-nsp will also confirm this.

q.
xdxml12 (Member)
Interesting read : )