Upgrade server farm advice 2


crazyitguy (IS-IT--Management), Jul 20, 2006
We would like to upgrade our network that supports our server farm (about 25 servers). Mostly web and SQL databases.

[diagram: image.gif]


Currently we have two 2811 routers running BGP. Each is connected to a different ISP; one via T1, the other via FastEthernet 100Mb.

The routers are then connected to an unmanaged switch (100Mb). The unmanaged switch is then connected to a Checkpoint firewall.

The firewall is then connected to a second unmanaged switch. The servers are connected to this switch.

As you can see there is no redundancy besides the edge routers.

Most importantly we would like to add redundancy, increase the speeds, and use VLANs to separate the servers.

The 6500 route is a little too expensive. We were thinking a pair of 3760 switches that will connect directly to the firewalls. Something like this:

[diagram: after.gif]


Advice? Suggestions?

Thanks
 
First, how are you doing redundancy between your 2 border routers, HSRP?
Second, what is your idea on adding vlans to segment your server farm? What do you want your final outcome to be?

Do you want all servers to have multiple NICs to communicate with both switches?

How are you going to communicate with your routers and firewalls from your 3760s via L3?


 
1) Currently HSRP

2) For security reasons. If one server is compromised the adversary will be less likely to compromise another.

3) Not necessarily all servers; 50% of the servers will be dual-homed.

4) I am unsure of the technical answer to this question; please expand. The 3760s will be routing the VLANs. The firewalls will not.

Thanks
 
I am not attached to the example diagram. It can be completely different.
 
OK good you are using HSRP as your redundancy for your edge routers.

To address your security concerns, why are you not letting your firewalls take care of those issues? Are you talking about putting each server in its own VLAN?

Here is an alternate topology

[diagram: page-1.jpg]


Will your checkpoints support 2 inside interfaces? If they do, the only single point of failure will then be your Layer 2 switch that connects your 2 routers and firewalls together...
 
Thank you for your valuable input...

1)I could let the firewall take care of the security issues but I am afraid of overloading it. There is quite a bit of communication between the servers. Is this logic wrong?

2) I believe it does allow for 2 inside interfaces.

3)Just to be sure, is your diagram based on the layer 3 switches taking care of the VLAN routing/securing or is that handled by the firewall?

4) Does your logic take into account that this is an Internet server farm? The routers do not know what is going on inside of the firewalls. The routers and external firewall interfaces are in the public address space.

5)What models would you recommend for the Layer 3 switches?

6)Should I be using layer 2 switches or should I just connect the servers directly to the layer 3 switches? If so what model switches?

7)What are the other options, upgrade to the 6500 data center model with FWSMs?

8) Why do I need a switch between the firewalls and routers? Can I just have a 1-1 connection? If either the firewall or router fails on the left side, both the router and firewall on the right side will pick up.

Thanks again.


 
What type of checkpoint firewall series do you have?

The switches would take care of the vlan routing, but keep in mind there will have to be a route to reach your edge routers for outside connectivity or point everything to your firewall for outside access.

The purpose of your firewall is to filter traffic, let it!

How many public addresses do you have for your firewall and routers? Have you considered using a NAT solution with your outside interfaces going toward your ISP and your inside interfaces going to your firewalls?

Are all of your web servers on a private addressing scheme?


Yes, I would recommend a L3 switch because of the ease of management, the extra security options you could use, and the ability to use different VLANs without a router. If you wanted to use multiple VLANs you would need either a router or a L3 switch for inter-VLAN communication. We use the 4500 and 6500 series at my work and they are fantastic. With your setup I think that 3750s would work fine. You do not need the advanced modules such as the FWSM because you have 2 Checkpoints that will be filtering traffic. If those 2 firewalls are set up properly, then another firewall is not necessary.

If you have a 1-1 connection then how would your Checkpoints exchange their heartbeats or HSRP exchange its keepalives?

Here is a link on the different models in the 3750 series

 
I think we have both been talking about the 3560 series for the Layer 3 device (which you properly linked to), correct?

Checkpoint NG. We are going to upgrade to NGX.

We have a class C address space. The firewall is NATing to the internal servers which are all on private ip addresses.

I was thinking that there will still be a direct connection between the 2 routers to exchange HSRP and BGP info.

If I remember my Checkpoint manual, I believe the heartbeat can travel over a direct connection between the 2 firewalls (the dashed line). No data flows over this connection.

This is what I was thinking:
[diagram: after2.gif]


Do I need layer-2 switches between the Layer-3 switches and the servers?

Thanks
 
Well, I was thinking along the lines that if you don't use the L2 switch between the firewall and the external routers, you will be burning an interface on both routers and both firewalls.

I will have to look into that Checkpoint series as I don't have experience with that model.

No, you will not need a layer 2 switch between the servers and L3 switches. You can have L2 switchports on the L3 switch as well.

What ideas do you have with the configuration of your multihomed servers?
 
1)I have not thought about my configurations of the multihomed servers. What were you thinking?

2) Our firewall also serves as a P2P VPN between the server farm and our office (for management purposes, not application access). Currently we are using static routing. Would it be wise to use dynamic routing considering that the routing protocol would be going over VPN between the L3 switches at the server farm and the internal routers at our office?

3) Quick tip if you don't mind. Let's say I have this VLAN:

VLAN100
subnet 10.0.0.0/29
gateway: 10.0.0.1
HostA:10.0.0.2
HostB:10.0.0.3
BCast: 10.0.0.7

HostA is connected to L3SwitchA, port1 and HostB is connected to L3SwitchB, port1. Where would VLAN100 be defined? Where would the gateway ip address of VLAN100 be set?

Thanks
 
I was curious to hear what you were thinking as I don't have much experience with servers and the access layer. My experience is more on the distribution and core side, as a L3 switching/routing/security/VoIP network engineer.

So your firewall is also acting as your P2P VPN between main office and server farm using static routing? If that is the case I would suggest you try and keep your IP addressing more hierarchical so as to make your static routing less complicated than it has to be. Example: if your server farm is 10.1.2.0, 10.1.3.0, etc., then you could have one static route at the main office pointing to 10.1.0.0, or subnet out 10.1.2.0. Understand? You just have to make sure that your routers at the main office know of the networks behind your firewall.

Quick tip, I don't mind at all because that's my forte! LOL...

On switch A and B you would define interface vlan 100 with an IP address in the same subnet. Then I would ensure that the 2 switches are trunked together and configure HSRP for that VLAN between the 2 switches. On port 1 of both Switch A and B, I would ensure that those are both L2 switchports and they are members of vlan 100. The gateway for the host PCs would be the standby (HSRP) address that is configured between the 2 switches. For routing to take place, you would ensure ip routing is enabled and then configure the appropriate routes to take to your final destination.

With L3 switches, you can have multiple VLAN interfaces, making this different than a L2 switch that only allows 1 VLAN interface active at a time. With a L3 switch you don't need a router for connectivity between subnets. On L3 switches you can have static or dynamic routing take place as you see fit. I was suggesting HSRP between the 2 L3 switches; that way the default gateway of your hosts would be the IP of the standby address, aka your virtual IP.

Hope this is of some help to you!
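
The following is an added example, not part of the thread or either poster's configuration. It puts the answer above into Cisco IOS for one of the two L3 switches (3750/3560-class): VLAN 100 from the question (10.0.0.0/29, HostA .2, HostB .3, gateway .1), an SVI with HSRP so that 10.0.0.1 is the virtual gateway, a trunk to the second switch, L2 access ports for the hosts, ip routing, and a default route toward the firewall. It also adds the inter-VLAN ACLs that make the VLAN split actually contain a compromised host, which is the security goal stated earlier in the thread. Hostnames, a second server VLAN 200 (10.0.1.0/24), the transit VLAN 900 and firewall address (10.0.255.0/24, firewall inside 10.0.255.1), port numbers, and the switch SVI addresses (.4 on switch A, .5 on switch B) are all assumptions.

```cisco
! Added example (not from the thread). L3SwitchB is configured identically
! except for its own SVI addresses (10.0.0.5, 10.0.1.5, 10.0.255.5) and
! without the "standby ... priority 110" lines, so switch A is the preferred
! gateway and B takes over when A fails.
hostname L3SwitchA
!
! Without this the SVIs can carry addresses but the switch will not route
! between VLANs.
ip routing
!
vlan 100
 name SQL
vlan 200
 name WEB
vlan 900
 name TRANSIT-TO-FIREWALLS
!
! Trunk to L3SwitchB: carries every server VLAN so HostB on switch B can reach
! the active HSRP gateway when it lives on switch A, and carries HSRP hellos.
interface GigabitEthernet1/0/48
 description Trunk to L3SwitchB
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,200,900
 switchport mode trunk
!
! HostA (10.0.0.2): a plain L2 access port in VLAN 100. HostB is wired the
! same way to port 1 of L3SwitchB.
interface GigabitEthernet1/0/1
 description HostA
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
!
! Firewall inside interface lands in the transit VLAN (assumed 10.0.255.0/24).
interface GigabitEthernet1/0/47
 description Checkpoint A inside
 switchport mode access
 switchport access vlan 900
!
! VLAN 100 from the question. The switch's real address is .4 (.5 on switch B);
! 10.0.0.1 is the HSRP virtual address the hosts use as their default gateway.
interface Vlan100
 ip address 10.0.0.4 255.255.255.248
 ip access-group SQL-OUT in
 standby 100 ip 10.0.0.1
 standby 100 priority 110
 standby 100 preempt
!
interface Vlan200
 ip address 10.0.1.4 255.255.255.0
 ip access-group WEB-OUT in
 standby 200 ip 10.0.1.1
 standby 200 priority 110
 standby 200 preempt
!
interface Vlan900
 ip address 10.0.255.4 255.255.255.0
 standby 900 ip 10.0.255.3
 standby 900 priority 110
 standby 900 preempt
!
! Anything not local goes to the firewall's inside address (assumed
! 10.0.255.1). The Checkpoint needs the reverse routes (10.0.0.0/29 and
! 10.0.1.0/24 via 10.0.255.3) or it cannot reach the NATed servers.
ip route 0.0.0.0 0.0.0.0 10.0.255.1
!
! Inter-VLAN filters, applied "in" on each SVI so they match traffic sourced
! by the servers in that VLAN. Router ACLs are stateless, so the SQL side has
! to permit the replies explicitly ("established" = ACK or RST set).
ip access-list extended WEB-OUT
 remark web tier reaches the database tier on TCP/1433 only
 permit tcp 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.7 eq 1433
 deny   ip  10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.7 log
 permit ip  10.0.1.0 0.0.0.255 any
!
ip access-list extended SQL-OUT
 remark database tier answers the web tier and initiates nothing towards it
 permit tcp 10.0.0.0 0.0.0.7 eq 1433 10.0.1.0 0.0.0.255 established
 deny   ip  10.0.0.0 0.0.0.7 10.0.1.0 0.0.0.255 log
 permit ip  10.0.0.0 0.0.0.7 any
```

The two ACLs are what turn "separate VLANs" into containment: a compromised web server can only open TCP/1433 to the database VLAN, and a compromised SQL host cannot initiate anything toward the web tier, so the firewall is not asked to carry the server-to-server traffic the original poster was worried about. The trailing `permit ip ... any` lines leave traffic toward the transit VLAN and the Internet to the Checkpoint, which keeps the firewall as the policy point for everything leaving the farm.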
 
I understand.... Thanks.

Does our public class C address space need to be subnetted for each of these connections:

Router1 - Router2

Router1 - Firewall1

Router2 - Firewall2

If so, how do I use HSRP between 2 IP addresses that are in different subnets?
 
"Would it be wise to use dynamic routing considering that the routing protocol would be going over VPN between the L3 switches at the server farm and the internal routers at our office?"
Watch out there, IPsec doesn't allow multicasts, so either you design around that and use a dynamic routing protocol, or you stick to statics.

UnaBomber
ccnp mcse2k
 
That's why I suggested the L2 switch with all 4 devices plugged into it with all devices in the same subnet. This will give you one HSRP standby address that is going to both routers...

UnaBomber is correct as IPSEC does not allow multicasts, but you can get around that by specifying a neighbor which unicasts updates. I still recommend static routing though..

 
1) I can't imagine having a L2 switch being a popular option as it represents a single point of failure and another device to buy. Can this not work without it?

2) I was thinking about what you said about having the firewalls route/secure the VLANs and using L2 switches to connect the firewalls to the servers. Is this really a viable option?

3) My 2 sets of options are:
-PIX/ASA vs Checkpoint
-Firewall vs Layer 3 device for VLAN routing/Securing.

I am having a hard time trying to decide what options to choose as it is too close to call. Here is a diagram matrix of the two sets of options (please check if connections look correct):

[diagram: matrix.gif]


Thanks.
 
Why are you running HSRP on your edge routers? If one of your ISPs goes down the routes will purge and you will dynamically fail over to the other router. Unless you are tracking the outside interface, which won't tell you if one of the ISPs gets a blackhole. Unless you have both your firewalls connected to both the routers (which you don't have in your physical diagram).

I would go for config 2 to be honest, because I prefer Cisco ASA over Checkpoint for this application, and with a multilayer router you have more options for securing your server farm/s

UnaBomber
ccnp mcse2k
 
That makes sense. I assumed HSRP because that is what we are running now; we have a switch that connects our 2 routers with our 1 firewall. Our firewall has 2 choices thus needing that virtual IP address that HSRP provided. In these configs each firewall only has one choice.

Would you concur that this setup will work without switch(es) between the edge routers and firewalls?

Can you elaborate on this statement: "..and with a multilayer router you have more options for securing your server farm/s"? How does a layer-3 switch have more options? Wouldn't a full fledged firewall give me more options/protection than a simple Layer-3 switch ACL(DOS attacks, spoofs, etc)?
 
This is what it looks like logically, right?



If so, then it will work as long as your routing is ok, apart from the hsrp as I said, its redundant. If Router1 goes down and router2 becomes the virtual primary router, how will firewall1 send traffic to that router, if the routers are on different subnets?

I would slot two layer2 switches (catalysts) in between the firewalls and routers...

Like so:



Hope that is clear


UnaBomber
ccnp mcse2k
 
hmmmm let me try that again:

First diagram:

[diagram: drawing1mr9.jpg]


Second diagram:

[diagram: drawing2sv1.jpg]


UnaBomber
ccnp mcse2k
 