Implementing Data Center Services (Interoperability, Design and Deployment) BRKDCT , Cisco Systems, Inc. All rights reserved.


Slide: Implementing Data Center Services (Interoperability, Design and Deployment)
2008 Cisco Systems, Inc. All rights reserved. Cisco Public

Slide: Agenda
- Data Center Components
- Server Load Balancing (Content Switching)
- SSL Offload
- Security (Firewall)
- Integrated Data Center Services Design Options
- Real World Deployments

Slide: Data Center Components

Slide: Acronyms
- ACE: Application Control Engine
- BGP: Border Gateway Protocol
- Cat4000: Cisco Catalyst 4000
- Cat6500: Cisco Catalyst 6500
- CE: Cisco Content Engine
- CSA: Cisco Security Agent (host-based intrusion prevention)
- CSM: Cisco Content Switching Service Module on Cat6500
- CSS: Cisco Content Services Switch (CSS11000 and CSS11500 family)
- FWSM: Cisco Firewall Service Module on Cat6500
- HSRP: Hot Standby Routing Protocol
- GSS: Global Site Selector
- IDSM: Cisco Intrusion Detection Service Module on Cat6500
- LMS: Cisco Works LAN Management Solution
- MAC: Media Access Control
- MSFC: Multilayer Switching Feature Card
- NAM: Cisco Network Analysis Service Module on Cat6500
- OSPF: Open Shortest Path First
- PBR: Policy Based Routing
- SLB: Server Load Balancing
- SSL: Secure Socket Layer
- SSLM: Cisco SSL Offload Service Module on Cat6500
- VMS: Cisco Works VPN/Security Management Solution
- VPN-SM/SPA: Cisco Virtual Private Network Service Module on Cat6500

Slide: Data Center Residents
- Presentation servers: web front-end servers that provide the interface to the clients, e.g., Apache, IIS, etc.
- Business logic servers: also known as middleware; custom applications
- DB servers: Oracle, Sybase, etc.
- Data: NAS, SAN

Slide: Data Center Elements
- Application solution: Linux/HP, Solaris/SunFire, WebLogic, J2EE custom app, etc.
- Database solution: Linux/HP, Solaris/SunFire, Oracle 10G RAC, etc.
- Storage solution: MDS

Slide: Data Center Elements
- Network infrastructure solution: routers and switches (Cisco GSRs, Catalyst 6500, Catalyst 4500, Nexus 5000/7000)
- Layers 4-7 services solution: ACE, CSM, SSLM, CSS, CE, GSS
- Application solution: Linux/HP, Solaris/SunFire, WebLogic, J2EE custom app, etc.
- Database solution: Linux/HP, Solaris/SunFire, Oracle 10G RAC, etc.
- Network security solution: PIX, FWSM, IDSM, VPNSM, CSA
- Management and instrumentation solution: terminal servers, NAM, Cisco Works LMS/VMS, HSE
- Storage solution: MDS

Slide: Data Center Elements: Redundancy
- Network infrastructure solution (routers and switches: Cisco GSRs, Catalyst 6500, Catalyst 4500, Nexus 5000/7000): HSRP, RPR, SSO, RPVST
- Layers 4-7 services solution (ACE, CSM, SSLM, CSS, CE, GSS) and network security solution (PIX, FWSM, IDSM, VPNSM, CSA): % availability; stateful redundancy desired on CSM and FWSM
- Application solution: Linux/HP, Solaris/SunFire, WebLogic, J2EE custom app, etc.
- Database solution: Linux/HP, Solaris/SunFire, Oracle 10G RAC, etc.
- Management and instrumentation solution: terminal servers, NAM, Cisco Works LMS/VMS, HSE
- Storage solution: MDS

Slide: Data Center Elements: Scalability
- Network infrastructure solution (routers and switches: Cisco GSRs, Catalyst 6500, Catalyst 4500, Nexus 5000/7000): core, aggregation/distribution/services model
- Layers 4-7 services solution (ACE, CSM, SSLM, CSS, CE, GSS): flexible and simple growth capabilities desired; ability to scale to multiple services modules (ACE, SSLM, etc.)
- Application solution: Linux/HP, Solaris/SunFire, WebLogic, J2EE custom app, etc.
- Database solution: Linux/HP, Solaris/SunFire, Oracle 10G RAC, etc.
- Network security solution: PIX, FWSM, IDSM, VPNSM, CSA
- Management and instrumentation solution: terminal servers, NAM, Cisco Works LMS/VMS, HSE
- Storage solution: MDS

Slide: Data Center Elements: Security
- Network infrastructure solution (routers and switches: Cisco GSRs, Catalyst 6500, Catalyst 4500, Nexus 5000/7000): protection against DoS attacks and worm activity
- Layers 4-7 services solution (ACE, CSM, SSLM, CSS, CE, GSS) and network security solution (PIX, FWSM, IDSM, VPNSM, CSA): protection of infrastructure devices from unauthorized
- Application solution (Linux/HP, Solaris/SunFire, WebLogic, J2EE custom app, etc.) and database solution (Linux/HP, Solaris/SunFire, Oracle 10G RAC, etc.): protection of information/data
- Management and instrumentation solution: terminal servers, NAM, Cisco Works LMS/VMS, HSE
- Storage solution: MDS

Slide: Typical Data Center Topology
[Diagram: the internal network and the Internet (via Service Provider A and Service Provider B) connect to the edge routers; below them core switches, aggregation switches and access switches feed the Web tier, Application tier and Database tier]

Slide: Distributed Data Centers
[Diagram: a production data center and a backup data center, each hosting App A and App B with an FC storage network, joined over the IP network and an FCIP link. Data center services shown: server load balancing and health monitoring, caches, SSL offload, firewall, and intrusion detection]

Slide: Server Load Balancing
Please visit BRKAPP-2002: Server Load Balancing Design

Slide: Server Load Balancing
- Also known as content switching; one of the single most important infrastructure services in the data center
- Key purpose: load distribution of requests. The requests could be from Internet, intranet, or extranet clients
- Layer 3 to 7 content switching capabilities are available, with extensive keepalive (server health check) functionality
- A Layer 4 or Layer 7 proxy can be used as a security perimeter
- Functions: application redundancy, load distribution, application health checks, communication of load to the GSLB device
Content switching design decisions:
- Application protocol and ports (listener ports)
- End-to-end application flows
- Direct server access
- Server management
- Server-initiated sessions
- Infrastructure design

Slide: Content Switching Design Approaches: Bridged Mode: Design
[Diagram: Core-1 and Core-2 above Agg-1 (MSFC1) and Agg-2 (MSFC2) joined by the data link; ACE 1 and ACE 2 (standby) joined by the FT VLAN; ACE client-side VLAN (/24) and ACE server-side VLAN (/24)]
Key content switching design options:
- Bridged mode design
- Routed mode design with MSFC on client side
- Routed mode design with MSFC on server side
- One-armed design
(1) Bridged mode design considerations:
- Servers' default gateway is the HSRP group IP address on the MSFC
- Broadcast/multicast/route update traffic bridges through
- No extra configuration for direct access to servers or server-initiated sessions
- RHI possible
- Load balancer inline of all traffic
- Easily deployed in existing networks

Slide: Content Switching Design Approaches: Bridged Mode: Configuration
(Addresses, masks and next hops are blank in the transcription.)
CSM:
  module ContentSwitchingModule 4
   vlan 10 client
    ip address
    gateway
    alias
   vlan 20 server
    ip address
MSFC:
  interface Vlan10
   ip address
   standby 10 ip
   standby 10 priority 110
   standby 10 preempt
ACE:
  interface vlan 10
   bridge-group 10
   access-group input anyone
   access-group output anyone
   no shutdown
  interface vlan 20
   bridge-group 10
   access-group input anyone
   access-group output anyone
   no shutdown
  interface bvi 10
   ip address
   alias
   peer ip address
   no shutdown
  ip route

Slide: Content Switching Design Approaches: Bridged Mode: BPDU Forwarding
ACE configuration to allow BPDUs:
  access-list bpduallow ethertype permit bpdu
  interface vlan 10
   bridge-group 10
   access-group input bpduallow
   no shutdown
  interface vlan 20
   bridge-group 10
   access-group input bpduallow
   no shutdown

Slide: Content Switching Design Approaches: Routed Mode: Design
[Diagram, left (2A): Core-1/Core-2 above Agg-1 (MSFC1) and Agg-2 (MSFC2); ACE 1 and ACE 2 (standby) joined by the FT VLAN; VLAN 10 is the ACE client-side VLAN (/24), VLANs 20 and 30 are ACE server-side VLANs (/24). Right (2B): ACE 1 and ACE 2 sit between the cores and the MSFCs; ACE client-side VLAN (/24), ACE server-side VLAN (/24) and server VLANs (/24) behind the MSFCs]
(2A) Routed mode design with MSFC on client side:
- Servers' default gateway is the alias IP on the CSM/ACE
- Extra configuration needed for direct access to servers and non-load-balanced server-initiated sessions
- CSM/ACE's default gateway is the HSRP group IP address on the MSFC
- RHI possible
- Load balancer inline of all traffic
(2B) Routed mode design with MSFC on server side:
- Servers' default gateway is the HSRP group IP address on the MSFC
- Extra configuration needed (simpler than option 2A) for direct access to servers and non-load-balanced server-initiated sessions
- ACE/CSM's default gateway is the core router
- RHI not possible
- Server-to-server communication bypasses the load balancer

Slide: Content Switching Design Approaches: Routed Mode: Design (VRF-Lite)
[Diagram: Core-1/Core-2 above Agg-1 (MSFC1) and Agg-2 (MSFC2) joined by the data link; ACE 1 and ACE 2 (standby) joined by the FT VLAN; each aggregation MSFC also hosts a VRF-Lite server instance facing the servers]
(2C) Routed mode design with VRF-Lite:
- Servers' default gateway is the HSRP group IP address on VLANs (SVIs) within the VRF-Lite instance
- Extra configuration needed (simpler than option 2A) for direct access to servers and non-load-balanced server-initiated sessions
- ACE/CSM's default gateway is the global MSFC's HSRP IP address
- RHI is possible
- Server-to-server communication bypasses the load balancer

Slide: Content Switching Design Approaches: Routed Mode: Configuration
CSM:
  module ContentSwitchingModule 4
   vlan 10 client
    ip address
    gateway
    alias
   vlan 20 server
    ip address
    alias
   vlan 30 server
    ip address
    alias
MSFC:
  interface Vlan10
   ip address
   standby 10 ip
   standby 10 priority 110
   standby 10 preempt
ACE:
  interface vlan 10
   ip address
   alias
   peer ip address
   no shutdown
  interface vlan 20
   ip address
   alias
   peer ip address
   no shutdown
  interface vlan 30
   ip address
   alias
   peer ip address
   no shutdown
  ip route

Slide: Content Switching Design Approaches: One-Armed Mode: Design
[Diagram: Core-1/Core-2 above Agg-1 (MSFC1) and Agg-2 (MSFC2) joined by the data link; the ACE and ACE 2 (standby), joined by the FT VLAN, hang off VLAN 10 on the LB server-side VLAN (/24); server VLANs (/24) are reached directly from the MSFCs]
(3) One-armed design considerations:
- Servers' default gateway is the HSRP group IP address on the MSFC
- No extra configuration for direct access to servers or server-initiated sessions
- RHI possible
- CSM/ACE inline for only server-load-balanced traffic
- Only policy-based routing or source NAT can be used to redirect server return traffic to the load balancer

Slide: Content Switching Design Approaches: One-Armed Mode: PBR Configuration
MSFC:
  interface Vlan10
   ip address
   standby 10 ip
   standby 10 priority 110
   standby 10 preempt
  interface Vlan20
   ip address
   ip policy route-map FromServersToSLB
   standby 20 ip
   standby 20 priority 110
   standby 20 preempt
  access-list 121 permit tcp any eq telnet any
  access-list 121 permit tcp any eq www any
  access-list 121 permit tcp any eq 443 any
  access-list 121 deny ip any any
  route-map FromServersToSLB permit 10
   match ip address 121
   set ip next-hop
CSM, asymmetric routing:
  module ContentSwitchingModule 4
   variable ROUTE_UNKNOWN_FLOW_PKTS 2
ACE, asymmetric routing:
  interface vlan 10
   ip address
   alias
   peer ip address
   no normalization
   access-group input anyone
   access-group output anyone
   no shutdown

Slide: Content Switching Design Approaches: One-Armed Mode: Source-NAT Configuration
CSM:
  module ContentSwitchingModule 4
   natpool SRC_NAT netmask
   serverfarm SFARM_NAT
    nat server
    nat client SRC_NAT
    real
     inservice
    real
     inservice
    probe TCP
ACE:
  policy-map multi-match SLB-TELNET-POLICY
   class SLB-TELNET
    loadbalance vip inservice
    loadbalance policy TELNET-POLICY-TYPE
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 10
  interface vlan 10
   ip address
   alias
   peer ip address
   no normalization
   access-group input anyone
   access-group output anyone
   nat-pool netmask pat
   no shutdown
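A way to see exactly which server-side flows the PBR configuration above steers back to the load balancer, as an added example that is not part of the original deck or Cisco's code: the Python below parses ACL 121 and the FromServersToSLB route-map, classifies sample flows by their next hop, and flags VIP ports whose replies would bypass the ACE/CSM. The next-hop address and the sample flows are assumptions, since the slide leaves the addresses blank.

```python
"""Model of the one-armed return-path redirection shown on the slide above.

ACL 121 matches TCP packets whose SOURCE port is telnet/www/443, i.e. replies
from the load-balanced listeners; the route-map sets their next hop to the
load balancer. Everything else follows the routing table and bypasses the
ACE/CSM. Example code, not Cisco's; the next hop is assumed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed copy of the slide's PBR configuration (next-hop address assumed).
MSFC_PBR_CONFIG = """
access-list 121 permit tcp any eq telnet any
access-list 121 permit tcp any eq www any
access-list 121 permit tcp any eq 443 any
access-list 121 deny ip any any
route-map FromServersToSLB permit 10
 match ip address 121
 set ip next-hop 10.20.0.5
"""

# IOS port keywords that may appear in the ACL (subset sufficient here).
WELL_KNOWN = {"telnet": 23, "www": 80, "ftp": 21, "smtp": 25, "domain": 53}


@dataclass(frozen=True)
class AclEntry:
    action: str              # "permit" or "deny"
    proto: str               # "tcp", "udp" or "ip"
    src_port: Optional[int]  # None means any source port


def parse_acl(config: str, acl_id: str) -> List[AclEntry]:
    """Extract the entries of a numbered ACL in order (first match wins)."""
    pat = re.compile(
        rf"^access-list {acl_id} (permit|deny) (\S+) any(?: eq (\S+))? any$")
    entries: List[AclEntry] = []
    for line in config.strip().splitlines():
        m = pat.match(line.strip())
        if not m:
            continue
        action, proto, port = m.groups()
        # Keyword (telnet, www) or numeric port (443).
        src_port = None if port is None else (WELL_KNOWN.get(port) or int(port))
        entries.append(AclEntry(action, proto, src_port))
    return entries


def parse_next_hop(config: str, route_map: str) -> Optional[str]:
    """Return the `set ip next-hop` address of the named route-map."""
    in_map = False
    for line in config.strip().splitlines():
        s = line.strip()
        if s.startswith("route-map "):
            in_map = s.split()[1] == route_map
        elif in_map and s.startswith("set ip next-hop "):
            return s.split()[-1]
    return None


def next_hop_for(entries: List[AclEntry], proto: str, src_port: int,
                 default_gw: str, slb: str) -> str:
    """First-match evaluation: a permit steers the packet to the SLB next hop;
    a deny, or the implicit deny at the end, leaves it on normal routing."""
    for e in entries:
        if e.proto not in ("ip", proto):
            continue
        if e.src_port is not None and e.src_port != src_port:
            continue
        return slb if e.action == "permit" else default_gw
    return default_gw


def classify_flows(config: str, default_gw: str) -> Dict[str, str]:
    """Where each constructed flow leaving the server VLAN is forwarded."""
    entries = parse_acl(config, "121")
    slb = parse_next_hop(config, "FromServersToSLB") or default_gw
    flows = [  # (label, protocol, source port of the packet from the server)
        ("http reply to client", "tcp", 80),
        ("https reply to client", "tcp", 443),
        ("telnet reply to client", "tcp", 23),
        ("server-initiated outbound session", "tcp", 51234),
        ("dns lookup from server", "udp", 45000),
        ("ssh management reply", "tcp", 22),
    ]
    return {label: next_hop_for(entries, proto, port, default_gw, slb)
            for label, proto, port in flows}


def vip_ports_not_redirected(entries: List[AclEntry],
                             vip_ports: Set[int]) -> Set[int]:
    """VIP listener ports whose replies would NOT be steered back to the SLB.
    Adding a VIP without updating ACL 121 makes the return path asymmetric."""
    return {p for p in vip_ports
            if next_hop_for(entries, "tcp", p, "GW", "SLB") != "SLB"}
```

Flows whose source port is not a listed VIP port (server-initiated sessions, management replies) follow the HSRP gateway and never touch the load balancer, which is the one-armed behaviour the slide describes.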

Slide: Content Switching Design Approaches: Virtual Context in ACE
[Diagram: two topologies, each with Core-1/Core-2, Agg-1 (MSFC1) and Agg-2 (MSFC2) joined by the data link, and ACE1/ACE2 joined by the control VLAN. Left (4A), transparent virtual contexts VC_A and VC_B, each bridging a client VLAN and a server VLAN (/24). Right (4B), routed contexts VC_1 and VC_2 with an ACE-to-MSFC VLAN (/24) and server VLANs (/24)]
(4A) Bridged context:
  context VC_A
   allocate-interface vlan 2
   allocate-interface vlan 20
   member VC_A_RESRC
  context VC_B
   allocate-interface vlan 3
   allocate-interface vlan 30
   member VC_B_RESRC
(4B) Routed context:
  context VC_A
   allocate-interface vlan 12
   allocate-interface vlan 21
   allocate-interface vlan 22
   member VC_1_RESRC
  context VC_B
   allocate-interface vlan 13
   allocate-interface vlan 31
   member VC_2_RESRC

Slide: Content Switching Design Approaches: Virtual Context in ACE: Configuration
  resource-class VC_1
   limit-resource all minimum maximum equal-to-min
  resource-class VC_2
   limit-resource all minimum 0.00 maximum unlimited
   limit-resource conc-connections minimum maximum equal-to-min
   limit-resource sticky minimum maximum equal-to-min
  context VC_A
   description Context for initial client request
   allocate-interface vlan 5
   allocate-interface vlan 10
   member VC_1
  context VC_B
   description Context for second tier of internal VIPs
   allocate-interface vlan 15
   allocate-interface vlan 20
   allocate-interface vlan 30
   member VC_2
  ft interface vlan 31
   ip address
   peer ip address
   no shutdown
  ft peer 1
   heartbeat interval 300
   heartbeat count 10
   ft-interface vlan 31
  ft group 11
   peer 1
   priority 110
   peer priority 105
   associate-context VC_A
   inservice
  ft group 22
   peer 1
   priority 105
   peer priority 110
   associate-context VC_B
   inservice

Slide: Content Switching Designs Summary

Design                                | Default gateway of servers | Direct to servers                          | Server-originated connections                     | Multicast support                     | Layer 2 loops
(1) Bridge mode                       | HSRP IP on MSFC            | No extra configuration needed              | No extra configuration needed                     | Supported, bridges through            | Possible if misconfigured
(2A) Routed mode, MSFC on client side | Alias IP on CSM            | Extra configuration needed                 | Extra configuration may be needed                 | Not supported                         | Not possible
(2B) Routed mode, MSFC on server side | HSRP IP on MSFC            | Extra configuration needed, may bypass CSM | Extra configuration may be needed, may bypass CSM | Not supported, server to server works | Not possible
(3) One-armed                         | HSRP IP on MSFC            | CSM is bypassed                            | CSM is bypassed                                   | Supported as CSM is bypassed          | Not possible

Slide: SSL Offload
Please visit BRKCDT-3703: SSL Offload for DC Backend Server Farm

Slide: Network-Based SSL Offload
[Diagram: Core-1/Core-2 above Agg-1 (MSFC1) and Agg-2 (MSFC2) joined by the FT and data links; CSM 1 and CSM 2 on VLAN 10; SSLM 1 and SSLM 2 on the SSLM VLAN (/24) connected to the CSM; CSM server-side VLAN (/24) and server VLANs (/24)]
Key motivations:
- Offload SSL decryption/encryption from servers
- Redundancy
- Scalability
- Unified management of SSL certificates
- Layer 7 based load balancing and sticky possible for HTTPS
SSL offload design:
- In ACE (Application Control Engine), SSL offload is built in on the module
- Simply add the SSLMs on a VLAN connected to the ACE
- SSLMs' default gateway would be the alias IP on the ACE
- Backend SSL requires no design change

Slide: SSL Services Module: Configuration Tips: Admin VLAN and Data VLAN
- One VLAN on the SSL module has to be the admin VLAN
- Make sure that the admin VLAN has a route to the CA, TFTP server, management stations, etc.
- The admin VLAN can also carry data traffic
- The default gateway of the admin VLAN is the module default gateway
[Diagram: one SSL module with separate admin and data VLANs, and one with a single combined admin-and-data VLAN]

Slide: Data Center Security

Slide: Firewall Design Approaches: Layer 2
[Diagram: Core-1/Core-2 above Agg-1 (MSFC1) and Agg-2 (MSFC2) joined by the data link; FWSM1 and FWSM2 joined by the control link, bridging the DMZ-1 VLAN (/24)]
Key firewall design options:
- Bridged mode design, also known as transparent or stealth firewall
- Routed mode design, also known as Layer 3 firewall
- Virtual firewall contexts for Layer 2 or Layer 3 mode
(1) Layer 2 (transparent) firewall design considerations:
- Servers' default gateway is the HSRP group IP address on the MSFC
- Broadcast/multicast/route update traffic bridges through
- Bump on the wire; easy integration
- Currently two VLANs can be merged

Slide: Firewall Design Approaches: Layer 3
[Diagram: Core-1/Core-2 above Agg-1 (MSFC1) and Agg-2 (MSFC2) joined by the data link; FWSM1 and FWSM2 joined by the control link; FWSM-to-MSFC VLAN (/24) and DMZ-1 VLANs (/24)]
(2) Layer 3 firewall design considerations:
- Servers' default gateway is the IP address on the firewall
- Dynamic routing is supported

Slide: Firewall Design Approaches: Virtual Context
- It's the ability to segment a single physical firewall into multiple virtualized instances
- Multiple interfaces/VLANs within Layer 3 virtual contexts are supported
- Multiple bridge pairs for Layer 2 virtual contexts are supported
On the MSFC:
  firewall multiple-vlan-interfaces
  firewall module 7 vlan-group 100
  firewall vlan-group ,50-53
On the firewall:
  CAT1-FWSM-SYS# conf t
  CAT1-FWSM-SYS(config)# firewall ?
  Usage: [no|clear|show] firewall [transparent]
  FWSM(config)# mode ?
  Usage: mode single|multiple

Slide: Firewall Design Approaches: Virtual Context
[Diagram: two topologies, each with Core-1/Core-2, Agg-1 (MSFC1) and Agg-2 (MSFC2) joined by the data link, and an FWSM pair joined by the control VLAN. Left (3A), transparent virtual contexts FWA (VLAN /24) and FWB (VLAN /24). Right (3B), routed contexts FW1 and FW2 with FWSM-to-MSFC VLANs (/24) and DMZ-1 / DMZ-2 VLANs (/24)]
(3A) Transparent context:
  context FWA
   allocate-interface vlan2
   allocate-interface vlan20
   config-url disk:/fwa.cfg
  context FWB
   allocate-interface vlan3
   allocate-interface vlan30
   config-url disk:/fwb.cfg
(3B) Routed context:
  context FW1
   allocate-interface vlan12
   allocate-interface vlan20
   config-url disk:/fw1.cfg
  context FW2
   allocate-interface vlan13
   allocate-interface vlan30
   config-url disk:/fw2.cfg

Slide: Firewall Designs Summary

                           | (1) Bridge mode, Layer 2  | (2) Routed mode, Layer 3 | (3A) Virtual context, Layer 2                        | (3B) Virtual context, Layer 3
Default gateway of servers | HSRP IP on MSFC           | Primary IP on FW         | HSRP IP on MSFC                                      | Primary IP on FW
Multicast support          | Supported                 | Supported                | Supported                                            | Supported
Layer 2 loops              | Possible if misconfigured | Not possible             | Possible if misconfigured                            | Not possible
VLAN usage                 | Multiple VLANs allowed    | Multiple VLANs allowed   | Multiple VLANs per VC, cannot share VLANs across VCs | Multiple VLANs per VC, can share VLANs across VCs
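An added consistency check (example code, not from the deck or Cisco) for the context configuration above together with the MSFC vlan-group commands on the previous slide: it expands the vlan-group, maps each context to the VLANs it allocates, and reports VLANs a context allocates that are never trunked to the module, plus VLANs shared between transparent contexts (which the summary table rules out). The VLAN list in the vlan-group, the module slot and the extra FWC context are assumptions.

```python
"""Consistency check for FWSM virtual-context VLAN allocation.

On the MSFC, `firewall vlan-group` and `firewall module N vlan-group N`
decide which VLANs are trunked to the module; on the FWSM, each `context`
claims VLANs with `allocate-interface`. A VLAN a context allocates but the
module never receives is silently dead, and transparent contexts cannot
share a VLAN. Example code, not Cisco's; sample values are constructed.
"""
import re
from typing import Dict, List, Set

# Constructed MSFC side (the slide's vlan-group line lost its VLAN list).
MSFC_CONFIG = """
firewall multiple-vlan-interfaces
firewall module 7 vlan-group 100
firewall vlan-group 100 2,3,20,30,50-53
"""

# FWA/FWB are the slide's transparent contexts; FWC is a constructed
# misconfiguration: it re-uses vlan20 and asks for vlan40, which is not
# in vlan-group 100.
FWSM_CONFIG = """
firewall transparent
mode multiple
context FWA
 allocate-interface vlan2
 allocate-interface vlan20
 config-url disk:/fwa.cfg
context FWB
 allocate-interface vlan3
 allocate-interface vlan30
 config-url disk:/fwb.cfg
context FWC
 allocate-interface vlan20
 allocate-interface vlan40
 config-url disk:/fwc.cfg
"""


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS list such as '2,3,50-53' into {2, 3, 50, 51, 52, 53}."""
    vlans: Set[int] = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def module_vlans(msfc_config: str, slot: int) -> Set[int]:
    """VLANs that reach the module in `slot`: union of the vlan-groups bound to it."""
    groups: Dict[int, Set[int]] = {}
    bound: Set[int] = set()
    for line in msfc_config.strip().splitlines():
        s = line.strip()
        m = re.match(r"^firewall vlan-group (\d+) (\S+)$", s)
        if m:
            groups.setdefault(int(m.group(1)), set()).update(expand_vlan_list(m.group(2)))
            continue
        m = re.match(r"^firewall module (\d+) vlan-group (\S+)$", s)
        if m and int(m.group(1)) == slot:
            bound.update(expand_vlan_list(m.group(2)))
    return set().union(*(groups.get(g, set()) for g in bound))


def context_vlans(fwsm_config: str) -> Dict[str, List[int]]:
    """Map each context to the VLANs it allocates ('vlan20' and 'vlan 20' both accepted)."""
    contexts: Dict[str, List[int]] = {}
    current = None
    for line in fwsm_config.strip().splitlines():
        s = line.strip()
        if s.startswith("context "):
            current = s.split()[1]
            contexts[current] = []
        else:
            m = re.match(r"^allocate-interface vlan\s*(\d+)$", s)
            if m and current is not None:
                contexts[current].append(int(m.group(1)))
    return contexts


def is_transparent(fwsm_config: str) -> bool:
    """True when the system context runs in transparent (Layer 2) mode."""
    return any(l.strip() == "firewall transparent" for l in fwsm_config.splitlines())


def check_contexts(msfc_config: str, fwsm_config: str, slot: int) -> List[str]:
    """Return findings; an empty list means the allocation is consistent."""
    findings: List[str] = []
    reachable = module_vlans(msfc_config, slot)
    transparent = is_transparent(fwsm_config)
    owners: Dict[int, List[str]] = {}
    for name, vlans in context_vlans(fwsm_config).items():
        for v in vlans:
            owners.setdefault(v, []).append(name)
            if v not in reachable:
                findings.append(f"{name}: vlan {v} is not in a vlan-group bound to module {slot}")
    if transparent:  # routed contexts may share an interface; transparent ones may not
        for v, names in sorted(owners.items()):
            if len(names) > 1:
                findings.append(f"vlan {v} is shared by transparent contexts {', '.join(names)}")
    return findings
```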

Slide: Firewall Services Module: Configuration Tips for Getting Started
Define the VLANs the FWSM will protect in switch configuration mode:
  C6509# config t
  C6509(config)# vlan 200
  C6509(config)# vlan 201
  C6509(config)# vlan 202
Create a firewall group for the FWSM to manage (the VLAN group identifier followed by the VLANs defined in the previous step):
  C6509(config)# firewall vlan-group
Attach the firewall group to the FWSM (the slot where the FWSM is installed in the chassis, then the group):
  C6509(config)# firewall module 6 vlan-group 100

Slide: Firewall Services Module (Cont.): Configuration Tips for Getting Started
Some initial FWSM configuration statements:
  FWSM# wr t
  Building configuration...
  : Saved
  :
  FWSM Version 3.1(1)
  <snip>
  interface Vlan200
   nameif inside
   security-level 100
   ip address
  <snip>
  icmp permit any inside
  <snip>
  http server enable
  http inside
  <snip>
  telnet inside
Notes:
- interface Vlan200 / nameif / security-level: define VLAN interfaces and associate security levels
- icmp permit any inside: use this statement for each interface that you want to respond to pings; without it no pings will be answered
- http server enable / http inside: if you want to use PDM to configure the FWSM, then you need to enable HTTP and specify the IP address of each user requiring
- telnet inside: if you want to use Telnet to the FWSM through a FWSM interface, then you need to define a telnet statement for each user requiring

Slide: Integrated Data Center Design Options

Slide: Data Center Services Design Options
- We understand what products and devices are available in the data center to provide the services of security, server load balancing, SSL offload, etc.
- We understand the design options of individual products
- Let's look at different ways of integrating these products
- Each design consists of three redundant layers: core, aggregation, and access
(1) FW on core with ACE/CSM on aggregation in Layer 3
(2) FW and ACE on aggregation with ACE/CSM in Layer 2 and FW in Layer 3
(3) FW and ACE on aggregation with ACE/CSM in one-armed and FW in Layer 3
(4) FW and ACE on aggregation with ACE/CSM in one-armed and FW in Layer 2 (secure internal segment)

Slide: Physical Topology

Slide: Design (1): Firewall on Core; ACE/CSM on Aggregation in Layer 3 Mode
[Diagram: WAN to Cat6509-Core-1 and Cat6509-Core-2, VLANs 2 and 3 down to Cat6513-Agg-1 and Cat6513-Agg-2 (joined by the data link); ACE-1 and ACE-2 with control VLAN 200 and client VLAN 16; server VLANs 17 (Web), 18 (App) and 19 (DB) to the access Catalyst switches and the Web, App and DB servers; SSL termination on ACE]
Security details:
- Layer 3 firewall used
- Firewall perimeter at the core
- Aggregation and access are considered trusted zones
- Security perimeter not possible between Web/App/DB tiers
- In the aggregation layer, some security using VLAN tags on the CSM is possible
Content switching details:
- ACE/CSM is used in routed design
- Servers' default gateway is the ACE/CSM alias IP address
- Extra configuration needed for direct access to servers and non-load-balanced server-initiated sessions
- ACE/CSM's default gateway is the HSRP group IP on the MSFC
- Since the MSFC is directly connected to the ACE/CSM, RHI is possible
- All traffic to/from servers, load balanced or not, goes through the CSM

Slide: Design (1): Firewall on Core; ACE/CSM on Aggregation in Layer 3 Mode: Configuration Snapshots
CSM:
  module ContentSwitchingModule 3
   vlan 16 client
    ip address
    gateway
    alias
   vlan 17 server
    ip address
    alias
   vlan 18 server
    ip address
    alias
   vlan 19 server
    ip address
    alias
   serverfarm ROUTE
    no nat server
    no nat client
    predictor forward
   vserver ROUTE
    virtual any
    serverfarm ROUTE
    inservice
MSFC SVI:
  interface Vlan16
   ip address
   standby 16 ip
   standby 16 priority 150

Slide: Design (1): Firewall on Core; ACE/CSM on Aggregation in Layer 3 Mode: Session Flows
[Diagram: two copies of the design (1) topology (WAN, Cat6509-Core-1/2, VLANs 2 and 3, Cat6513-Agg-1/2, ACE-1/ACE-2 on control VLAN 200, server VLANs 17/18/19 to the Web, App and DB servers). Left, load-balanced session flow: the firewall makes the security decision at the core and the ACE makes the SLB decision. Right, server management session flow: the firewall makes the security decision and the ACE routes the traffic]

Slide: Design (2): Firewall and ACE/CSM on Aggregation; FW in Layer 3 and ACE/CSM in Layer 2 Mode
[Diagram: WAN to Cat6509-Core-1/2, VLANs 2 and 3 down to Cat6513-Agg-1/2 (joined by the data link); FWSM1 and FWSM2 on VLAN 16 towards the MSFC with inside VLANs 7, 8 and 9; ACE-1 and ACE-2 (multiple control VLANs) bridging VLAN 7/17 (Web), 8/18 (App) and 9/19 (DB) to the access switches and servers; SSL termination on ACE]
Security details:
- Layer 3 firewall used with single contexts
- Firewall perimeter at the core
- Firewall perimeter is used in the aggregation between Web/App/DB tiers
Content switching details:
- ACE/CSM is used in bridged design with multiple bridged VLAN pairs
- Servers' default gateway is the firewall primary IP address
- No extra configuration needed for direct access to servers or non-load-balanced server-initiated sessions
- ACE/CSM's default gateway is the firewall primary IP address
- Since the MSFC is not directly connected to the ACE/CSM, RHI is not possible
- All traffic to/from servers, load balanced or not, goes through the ACE/CSM

Slide: Design (2): Firewall and ACE/CSM on Aggregation; FW in Layer 3 and ACE/CSM in Layer 2 Mode: Configuration Snapshots
CSM:
  module ContentSwitchingModule 3
   vlan 7 client
    ip address
    gateway
   vlan 17 server
    ip address
   vlan 8 client
    ip address
    gateway
   vlan 18 server
    ip address
MSFC SVI:
  interface Vlan16
   ip address
   standby 16 ip
   standby 16 priority 150
VLANs on the firewall:
- VLAN16 (towards the MSFC)
- Inside server VLANs: VLAN7, VLAN8, VLAN9

Slide: Design (2): Firewall and ACE/CSM on Aggregation; FW in Layer 3 and ACE/CSM in Layer 2 Mode: Session Flows
[Diagram: two copies of the design (2) topology (WAN, Cat6509-Core-1/2, VLANs 2 and 3, Cat6513-Agg-1/2, SSLM1, FWSM1/FWSM2 on VLAN 11 with internal DMZ perimeters on VLANs 7/8/9, ACE-1/ACE-2 with multiple control VLANs bridging to VLANs 17/18/19 and the Web, App and DB servers). Left, load-balanced session flow: the core firewall makes the security decision, the flow crosses the internal DMZ perimeters, and the ACE makes the SLB decision. Right, web server to app server session flow: the internal DMZ perimeters on the FWSM make the decision while the ACE bridges the traffic]

Slide: Design (3): Firewall and ACE/CSM on Aggregation; FW in Layer 3 and ACE/CSM in One-Armed Mode
[Diagram: WAN to Cat6509-Core-1/2, VLANs 2 and 3 down to Cat6513-Agg-1/2 (joined by the data link); FWSM1 and FWSM2 on VLAN 16 towards the MSFC; ACE-1 and ACE-2 one-armed on VLAN 15 with multiple control VLANs; DMZ VLANs 17 (Web), 18 (App) and 19 (DB) to the access switches and servers; SSL termination on ACE]
Security details:
- Layer 3 firewall used with single contexts
- Firewall perimeter at the core
- Firewall perimeter is used in the aggregation between Web/App/DB tiers
Content switching details:
- ACE/CSM is used in a one-armed fashion
- Servers' default gateway is the firewall primary IP address
- No extra configuration needed for direct access to servers or non-load-balanced server-initiated sessions
- ACE/CSM's default gateway is the HSRP group address on the MSFC
- Since the MSFC is directly connected to the ACE/CSM, RHI is possible
- All non-load-balanced traffic to/from servers will bypass the ACE/CSM

Slide: Design (3): Firewall and CSM on Aggregation; FW in Layer 3 and CSM in One-Armed Mode: Configuration Snapshots
CSM:
  module ContentSwitchingModule 3
   vlan 15 server
    ip address
    gateway
    alias
MSFC SVI:
  interface Vlan15
   ip address
   standby 15 ip
   standby 15 priority 150
  interface Vlan16
   ip address
   standby 16 ip
   standby 16 priority 150
VLANs on the firewall:
- VLAN16 (towards the MSFC)
- DMZ VLANs: VLAN17, VLAN18, VLAN19

Slide: Design (3): Firewall and CSM on Aggregation; FW in Layer 3 and CSM in One-Armed Mode: Session Flows (1 of 2)
[Diagram: two copies of the design (3) topology (WAN, Cat6509-Core-1/2, VLANs 2 and 3, Cat6513-Agg-1/2, ACE-1/ACE-2, FWSM1/FWSM2 with multiple control VLANs and internal DMZ perimeters on VLANs 17/18/19 to the Web, App and DB servers). Left, load-balanced session flow: the core firewall makes the security decision, PBR or source NAT steers the flow to the ACE, which makes the SLB decision, then through the internal DMZ perimeters. Right, web server to app server session flow: the ACE is bypassed and only the internal DMZ perimeters are crossed]

Slide: Design (3): Firewall and ACE/CSM on Aggregation; FW in Layer 3 and CSM in One-Armed Mode: Session Flows (2 of 2)
[Diagram: server management session flow on the design (3) topology: the firewall makes the security decision, the ACE is bypassed, and the flow crosses the FWSM internal DMZ perimeters (VLANs 17/18/19) to the Web, App and DB servers]

Slide: Design (4): Firewall and ACE/CSM on Aggregation; FW in Layer 2 and CSM in One-Armed Mode [Secure Internal Segment]
[Diagram: WAN to Cat6509-Core-1/2 on VLAN 12; Cat6513-Agg-1/2 form the secure internal segment (joined by the data link); FWSM1 and FWSM2 with multiple control VLANs bridge VLAN 2/12 (outside), VLAN 11 (towards the ACE), VLAN 7/17 (Web), 8/18 (App) and 9/19 (DB) to the access switches and servers; SSL termination on ACE]
Security details:
- Layer 2 firewall used with multiple contexts
- Firewall perimeter at outside, internal and each DMZ
- Agg MSFC is a secure internal segment with protection from each connected network
- Secure internal segment is protected from malicious activity from each DC network
Content switching details:
- ACE/CSM is used in a one-armed fashion
- Servers' default gateway is the HSRP group IP address
- No extra configuration needed for direct access to servers or non-load-balanced server-initiated sessions
- ACE/CSM's default gateway is the HSRP group address on the MSFC
- Since the MSFC is directly connected to the ACE/CSM, RHI is possible
- All non-load-balanced traffic to/from servers will bypass the ACE/CSM

Slide: Design (4): Firewall and ACE/CSM on Aggregation; FW in Layer 2 and CSM in One-Armed Mode [Secure Internal Segment]: Configuration Snapshots
CSM:
  module ContentSwitchingModule 3
   vlan 15 server
    ip address
    gateway
    alias
   vlan 11 server
    ip address
    alias
Firewall contexts:
  context DB
   allocate-interface vlan7
   allocate-interface vlan17
   config-url disk:/db.cfg
  context APP
   allocate-interface vlan8
   allocate-interface vlan18
   config-url disk:/app.cfg
  context WEB
   allocate-interface vlan9
   allocate-interface vlan19
   config-url disk:/web.cfg
MSFC SVI:
  interface Vlan15
   description VLAN Towards ACE
   ip address
   standby 15 ip
   standby 15 priority 150
  interface Vlan7
   ip address
   standby 17 ip
   standby 17 priority 150
  interface Vlan8
   ip address
   standby 18 ip
   standby 18 priority 150
  interface Vlan9
   ip address
   standby 19 ip
   standby 19 priority

Slide: Real-World Deployments

Real-World Deployments: Firewall All DMZs and Networks

Goal
- Ensure high security within the data center
- All tiers (Web/App/DB) are untrusted
- Sessions between servers should be locked down to particular ports
- Ensure non-load-balanced traffic bypasses the content switch

Solution
- Transparent virtual contexts used on the FWSM to seamlessly integrate a firewall perimeter on each of the data center VLANs
- Content switch deployed in a one-armed fashion

[Figure: Internet via Edge Router 1/Edge Router 2 and an Internal Router into Cat6509-Core-1/Cat6509-Core-2 (MSFC, FWSM1/FWSM2, Outside VLAN 6, Inside VLAN 14, Core); CSS11506_1/CSS11506_2 on the secure internal segment; FWSM LAN failover and state link VLANs (VLAN 200, VLAN 201); DMZ VLAN 3 with Web Server 1/Web Server 2 and DMZ VLAN 5 with App Server 1/App Server 2. Legend: Data.]

Design Approach
- Layer 2 firewall used with multiple contexts
- Firewall perimeter at outside, internal and each DMZ
- Agg MSFC is a secure internal segment with protection from each connected network
- Secure internal segment is protected from malicious activity from each DC network/VLAN
- Switches set up in a Layer 2 approach
- CSS11506 is used in a one-armed fashion
- Since NAT is not supported on the transparent FW, NAT is performed on the MSFC

Content Switching Details
- Servers' default gateway is the HSRP group IP address on the agg switches
- CSS's default gateway is the HSRP group address on the MSFC on VLAN 40
- Since the MSFC is directly connected to the ACE, RHI is possible
- All non-load-balanced traffic to/from servers will bypass the CSS

Real-World Deployments: Firewall All DMZs and Networks (configuration)

context WEB
 allocate-interface vlan3
 allocate-interface vlan103
 config-url disk:/web.cfg
context APP
 allocate-interface vlan5
 allocate-interface vlan105
 config-url disk:/app.cfg

PBR for Production Web Apps
access-list 121 permit tcp any eq www any
access-list 121 permit tcp any eq 443 any
access-list 121 deny ip any any
route-map FromDMZWebSendToCSS permit 10
 match ip address 121
 set ip next-hop
interface Vlan3
 description DMZWeb
 ip policy route-map FromDMZWebSendToCSS

MSFC SVI
interface Vlan3
 description DMZWeb
 ip address
 standby 3 ip
 standby 3 priority 150
 ip nat inside
interface Vlan6
 description Outside
 ip address
 standby 6 ip
 standby 6 priority 150
 ip nat outside
interface Vlan40
 description CSSVLAN
 ip address
 standby 40 ip
 standby 40 priority 150
 ip nat inside

Real-World Deployments (Nexus): Trust with Caution

Goal
- Firewall perimeter needed to protect against the outside world, which includes Internet clients and partners
- Secure VPN is needed for access into the data center
- All tiers are trusted, as extensive application hardening is deployed
- Session monitoring is essential

Solution
- Routed virtual contexts used on the FWSM to create multiple perimeters on the core switches; this ensures protection from Internet clients and from partners
- Content switching module is deployed in a one-armed fashion
- Layer 3 routing is used between the tiers
- Network- and host-based IPS are deployed to monitor sessions
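The PBR on the DMZWeb SVI is what holds the one-armed design together: only the web servers' replies on ports 80/443 are steered to the CSS, everything else is routed normally and bypasses it. The following Python model is an added example, not part of the deck; it reproduces the semantics of access-list 121 and route-map FromDMZWebSendToCSS, and adds a config check for VIP ports the ACL does not cover. CSS_NEXT_HOP and all sample addresses are constructed placeholders (the slide elides the real next-hop).

```python
"""Model of the policy-based routing decision on the DMZWeb SVI.

Added example (not from the Cisco deck): reproduces the semantics of
access-list 121 and route-map FromDMZWebSendToCSS so you can see which
server-originated packets are steered to the one-armed CSS and which bypass
it.  CSS_NEXT_HOP and all sample addresses are constructed placeholders.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

CSS_NEXT_HOP = "192.0.2.10"  # constructed placeholder for "set ip next-hop <CSS address>"


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp", "icmp", ...
    src: str
    sport: Optional[int]  # None for protocols without ports
    dst: str
    dport: Optional[int]


@dataclass(frozen=True)
class AclEntry:
    """One line of an IOS extended ACL with 'any' source/destination wildcards."""
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src_port: Optional[int] = None  # "eq <port>" written after the SOURCE wildcard
    dst_port: Optional[int] = None  # "eq <port>" written after the DESTINATION wildcard

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src_port is not None and pkt.sport != self.src_port:
            return False
        if self.dst_port is not None and pkt.dport != self.dst_port:
            return False
        return True


# access-list 121 exactly as on the slide ("www" is IOS shorthand for 80).
# "eq" follows the source wildcard, so the entries match the servers' REPLY
# traffic (source port 80/443), which is what must return through the CSS.
ACL_121: List[AclEntry] = [
    AclEntry("permit", "tcp", src_port=80),
    AclEntry("permit", "tcp", src_port=443),
    AclEntry("deny", "ip"),
]


def acl_permits(acl: List[AclEntry], pkt: Packet) -> bool:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action == "permit"
    return False


def pbr_next_hop(pkt: Packet, acl: List[AclEntry] = ACL_121) -> Optional[str]:
    """route-map FromDMZWebSendToCSS permit 10 / match ip address 121 / set ip next-hop.

    A packet permitted by the match ACL gets the configured next hop; every
    other packet is routed normally, i.e. it bypasses the CSS as the slide says.
    """
    return CSS_NEXT_HOP if acl_permits(acl, pkt) else None


def vip_ports_not_steered(vip_ports: Set[int], acl: List[AclEntry] = ACL_121) -> Set[int]:
    """Config check: TCP ports served by CSS VIPs whose server replies would NOT
    be policy-routed back to the CSS.  In a one-armed design without source NAT,
    a VIP added on such a port (say 8443) without a matching ACL line produces
    replies that bypass the CSS and reach the client from the real server's own
    address, so the session fails."""
    steered = {e.src_port for e in acl if e.action == "permit" and e.proto == "tcp"}
    return {p for p in vip_ports if p not in steered}


if __name__ == "__main__":
    # Constructed sample flows leaving the DMZWeb VLAN (documentation address ranges).
    samples = [
        ("HTTP reply to load-balanced client",  Packet("tcp", "10.1.3.10", 80, "198.51.100.7", 51234)),
        ("HTTPS reply to load-balanced client", Packet("tcp", "10.1.3.10", 443, "198.51.100.7", 51235)),
        ("Web server calling the app tier",     Packet("tcp", "10.1.3.10", 40211, "10.1.5.20", 8080)),
        ("SSH management session reply",        Packet("tcp", "10.1.3.10", 22, "10.1.40.5", 60000)),
        ("DNS query from the web server",       Packet("udp", "10.1.3.10", 33333, "10.1.1.53", 53)),
    ]
    for label, pkt in samples:
        hop = pbr_next_hop(pkt)
        print(f"{label:38s} -> {('to CSS ' + hop) if hop else 'bypasses CSS (normal routing)'}")
    print("VIP ports whose replies bypass the CSS:", vip_ports_not_steered({80, 443, 8443}))
```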

Q and A

Recommended Reading
- Solutions Reference Network Design (SRND)
- Continue your Networkers at Cisco Live learning experience with further reading from Cisco Press
- Check the Recommended Reading flyer for suggested books
- Designing Content Switching Solutions, ISBN: X, by Zeeshan Naseh and Haroon Khan
- Available onsite at the Cisco Company Store

Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily. Receive 20 Passport points for each session evaluation you complete. Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don't forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October. Go to the Collaboration Zone in World of Solutions or visit


Zone-Based Policy Firewall High Availability The feature enables you to configure pairs of devices to act as backup for each other. High availability can be configured to determine the active device based on a number of failover conditions. When

More information

Segmentation. Threat Defense. Visibility

Segmentation. Threat Defense. Visibility Segmentation Threat Defense Visibility Establish boundaries: network, compute, virtual Enforce policy by functions, devices, organizations, compliance Control and prevent unauthorized access to networks,

More information

Home Agent Redundancy

Home Agent Redundancy CHAPTER 5 This chapter discusses several concepts related to, how Home Agent redundancy works, and how to configure redundancy on the Cisco Mobile Wireless Home Agent. This chapter includes the following

More information

Introducing Cisco Data Center Networking [AT]

Introducing Cisco Data Center Networking [AT] Introducing Cisco Data Center Networking [AT] Number: 640-911 Passing Score: 825 Time Limit: 120 min File Version: 1.0 http://www.gratisexam.com/ Cisco 640-911 Introducing Cisco Data Center Networking

More information

Cisco Certified Network Associate ( )

Cisco Certified Network Associate ( ) Cisco Certified Network Associate (200-125) Exam Description: The Cisco Certified Network Associate (CCNA) Routing and Switching composite exam (200-125) is a 90-minute, 50 60 question assessment that

More information

Cisco CISCO Securing Networks with ASA Advanced. Practice Test. Version

Cisco CISCO Securing Networks with ASA Advanced. Practice Test. Version Cisco 642-515 CISCO 642-515 Securing Networks with ASA Advanced Practice Test Version 3.1 QUESTION NO: 1 Cisco 642-515: Practice Exam Which two statements correctly describe configuring active/active failover?

More information

This chapter covers the following topics: Types of server farms and Data Centers Data Center topologies Fully redundant Layer 2 and Layer 3 designs

This chapter covers the following topics: Types of server farms and Data Centers Data Center topologies Fully redundant Layer 2 and Layer 3 designs This chapter covers the following topics: Types of server farms and Data Centers Data Center topologies Fully redundant Layer 2 and Layer 3 designs Fully redundant Layer 2 and Layer 3 designs with services

More information

Multihoming with BGP and NAT

Multihoming with BGP and NAT Eliminating ISP as a single point of failure www.noction.com Table of Contents Introduction 1. R-NAT Configuration 1.1 NAT Configuration 5. ISPs Routers Configuration 3 15 7 7 5.1 ISP-A Configuration 5.2

More information

Chapter 1: Enterprise Campus Architecture. Course v6 Chapter # , Cisco Systems, Inc. All rights reserved. Cisco Public

Chapter 1: Enterprise Campus Architecture. Course v6 Chapter # , Cisco Systems, Inc. All rights reserved. Cisco Public Chapter 1: Analyzing The Cisco Enterprise Campus Architecture CCNP SWITCH: Implementing IP Switching Course v6 1 Chapter 1 Objectives Describe common campus design options and how design choices affect

More information

High Availability Options

High Availability Options , on page 1 Load Balancing, on page 2 Distributed VPN Clustering, Load balancing and Failover are high-availability features that function differently and have different requirements. In some circumstances

More information

BIG-IP Access Policy Manager : Secure Web Gateway. Version 13.0

BIG-IP Access Policy Manager : Secure Web Gateway. Version 13.0 BIG-IP Access Policy Manager : Secure Web Gateway Version 13.0 Table of Contents Table of Contents BIG-IP APM Secure Web Gateway Overview...9 About APM Secure Web Gateway... 9 About APM benefits for web

More information

Borderless Networks. Tom Schepers, Director Systems Engineering

Borderless Networks. Tom Schepers, Director Systems Engineering Borderless Networks Tom Schepers, Director Systems Engineering Agenda Introducing Enterprise Network Architecture Unified Access Cloud Intelligent Network & Unified Services Enterprise Networks in Action

More information

Cisco ACE30 Application Control Engine Module

Cisco ACE30 Application Control Engine Module Data Sheet Cisco ACE30 Application Control Engine Module Product Overview The Cisco ACE30 Application Control Engine Module (Figure 1) belongs to the Cisco ACE family of application switches, which deliver

More information