Educause Security Discussion mailing list archives

Re: Data Center Design - Are discrete routers needed?


From: "Everett, Alex D" <alex.everett () UNC EDU>
Date: Fri, 29 Apr 2011 17:37:15 +0000

Gary:

Our situation doesn't mirror what you are describing. Today, we have data center routers AND data center hardware firewalls, all at Layer 3. The firewalls are only for specific data center networks, not ALL networks, and deny all inbound by default.
To your points, in order:

  1.  Not sure I understand what you are saying. Either way, the firewall will need to handle the same load. Here, I assume that load is all inter-VLAN traffic.
  2.  Not really convinced that would be a good strategy. A much more important question is who can manage this infrastructure, do they have the expertise, and does your platform support your goals (IPv6, jumbo frames, multicast, JSRP/HSRP/VRRP, etc.)?
  3.  Not really convinced of this. Now you increase the chance of a single failure, power requirements, rack space, etc. Planning is more important here (active/passive? VSS?).
  4.  Maybe, maybe not; see item 2.

Make sure to get recommendations if you go with blades; I am just not familiar with many positive experiences, or in general.
We have chosen L3 implementations so far and use OSPF for internal routing, which we had to learn.
This gives you more flexibility on location and less port density needs.
You may also want to think where load balancing will fit in.

Sincerely,

Alex Everett, CISSP, CCNA
University of North Carolina
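The two-tier layout Alex describes (routers at Layer 3 for every data center VLAN, a separate hardware firewall in front of only the protected networks, default-deny inbound, OSPF between the boxes) can be sketched as a pair of device configs. This is an added example written for this page, not a configuration from UNC, JMU or either poster; it assumes Cisco IOS syntax on the distribution router and Cisco ASA syntax on the firewall, and every hostname, VLAN number and 10.10.x.x address is hypothetical.

```cisco
! ---- dc-dist-1: distribution router / L3 switch (IOS syntax, hypothetical) ----
hostname dc-dist-1
!
! VLAN 10 is a general server network: routed directly, never passes the firewall.
interface Vlan10
 description DC servers - general (not firewalled)
 ip address 10.10.10.2 255.255.255.0
 ip ospf 1 area 0
 standby 10 ip 10.10.10.1
 standby 10 priority 110
 standby 10 preempt
!
! VLAN 20 is only a transit segment to the firewall's outside interface.
interface Vlan20
 description Transit to data center firewall (outside)
 ip address 10.10.20.1 255.255.255.0
 ip ospf 1 area 0
!
! OSPF carries the protected subnet learned from the firewall; all SVIs are
! passive except the transit VLAN, so servers never see OSPF hellos.
router ospf 1
 router-id 10.255.0.1
 passive-interface default
 no passive-interface Vlan20
!
! ---- dc-fw-1: data center firewall (ASA syntax, hypothetical) ----
hostname dc-fw-1
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.10.20.2 255.255.255.0
!
! Only VLAN 30 sits behind the firewall.
interface GigabitEthernet0/1
 nameif dc-protected
 security-level 100
 ip address 10.10.30.1 255.255.255.0
!
! ASA OSPF network statements take a subnet mask, not an IOS-style wildcard.
router ospf 1
 router-id 10.255.0.3
 network 10.10.20.0 255.255.255.0 area 0
 network 10.10.30.0 255.255.255.0 area 0
!
! Inbound toward the protected network is deny-all by default (lower to higher
! security level); the ACL opens exactly one service and logs everything else.
access-list OUTSIDE_IN extended permit tcp any host 10.10.30.10 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

The point of the split is visible in the addressing: VLAN 10 traffic is forwarded by the router and never consumes firewall throughput, so only flows to and from 10.10.30.0/24 are subject to the firewall's capacity and its inbound policy. Collapsing the router into the firewall, as Gary proposes, would put VLAN 10's inter-VLAN traffic through the same box as well; that is the load question in item 1 above.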


From: "Flynn, Gary - flynngn" <flynngn () JMU EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Fri, 29 Apr 2011 16:02:41 +0000
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Data Center Design - Are discrete routers needed?

Hi,

We're contemplating new architectures for our data centers. One of our discussions involved whether it is necessary to have both distribution routers and firewalls inside the data center. My contention is that firewalls can handle any internal data center distribution needs, as any Layer 3 routing or VLAN support needs are a subset of firewall functionality and easily handled by them. Additionally, the firewalls are going to be present in either architecture and be inline with any traffic, so their performance and reliability capabilities have to be on par with other inline devices anyway. Simply bring the traffic to the data center and terminate it in either a simple router with one leg to the firewall infrastructure or into the firewall infrastructure itself. This, to me, decreases unnecessary complexity and cost. The other side of the argument says:

  *   firewalls won't be able to handle the aggregate performance needs
  *   best-of-breed devices designed specifically for routing should be used rather than firewalls
  *   having two sets of devices will be more reliable, as it will provide more configuration and downtime response options
  *   routers will have more features and capabilities to support redundant, high-availability paths between multiple data centers

We're also trying to decide where firewall blades installed in routers fit in the schemes.

Any opinions? ;)

If you don't want to respond publicly, all non-list responses will be kept confidential and will be shared only within the small IT group evaluating options. I'll also anonymize the response before sharing internally if you desire.

If enough off-list responses are received, I'll anonymize the responses and re-post a summary unless asked not to.

Thanks in advance for any opinions or experiences.

--
Gary Flynn
Security Engineer
James Madison University
