To begin with, I've spent about 3 full days reading post after post, trying to grasp the best approach to our network.
We are an existing company providing dedicated and shared hosting, we use 2 data centre sites in the UK, but for the purpose of this post, I'll only refer loosely to 1 deployment.
Our network infrastructure could do with a little 'professional' attention (pm me if you are interested), whilst I'm capable and happy to learn, my practices might not always be the best/most efficient/secure.
Our current (simplified) network is so:
See attached 'main_network_concept.png'
We have IP subnets routed from our DC provider to either the customers dedicated firewall or a main shared firewall.
Each dedicated customer *without* a dedicated firewall has their own VLAN, with routing provided via "router on a stick" using the layer 2 switch and main shared firewall.
Each dedicated customer *with* a dedicated firewall is just plugged directly into their respective firewall.
All firewalls have an IP from our main glue/routing block and are attached to the layer 2 switch (in a dormant VLAN) together with a fast ethernet uplink to our DC provider.
My reason for concern at the moment is that customers with a dedicated firewall *could* change their firewall IP, and that the main shared firewall is going to become a bottleneck performing routing VLAN traffic.
My intention is to replace the layer 2 switch, with a "core" layer 3 switch - so that it can handle VLAN routing and release the burden from the main shared firewall. Like this ...
See attached 'planned_network_concept.png'
Some current statistics:
As of now
Number of VLANs: 10
Number of dedicated servers: 13
Average monthly throughput: 4Mbit
Estimates for next 12 months
Number of VLANs: 20
Number of dedicated servers: 24
Average monthly throughput: 25Mbit
Budget for layer 3 switch: £1k
Number of ports required: 1 for uplink
1 for trunking to layer 2
In terms of a layer 3 "core" switch, after much reading, I narrowed it down to the Cisco 3560, Foundry FESX424-PREM, HP E3500 yl and the Juniper EX3200. Gigabit isn't important, as I feel our commit will always be under 100Mbit, and once it exceeds this, I'll upgrade the switches to more capable units anyway.
The Cisco is the only one that appears to fall into my budget.
It looks like the base IP software will be sufficient for my purposes. The number of ports isn't really important as it will be trunked off to the layer 2 switch. So these looked good to me:
(Ignoring the simplified diagrams) I will be buying 2 switches and setting them up in HSRP/GLBP and connecting them to the 2 layer 2 switches. Each dedicated server has each NIC bonded (1) and connected to each layer 2 switch. *Redundancy, security and performance are key*
What I'm ultimately asking is,
1. Will these switches be capable for my intended use? VLAN routing, basic rate limiting, basic ACL, trunk to layer 2 switches
2. Is my proposed network the most sensible approach?
3. I recall reading a post here (goo.gl/STgjd) that mentions a situation similar to ours. They mention using RIP to have firewalls "pooled" and routed, rather than having their respective servers to be physically plugged in to firewall's LAN. Have I interpreted this correctly?
4. Who is a capable Cisco switch admin that will implement the above?
Last edited by ben_uk; 05-18-2011 at 04:13 PM.
Reason: added images links
I did look at that switch (in fact, most of the Procurve range). But what put me off is the tiny routing table.
Routing Table: 32 entries
The other switches above can support routing tables in excess of 5000 routes. From what I've read, the size of the routing table is important to ensure routing is done in HW rather than SW - correct me if I'm wrong.
Yes, the switch is (software based) limited to 32 static routes on its own. So, routes to 32 different subnets:
ip route static 18.104.22.168/24 nexthop-layer3-switch-2
ip route static 22.214.171.124/24 nexthop-layer3-switch-2
ip route static 126.96.36.199/24 nexthop-layer3-switch-2
ip route static 188.8.131.52/24 nexthop-layer3-switch-2
How many subnets will you have that the switch has to deal with? If you have more, well forget that switch. If you have less within the next years... Btw, those are only a few static routes, so the CPU has little to do.
If you are not highly concerned with gigabit connectivity, even internally, look at Cisco 3550s. They are dirt cheap and should do what you want without much trouble. If you only need static routing, you should also consider the Juniper EX2200.
Jay Sudowski // Handy Networks LLC // Co-Founder & CTO
I looked at the 3550 - but after reading a lot of comments on here - it says they really suffer in terms of performance when using more than ~7 VLANs, and that the 3560 is recommended instead as it isn't CPU based like the 3550 range.
That Juniper model looks good, cost-wise, it's on a par with the 3560 but the feature-set looks pretty good. I've heard good things about the Juniper range too.
Just in case I'm being particularly dim, in what instance wouldn't I be using static routes?
My intention is to create the new network as above, which means routing specific IP subnets to their respective VLAN. Customers with dedicated firewalls need their routes changing to pass inbound/outbound through the firewall.
Is this all achievable with static routes?
Edit: It looks like VRRP isn't supported on the EX2200 - that's a no go then.
I'm inclined to stretch my budget to £1,300 to get the EX3200 - ultimately, is this worth the ~£600 increase over the 3560 (am I going to see the benefits?)
Last edited by ben_uk; 05-20-2011 at 07:54 PM.
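On the static-route question and the 32-entry limit raised above, here is an added example (not posted by anyone in the thread) that checks a route plan before it is entered on a switch. The addresses, customer names, glue block and the `check_plan` helper are constructed for illustration, and it assumes VLAN subnets routed on the layer 3 switch are connected routes, so only firewall-fronted subnets need a static entry.

```python
import ipaddress

ROUTE_TABLE_LIMIT = 32  # static-route limit quoted in the thread

# Constructed sample plan using documentation ranges, not the poster's addresses.
GLUE_BLOCK = ipaddress.ip_network("192.0.2.0/28")  # assumed glue/routing block
PLAN = [
    # (customer, routed subnet, firewall next hop, or None if the switch routes the VLAN)
    ("cust-a", "198.51.100.0/28", None),
    ("cust-b", "198.51.100.16/28", "192.0.2.5"),
    ("cust-c", "198.51.100.24/29", "192.0.2.6"),     # overlaps cust-b
    ("cust-d", "203.0.113.5/29", "192.0.2.7"),       # host bits set
    ("cust-e", "203.0.113.64/27", "198.51.100.1"),   # next hop outside glue block
]


def check_plan(plan, glue_block=GLUE_BLOCK, limit=ROUTE_TABLE_LIMIT):
    """Validate a route plan; return accepted static routes, problems and table fit."""
    accepted, problems = [], []
    for name, subnet, next_hop in plan:
        try:
            net = ipaddress.ip_network(subnet, strict=True)
        except ValueError:
            problems.append((name, "not a network address"))
            continue
        clash = next((n for n, other, _ in accepted if net.overlaps(other)), None)
        if clash is not None:
            problems.append((name, f"overlaps {clash}"))
            continue
        if next_hop is not None and ipaddress.ip_address(next_hop) not in glue_block:
            problems.append((name, "next hop outside glue block"))
            continue
        accepted.append((name, net, next_hop))
    # Assumption: VLAN subnets routed on the switch are connected routes;
    # only firewall-fronted subnets consume a static-route entry.
    static = [(str(net), hop) for _, net, hop in accepted if hop is not None]
    return {"static_routes": static, "problems": problems,
            "fits_table": len(static) <= limit}


if __name__ == "__main__":
    result = check_plan(PLAN)
    for net, hop in result["static_routes"]:
        print(f"route {net} via {hop}")
    for name, why in result["problems"]:
        print(f"REJECTED {name}: {why}")
    print("fits 32-entry table:", result["fits_table"])
```

The next-hop check only confirms that a planned firewall address sits inside the glue block; it does not stop a customer from later changing the address on their firewall.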