I am going to set up a private network for my servers in my colo racks. I need some suggestions as to what equipment I need to set up a redundant network, and I will provide some of the requirements I have. Suggestions on how to set this whole thing up are also welcome.
Expected traffic is 100 Mbps, going up to 1 Gbps in the near future.
I want to provide some hardware firewall/filtering and basic DoS protection, but need the option to turn it off/on for some IPs, as some servers are private and some are public.
I need traffic shaping, bandwidth monitoring, calculation, etc.
Is VLAN a preferred setup if I want to move an IP from server to server? Let's say I want to route an IP to another server from the original server whenever I want to.
I am not putting a budget down, to keep options open, but in case you need it to provide the necessary info, I would say at least $5000 is for sure, but nothing is set. Of course if I can get what I want for less, that's fine.
You might look at a Cisco 3550-SMI, or, if you wish to utilize multiple upstream connections to your ISP/co-lo provider, the 3550-EMI. It has hardware ACLs and rate-limiting/policing, and the EMI router speaks BGP and OSPF. It does not have enough memory for full BGP tables, but it sounds like you just need some basic redundancy -- you can get that by speaking BGP to your provider and accepting a default route from them on each of two sessions. You don't need the full BGP table.
Note that the EMI doesn't have ACL matching for TCP bits (I think) and does not do TCP proxying or flow-based firewalling, so it is not really a good firewall; it's a good layer 3 switch with basic ACL features that you can use on a TCP/UDP address:port basis to be a little bit careful with your traffic, and you can implement basic filters to drop traffic if you receive an attack.
Realistically, 100 Mb/s - 1 Gb/s is not enough to withstand the kind of DoS attacks that are commonly seen today. No matter what kind of box you buy, if you get a big attack you'll have to call your ISP and ask them to filter it.
If the access switch that the server is connected to dies in the above design, you're out of luck unless you're dual-homing your servers. Everything else above is running redundancy via STP, HSRP, or perhaps L3 EIGRP, if you have L3 switches.
Now, you said you wanted to introduce a 'new' subnet into the mix where you will have your 'own' private network, yes? This could be done simply by adding a pair of access switches to the above design, or even by using the existing switches and VLANing them out, considering your distribution switches are Layer 3 capable and can inter-route between the different subnets/VLANs.
The lowest end of L3 switches is the 3550 ($2k) + ($2k for the EMI software that allows you to route).
So that's one solution: get a pair of 3550s with EMI for your distribution layer and route + filter with ACLs between your access layer switches and your upper routers.
If you need more help, PM me. I can write a whole book on solutions; I would need a lot more detailed info from you to give YOU the one solution you're looking for.
Yes. That network map is what's in my mind. I just want to get the big picture, rather than what I will set up, because I want to know what's available, the options available, etc. $5000 is not fixed, just a minimum; it is just for reference, as long as it is working. Right now I'm looking for ideas and suggestions.
makesecure: If you need more information, we can PM each other.
One basic setup with the picture above would be:
Use 3550-24 + G with EMI for your distribution layer ($4k list)
Use 3550-24 + G with SMI for your access switches ($2k list)
Pick 26xx + modules based on your bandwidth intake and module requirements. The high-end 26xx, the 2691, comes with 2 fixed FE ports and up to 256/128 (RAM/flash), and gets up to 70 Kpps performance.
Redundancy and load balancing of the two routers would be accomplished by a) a routing protocol such as EIGRP between the distribution switches and the 2 routers, or b) just using HSRP between the routers/distribution.
Redundancy between the distribution and access switches would be based on Spanning Tree Protocol (STP). I recommend tweaking this to avoid the 40-50 second delay. If you have the $... you can get L3-capable switches even for your access layer switches and run a routing protocol to achieve better redundancy and recovery times than STP.
There is no redundancy between the host and access switch, unless you dual-home.
Run EtherChannel trunks between the switches for 'cable' redundancy and increased internal bandwidth performance. But you will lose some of the port count available for servers.
You should be able to connect up to 20 3550-24 SMI access switches with this design, giving you about 22x20 server ports, depending on your cabling.
3550s are QoS-capable; you will be able to route between the private/non-private VLANs, NAT, or use ACLs on the L3 distribution switches.
I would stick a pair of firewalls between the routers and distribution switches; you can even create a little DMZ with it for management servers or ...
You can always go 1000 Mb Ethernet or fiber; just pick different switches or routers.
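To make the design above concrete, here is an added configuration example (my own, not posted by anyone in this thread) covering what the last two answers describe: a private and a public server VLAN, HSRP gateways on the 3550-EMI distribution pair, a router ACL whose filtering is switched on or off per server IP, a policer for basic per-host rate-limiting, rapid spanning tree with portfast instead of the 40-50 second STP wait, an EtherChannel trunk to an access switch, and the default-route-only BGP session from the first answer. Every address (taken from the RFC 5737 documentation ranges), VLAN number, AS number, interface assignment and ACL/policy name is a constructed assumption. Only one distribution switch and one access switch are shown; the second distribution switch gets the same configuration with its own addresses and a lower standby priority.

```cisco
! === Distribution switch A (3550-24 EMI) === constructed example ===
! VLAN 10 = private servers 192.168.10.0/24, VLAN 20 = public servers 203.0.113.0/24
ip routing
mls qos
spanning-tree mode rapid-pvst
spanning-tree vlan 10,20 root primary
vlan 10
 name PRIVATE-SERVERS
vlan 20
 name PUBLIC-SERVERS
!
! Router ACL on the uplink, checked as traffic arrives from the routers/firewalls.
! Filtering is ON for every public server unless the IP is listed in the
! "OFF" block at the top, so toggling a server is one ACL line. Because the
! rule keys on the IP, moving an IP to another box in the same VLAN needs no
! switch change: the new server answers ARP (use "clear arp-cache" to hurry it).
ip access-list extended FROM-UPSTREAM
 remark --- filtering OFF: fully public hosts ---
 permit ip any host 203.0.113.50
 remark --- filtering ON: only the published services reach these hosts ---
 permit tcp any host 203.0.113.10 eq www
 permit tcp any host 203.0.113.10 eq 443
 permit tcp any host 203.0.113.20 eq smtp
 permit icmp any 203.0.113.0 0.0.0.255 echo-reply
 remark --- the private VLAN is never reachable from upstream ---
 deny   ip any 192.168.10.0 0.0.0.255
 deny   ip any any log
! Note: no TCP-flag matching is used, so filtered hosts cannot open outbound
! sessions of their own; stateful return traffic is the firewall pair's job.
!
! Basic per-host rate-limiting: cap what one attacked server can pull in, so
! a flood on .20 does not starve the others. (The upstream pipe still fills.)
ip access-list extended TO-HOST-20
 permit ip any host 203.0.113.20
class-map match-all HOST-20
 match access-group name TO-HOST-20
policy-map POLICE-PUBLIC
 class HOST-20
  police 10000000 500000 exceed-action drop
!
interface GigabitEthernet0/1
 description Routed uplink to router/firewall pair (HSRP VIP 198.51.100.1)
 no switchport
 ip address 198.51.100.2 255.255.255.0
 ip access-group FROM-UPSTREAM in
 service-policy input POLICE-PUBLIC
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! HSRP gateways shared with distribution switch B (B uses .3 and priority 100).
interface Vlan10
 ip address 192.168.10.2 255.255.255.0
 standby 10 ip 192.168.10.1
 standby 10 priority 110
 standby 10 preempt
interface Vlan20
 ip address 203.0.113.2 255.255.255.0
 standby 20 ip 203.0.113.1
 standby 20 priority 110
 standby 20 preempt
!
! Two-port EtherChannel trunk to access switch 1 (costs two FE ports per side).
interface range FastEthernet0/23 - 24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 channel-group 1 mode desirable
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! === Access switch 1 (3550-24 SMI) === 22 server ports remain ===
spanning-tree mode rapid-pvst
interface range FastEthernet0/23 - 24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode desirable
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
interface FastEthernet0/5
 description public web server 203.0.113.10
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
! === Each upstream router (e.g. 2691), one session per router to the provider ===
! Accept only a default route, as the first answer suggests; no full table needed.
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
router bgp 65001
 network 203.0.113.0 mask 255.255.255.0
 neighbor 192.0.2.1 remote-as 64500
 neighbor 192.0.2.1 prefix-list DEFAULT-ONLY in
ip route 203.0.113.0 255.255.255.0 198.51.100.2
ip route 203.0.113.0 255.255.255.0 198.51.100.3
```

Two things to check after pasting this in: "show standby brief" on both distribution switches should show one Active and one Standby per VLAN, and "show access-lists FROM-UPSTREAM" should show hit counts moving on the per-host lines, which also gives you a crude per-IP traffic count until proper monitoring is in place.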