Data Center Design and Implementation with Cisco Catalyst 6500 Service Modules: Overview


Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant
to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial
environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause
harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required
to correct the interference at their own expense.

The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not
installed in accordance with Cisco’s installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to
comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable
protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation.

Modifying the equipment without Cisco’s written authorization may result in the equipment no longer complying with FCC requirements for Class A or Class B digital
devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television
communications at your own expense.

You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the Cisco equipment or one of its
peripheral devices. If the equipment causes interference to radio or television reception, try to correct the interference by using one or more of the following measures:

• Turn the television or radio antenna until the interference stops.

• Move the equipment to one side or the other of the television or radio.

• Move the equipment farther away from the television or radio.

• Plug the equipment into an outlet that is on a different circuit from the television or radio. (That is, make certain the equipment and the television or radio are on circuits
controlled by different circuit breakers or fuses.)

Modifications to this product not authorized by Cisco Systems, Inc. could void the FCC approval and negate your authority to operate the product.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public
domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of Cisco Systems, Inc.;
Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA,
CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo,
Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net
Readiness Scorecard, LightStream, MGX, MICA, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar,
ScriptShare, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient, TransPath, and VCO are registered
trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.

All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship
between Cisco and any other company. (0304R)

Data Center Design and Implementation with Cisco Catalyst 6500 Service Modules: Overview
Copyright © 2004 Cisco Systems, Inc. All rights reserved.
CONTENTS

Data Center Design and Implementation with Cisco Catalyst 6500 Service Modules: Overview 1
  Service Module Overview 1
    Firewalling and Load Balancing in the Data Center 1
    The Benefits of Using Service Modules in the Data Center 2
    Recommended Hardware 3
    Stateful Inspection with the FWSM 4
    Load Balancing with the CSM 5
    Multi-Tier Server Farms 6
  Design Overview 8
    MSFC, FWSM, and CSM Design 8
    Routed Mode Versus Bridge Mode 11

Data Center Design and Implementation with Cisco Catalyst 6500 Service Modules: Overview
Version 2.0 iii
Data Center Design and Implementation with Cisco Catalyst 6500 Service Modules: Overview

This document is the first in a series of four documents that provide design guidance for implementing
Cisco Catalyst 6500 service modules as part of a secure, highly available, scalable data center
architecture:
• Data Center Design and Implementation with Cisco Catalyst 6500 Service Modules: Overview
• Firewalling and Load Balancing in the Data Center Using Cisco Catalyst 6500 Service Modules
• CSM One-Arm Design in the Data Center
• IDSM Design in the Data Center
This document includes the following sections:
• Service Module Overview, page 1
• Design Overview, page 8
This document provides an overview of design and implementation recommendations for the use of
Cisco Catalyst 6500 service modules in a data center.

Service Module Overview

This section includes the following topics:
• Firewalling and Load Balancing in the Data Center, page 1
• The Benefits of Using Service Modules in the Data Center, page 2
• Recommended Hardware, page 3
• Stateful Inspection with the FWSM, page 4
• Load Balancing with the CSM, page 5
• Multi-Tier Server Farms, page 6

Firewalling and Load Balancing in the Data Center

Data centers are composed of devices that provide the following functionality:

• Network connectivity, provided by switches and routers
• Network and server security, provided by firewalls and Intrusion Detection Systems (IDSs)
• Availability and scalability of applications, provided by load balancers, SSL offloaders, and caches
In addition, a Network Analysis Module (NAM) is typically used to monitor the functioning of the
network and the performance of the server farm.
This design document focuses on using firewalls and load balancers in the data center. Load balancers
distribute incoming requests to multiple servers, while firewalls analyze the traffic to avoid common
attacks to the server farm.
Although load balancing and firewalling can be deployed individually, these two technologies are often
deployed together, especially in multi-tier server farms with multiple tiers of a given application running
on separate machines. In multi-tier environments, firewalls are used as a security mechanism between
the tiers, and load balancers are used between the tiers to provide load balancing.

The Benefits of Using Service Modules in the Data Center

Data centers often include a variety of server platforms and operating systems, including legacy
platforms and systems. All the server farms need to communicate over the network infrastructure and
they often need similar services, such as protection against Denial of Service (DoS) attacks, load
distribution and so on. Obtaining these services from the network simplifies server configuration and
administration.
Security and load balancing services in the data center can be provided either with appliances or with
Cisco Catalyst 6500 linecards. The choice between the two families of devices is driven by considerations
of performance, rack space utilization, cabling, and features that may be provided by a specific device.
Service modules are cards that you plug into the Cisco Catalyst 6500 to provide firewalling, intrusion
detection, content switching, and SSL offloading. Each card provides a different functionality and takes
one slot in the Cisco Catalyst 6500 chassis. Examples of these modules are the following:
• Content Switching Module (CSM)—165,000 connections per second (cps), 1,000,000 concurrent
connections, 4 Gbps of throughput.
• Firewall Service Module (FWSM)—8 Gbps fabric attached, 100,000 cps, 5.5 Gbps of throughput,
1,000,000 concurrent connections.
• SSL System Module (SSLSM)—8 Gbps fabric attached, 3000 new transactions per second, 60,000
concurrent connections, 300 Mbps of throughput.
• Intrusion Detection System Module (IDSM-2)—8 Gbps fabric attached, 600 Mbps of throughput.
Service modules communicate with the network through the Cisco Catalyst 6500 backplane or fabric.
Service modules simplify and improve the deployment of services in the following ways:
• Service modules offer a single configuration point as opposed to many hardware and software
configurations (for example, you can enable SYN_COOKIEs on a CSM as opposed to enabling this
function on hundreds of servers).
• Service modules can be added to an existing switching infrastructure of Cisco Catalyst 6500s
without the need to provision additional cabling (power, network and console).
• A single service module can replace several smaller appliances and, in the case of the FWSM, can
be virtualized.
• Service modules are VLAN-aware, which makes consolidation and virtualization of the
infrastructure easier.
• Rack space utilization is optimized.

• Performance is improved.
As an example of rack space utilization, consider that a PIX 535 firewall takes 3 Rack Units (RUs), while
the FWSM takes one slot in a Cisco Catalyst switch. This means that an FWSM inside a Cisco Catalyst
6513 takes 1.4 RUs (19 RU/13 slots).

Recommended Hardware
The recommended Cisco data center hardware includes Cisco Catalyst 6500s at the aggregation layer
and one of the following platforms at the access layer:
• Cisco Catalyst 6500
• Cisco Catalyst 4500
• Cisco Catalyst 3750
Figure 1 shows the data center architecture with firewalls and load balancers. You can use either service
modules or service appliances attached to the aggregation switches. As shown in Figure 1, many service
modules can be deployed in a data center.
However, this design document focuses on firewalls and load balancers because these devices are
typically in the main traffic path between the client and the server farms that require protection and load
balancing. For this reason, careful integration of these devices with the data center routers and switches
is very important for successful deployment.

Figure 1 Data Center Architecture

[Figure: enterprise campus core above an aggregation layer and an access layer (servers and mainframe); service devices attached at the aggregation layer: load balancer, firewall, SSL offloader, cache, network analysis, IDS sensor]

Stateful Inspection with the FWSM

Firewalls are deployed in data centers to provide the following functions:
• Network Address Translation (NAT)
• Packet filtering (ACLs)
• DoS protection
• Stateful filtering
The FWSM is a 5.5 Gbps firewall, which supports up to 1,000,000 concurrent connections, 100,000 cps,
and 3 M packets per second (pps). Up to 4 FWSMs can be inserted in a Cisco Catalyst 6500 chassis to
provide approximately 20 Gbps of throughput.
The FWSM runs the PIX operating system, which provides the Adaptive Security Algorithm (ASA) and
allows the FWSM to examine network sessions and verify their validity. The FWSM maintains state
information for the existing connections and prevents operations that violate normal TCP or UDP
behavior.
The following are some of the security features offered by the FWSM:

• Initial Sequence Number (ISN) randomization—The ISN used by most TCP/IP stacks is not random
enough, which makes it possible for an attacker to perform session hijacking. You can randomize
the ISN by placing a FWSM in front of the server farm, which reduces the chances of session
hijacking.
• Embryonic connection limitation—This feature protects the server farm from DoS attacks by
intercepting half-open connections that occur with a rate higher than the configured threshold.
• Monitoring of TCP connections (IP addresses, source and destination ports, sequence numbers,
flags, and so on).
• Stateful filtering on complex protocols with fixups—The FWSM can open ports dynamically for
protocols that open multiple connections. The protocols supported by the FWSM include the
following: FTP, RPC, RSH, H.323v2, SQL*NET, NetBios over IP, RTSP, SIP, XDMCP, Skinny,
DNS, SMTP, VDOLive, IRC, CUSeeMe, Microsoft Netshow, Real Audio, and TFTP.
• Packet filtering with up to 80 K access list entries.
• Unicast RPF checks—The FWSM can verify the source IP address of a packet against its routing
table and drop the packet if it appears on an unexpected interface. This prevents attacks that use
source IP spoofing.
• Protection against fragment attacks (such as RFC 1858 attacks) by performing a virtual reassembly
of packets.
• Syslog reporting—The FWSM can log information about traffic matching access list entries.
For more information about FWSM, refer to the following website, which requires a Cisco.com
password:
http://www.cisco.com/en/US/partner/products/hw/modules/ps2706/products_data_sheet09186a00800c4fe7.html

Load Balancing with the CSM

Servers requiring maximum availability are often placed behind a load balancer. Load-balanced server
farms benefit from load distribution, application monitoring, and application layer services such as
session persistence. Load balancers make it easy to activate new servers by gradually adding new
connections to give the time for the newly activated server to ramp up. Load balancers also make it easier
to take a server out of a cluster without breaking existing connections.
Load-balanced server farms include web and application servers, DNS servers, LDAP servers, RADIUS
servers, TN3270 servers, streaming servers, and e-mail servers.

Note The document at the following URL outlines some of the popular applications of load balancing:
http://www.cisco.com/warp/public/cc/pd/cxsr/400/prodlit/sfarm_an.htm

The CSM is a 4 Gbps load balancer, capable of setting up 165,000 Layer 4 cps and capable of
maintaining 1,000,000 concurrent connections.
The CSM can load balance most applications as long as the IP address and the Layer 4 ports are known.
The CSM has additional knowledge of HTTP, DNS, FTP, RTSP, SMTP and can read into the HTTP
header fields, which makes it easy to interoperate with most J2EE-based and .NET-based application
servers.
The CSM can monitor server availability using various methods, including the following:

• Probes, which consist of traffic generated by the CSM that emulates the application being
monitored, such as DNS or HTTP requests, and ICMP or SMTP messages.
• In-band monitoring of the TCP connection setup process between clients and servers.
• Return code checks, which monitor the HTTP request/response process between clients and servers.
Return code checks provide the most comprehensive application monitoring mechanism. The CSM also
provides a DNS server that can resolve the DNS name of an application server to the most appropriate
IP address, based on server availability. For more information about the CSM refer to the following
website, which requires a Cisco.com password:
http://www.cisco.com/en/US/partner/products/hw/modules/ps2706/products_data_sheet09186a00800887f3.html

Multi-Tier Server Farms

Most web-based applications today use a multi-tier model, running as different processes that
communicate through inter-process communication, or on different server machines that communicate
over the network.
Multi-tier server farms running on different server machines can provide better resiliency and security.
Resiliency is improved because a server can be taken out of service while the same function is still
provided by another server that belongs to the same application tier. Security is improved because even
if an attacker compromises a web server, this does not provide access to the actual application or to the
database, which are hosted on separate server machines. Typically, the following three tiers are used:
• Web-server tier
• Application tier
• Database tier
Resiliency is achieved by load balancing the network traffic between the tiers, and security is achieved
by placing firewalls between the tiers. You can achieve segregation between the tiers by deploying a
separate infrastructure made of aggregation and access switches or by using VLANs.
Figure 2 shows the design of multi-tier server farms with physical segregation between the server farm
tiers. The left side of the diagram shows the design with external appliances, while the right side of the
diagram shows the design with service modules.

Figure 2 Multi-Tier Server Farms Using Appliances and Service Modules

[Figure: web servers, application servers and database servers on physically separate tiers; left side: design with external appliances, right side: design with service modules]

Figure 3 illustrates how to use VLANs to segregate server farms instead of using separate tiers of
switches. Physical segregation provides better performance because each tier of servers is connected to
dedicated hardware. Logical segregation with VLANs simplifies the server farm. The model you should
choose depends on your network performance requirements and traffic patterns.

Figure 3 Logical Segregation with VLANs

[Figure: web servers, application servers and database servers segregated by VLANs; left side: physical topology, right side: VLAN allocation across firewall, load balancer and switch]

The left side of the diagram shows the physical topology, while the right side of the diagram shows the
VLAN allocation across the firewall, load balancer, and switch. The firewall is the device that routes
between the VLANs, while the load balancer, which is VLAN-aware, also enforces the VLAN
segregation between the server farms. Notice that not all the VLANs require load balancing. In this
example, the database sends traffic directly to the firewall.
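To make the design of Figure 3 and the FWSM protections listed under "Stateful Inspection with the FWSM" concrete, the following is an added, illustrative FWSM configuration; it is not taken from this guide. It uses the PIX 6.x-style command set that FWSM releases of this period share, with the FWSM routing between the web, application and database VLANs (placement option D of Figure 4; the bridge-mode CSM of Figure 3 is omitted because it does not change the addressing). Slot and VLAN numbers, addresses, names, ports and limits are constructed, and lines beginning with "!" are annotations, not commands.

```text
! --- Supervisor (Cisco IOS): hand the tier VLANs to the FWSM in slot 3 ---
firewall vlan-group 1 10,20,30,40
firewall module 3 vlan-group 1

! --- FWSM: one interface per VLAN; a higher security level = more trusted ---
nameif vlan10 outside security0
nameif vlan20 web security30
nameif vlan30 app security60
nameif vlan40 db security90
ip address outside 10.10.0.2 255.255.255.0
ip address web 10.10.10.1 255.255.255.0
ip address app 10.10.20.1 255.255.255.0
ip address db 10.10.30.1 255.255.255.0
! Servers in each tier use the FWSM address on their VLAN as default gateway;
! 10.10.0.1 is the MSFC on the outside VLAN, the only way out of the data center.
route outside 0.0.0.0 0.0.0.0 10.10.0.1 1

! --- Identity statics between adjacent tiers: no address translation, but the
! static is what allows a lower-security interface to reach a higher-security one.
! The two trailing numbers are max connections (0 = unlimited) and the embryonic
! (half-open) connection limit per tier, the DoS control described in this guide.
! ISN randomization is on by default; the keyword norandomseq would turn it off
! and is deliberately absent here.
static (web,outside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0 0 1000
static (app,web) 10.10.20.0 10.10.20.0 netmask 255.255.255.0 0 500
static (db,app) 10.10.30.0 10.10.30.0 netmask 255.255.255.0 0 200

! --- Tier-to-tier filtering: each tier may only talk to the next one, on the
! application's port. Everything not permitted is denied anyway; the explicit
! deny entries exist only so that dropped traffic is logged.
access-list outside_in permit tcp any 10.10.10.0 255.255.255.0 eq www log
access-list outside_in deny ip any any log
access-list web_in permit tcp 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0 eq 8080 log
access-list web_in deny ip any any log
access-list app_in permit tcp 10.10.20.0 255.255.255.0 10.10.30.0 255.255.255.0 eq 1521 log
access-list app_in deny ip any any log
access-list db_in deny ip any any log
access-group outside_in in interface outside
access-group web_in in interface web
access-group app_in in interface app
access-group db_in in interface db

! --- Fixups: ports negotiated inside these protocols are opened statefully
fixup protocol ftp 21
fixup protocol http 80
fixup protocol sqlnet 1521

! --- Unicast RPF: drop packets whose source address the routing table does
! not place on the interface they arrived on (anti-spoofing)
ip verify reverse-path interface outside
ip verify reverse-path interface web
ip verify reverse-path interface app
ip verify reverse-path interface db

! --- Fragment handling for virtual reassembly on the untrusted side: at most
! 24 fragments per packet and 200 queued fragments (these are the defaults,
! made explicit; "fragment chain 1 outside" would refuse fragmented packets
! on that interface altogether).
fragment chain 24 outside
fragment size 200 outside

! --- Syslog: ACL hits and connection events go to a collector behind the MSFC
logging on
logging timestamp
logging trap informational
logging host outside 10.10.0.50
```

Because the FWSM keeps connection state, return traffic for sessions permitted by these entries is passed without a matching entry on the other interface, so the deny lines on app and db only log traffic those tiers originate unexpectedly.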

Design Overview
This section describes the design choices you may need to make when using the FWSM and the CSM,
which provide security and Layer 5–7 services, and are placed in the main path of the traffic between
client and server. It includes the following topics:
• MSFC, FWSM, and CSM Design, page 8
• Routed Mode Versus Bridge Mode, page 11

MSFC, FWSM, and CSM Design

The default gateway for a server in a data center can be a router, a firewall, or a load balancer. In the
same data center, some server farms use only Layer 2 and Layer 3 functions, some use only load
balancing or only firewalling, and some use both firewall and load balancing services. Firewalling and load
balancing can be provided either by placing these devices in front of the server farm in transparent
(bridge) mode, or by making the firewall or the load balancer the default gateway for the server farm.
Figure 4 shows four gateway placement options.

Figure 4 Gateway Placement Options

[Figure: gateway placement options A, B, C and D]

The four gateway placement options are as follows:
• (A) Servers send traffic directly to the router. The default gateway configured on the servers is the
IP address of the router.
• (B) Servers send traffic to the load balancer and the load balancer forwards the traffic to the router.
The load balancer is deployed in bridge mode between the server farm and the router. The gateway
configured on the servers is the IP address of the router.
• (C) Servers send traffic to the load balancer, and the load balancer forwards the traffic to the firewall.
The firewall then sends traffic to the router. The gateway configured on the servers is the IP address
of the firewall.
• (D) Servers send traffic to the firewall, which in turn forwards the traffic to the router. The gateway
configured on the servers is the IP address of the firewall.

Configuring the router as the default gateway (A) provides the best performance. Placing the load
balancer in bridge mode between the server farm and the firewall and configuring the firewall as the
default gateway (C) provides the maximum number of application and security services.
The relationship between the service modules and the MSFC can also vary, as shown in Figure 5.

Figure 5 MSFC, FWSM, CSM Logical Placement Options

[Figure: placement options A through G, each connected to the core]

The various relationships between the service modules and the MSFC are as follows:
• Option A, which is the focus of this series of documents, places the MSFC facing the core. This
configuration allows using Layer 3 links for connecting with the core of the network and this
configuration is necessary for supporting WAN links. Also, with the MSFC facing the core, you can
segregate multiple server farms with a single firewall device by means of VLANs. This lets you
establish an isolated security zone for each server farm segment, with the FWSM routing between
the segments.
• Option B differs because the FWSM and the CSM are swapped.
• Option C uses the firewall to route between two security zones: the core and the data center.

• Option D is similar to option C, with the CSM used in “one-arm mode”. For further information
about this configuration, refer to the document “CSM One-Arm Design in the Data Center.” This
design optimizes throughput for server-to-server traffic at the cost of a slightly more complex
configuration.
You can configure the CSM with source NAT to ensure that it sees the return traffic or with the
Policy-Based Routing (PBR) option on the MSFC. As with option C, the FWSM is located outside
the MSFC and only two security zones are supported: the enterprise core and the data center.
• Option E is also similar to option C and option D, with the CSM deployed in Direct Server Return
(DSR) mode. This option offers increased throughput for server-to-client traffic and server-to-server
traffic. However, the CSM sees only the client-to-server traffic, and advanced Layer 5–7
functionalities cannot be applied to any traffic.
• Option F provides server farm segregation by means of the FWSM and gives better performance for
server-to-server traffic than Option A. However, it requires configuring source NAT on the CSM or
PBR on the MSFC.
• Option G uses the CSM in DSR mode for increased server-to-server and server-to-client throughput.
Table 1 rates the different options, using a scale from * to *****. This design guide focuses on Option
A because it provides the maximum security and Layer 5−7 functionality with a relatively simple
configuration.

Table 1 Service Module Deployment Options

                                (A)     (C)     (D)     (E)     (F)     (G)
L5−L7                           *****   *****   *****   ***     *****   ***
Security                        *****   ***     ***     ***     *****   ****
Server-to-server performance    ***     ***     *****   *****   ****    ****
Server-to-client performance    ****    ****    ****    *****   ****    ****
Connectivity with the core      *****   ***     ***     ***     *****   *****
Ease of configuration           ****    *****   ***     **      ***     **

The meaning of the rating for each function on this table is as follows:
• L5−L7—Refers to the capability of learning the session information and using it for session
persistence purposes. It also refers to the capability of monitoring the communication between
clients and servers to detect the presence of malfunctioning servers.
• Security—A high score means that a single firewall segregates multiple server farms, ensuring
stateful inspection not only for client-to-server communication but also for server-to-server
communication, and that the design lets you create multiple DMZs.
• Server-to-server performance—Refers to the available bandwidth for server-to-server
communication or to the connection setup rate for server-to-server load-balanced traffic. The fewer
devices in the path between the servers, the better the performance, but the fewer the functions available.
• Server-to-client performance—Refers to the throughput for server-to-client traffic: the fewer devices
in the server-to-client path, the higher the throughput.

• Connectivity with the core—Refers to the capability of having Layer 3 links with the core network
and to the flexibility of using multiple routing protocols with the core network.
• Ease of configuration—Refers to the relative ease of implementation and maintenance.

Routed Mode Versus Bridge Mode

Firewalls and load balancers are normally deployed in two modes:
• Single subnet bridge mode—The device bridges traffic between client-side and server-side VLANs.
In this mode, the Cisco Catalyst 6500 MSFC provides the default gateway for the servers. This mode
allows administrators to leverage Cisco IOS high availability features, like the Cisco HSRP (Hot
Standby Router Protocol), which support redundant default gateways for the servers.
• Routed mode—The device routes traffic between client-side and server-side VLANs belonging to
different subnets.
In bridge mode, the traffic flowing from a server farm on one VLAN to a server farm on a different
VLAN traverses the device twice because routing occurs on the MSFC. This reduces the forwarding
performance available because a single flow uses the device twice. However, this design guide uses
bridge mode for the CSM because it provides direct server access for management and it easily supports
server-originated connections and multicast traffic. The advantages and disadvantages of the two modes
are summarized in Table 2.

Table 2 Advantages and Disadvantages of Routed Mode and Bridge Mode

                                  Routed Mode                  Bridge Mode
Direct server access              More complex                 Automatic
Server-originated connections     More complex                 Automatic
Multicast support                 Not supported                Automatic
IOS functions (DHCP and so on)    Some supported / some not    Automatic
Server-to-server performance      Higher                       Reduced
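As an added example that is not part of this guide, the following CSM configuration shows the single-subnet bridge mode chosen here together with the probe-based server monitoring described under "Load Balancing with the CSM". The slot, VLAN numbers, addresses and health URL are constructed; the client and server VLANs carry the same CSM address and mask because the module bridges rather than routes between them, and the servers keep the MSFC (HSRP) address 10.20.0.1 as their default gateway.

```text
! Supervisor (Cisco IOS): CSM in slot 5 (constructed slot number)
module ContentSwitchingModule 5
 ! Client-side VLAN faces the MSFC; the gateway is the MSFC HSRP address
 vlan 10 client
  ip address 10.20.0.2 255.255.255.0
  gateway 10.20.0.1
 ! Server-side VLAN: same address and subnet as the client VLAN = bridge mode.
 ! In routed mode this VLAN would carry its own subnet and this address would
 ! become the servers' default gateway instead of the MSFC.
 vlan 20 server
  ip address 10.20.0.2 255.255.255.0
 ! Probe: fetch /health from every real server every 10 s; any status outside
 ! 200-299 (or no response) fails the server; a failed server is re-probed
 ! every 30 s and returned to service once it answers correctly again.
 probe WEB_HEALTH http
  request method get url /health
  expect status 200 299
  interval 10
  failed 30
 ! Server farm: the VIP is rewritten to the chosen real server (nat server);
 ! client addresses are left untouched so servers log the true client.
 serverfarm WEB_FARM
  nat server
  no nat client
  real 10.20.0.11
   inservice
  real 10.20.0.12
   inservice
  probe WEB_HEALTH
 ! Virtual server: the address clients connect to, on TCP port 80
 vserver WEB_VIP
  virtual 10.20.0.100 tcp www
  serverfarm WEB_FARM
  inservice
```

Because the reals sit in the same subnet as the VIP and are reachable through the bridged VLANs, administrators can reach each server directly and server-originated connections need no special handling, which is the "Automatic" column of Table 2.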
