Friday, May 1, 2020

Datacentre Network Re-design - An easier way to manage ACLs?

Hi all, I've got two questions relating to data centre networking: firstly, whether I've got our new re-design correct in my head, and secondly, following that plan we'll have an increased reliance on ACLs on our switches, so I wanted to know if there's an easier GUI-based way to manage ACLs.

Firstly, our current setup consists of an HA pair of firewalls doing all L3 in the DC, including all inter-VLAN traffic, which is the main reason we want to move away from this setup. The firewalls have an internet breakout, WAN link, DMZ and multiple other VLANs on them: prod, test, dev, voice, SQL etc. We currently manage rules between VLANs using the firewalls, which have a decent GUI, making it simpler to manage and harder to make mistakes. South of those firewalls is a pair of Nexus 5K switches, 3 UCS chassis and an iSCSI SAN.

The problem with this is that there's only a 1Gbps link between the Nexus and the active firewall, with all of the default gateways for our VLANs being sub-interfaces on the 1Gbps interface. Not a great design, I know; we used to have a pair of 3925s doing our inter-VLAN routing with ACLs controlling traffic between VLANs. They were a bit of a pain to manage as there was only me at the time who had knowledge of working with them. Our MSP suggested those routers were unnecessary when they upgraded our firewalls (the previous ones only had 10/100 interfaces). We've grown a lot since the last upgrade though and are back in a position where we need to re-think things.

The plan is to use the Nexus switches for the inter-VLAN routing (they're currently only doing L2), create a new small subnet between the Nexus switches and the firewalls, and set the default route on the Nexus to point at the new firewall IP. This plan takes all of the inter-VLAN traffic away from the firewalls, freeing them up to do what they were intended for. However, we lose the nice GUI-based method for controlling our inter-VLAN traffic and would be back to ACLs on the Nexus switches (something I'd like to avoid). Is there a solution that can help us manage the ACLs with a GUI and ideally where changes can be verified before being made? We use proper Cisco in our datacentre but are migrating to Meraki in our branches, and their dashboard has spoilt me with how easy it is.

I realise it's a wordy post so thanks for sticking with me.
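One way to get the "verify before you push" property the post asks for, without a vendor GUI, is to keep the candidate ACL as text and run it through a small offline checker that evaluates it against a list of flows you expect to be permitted or denied. The script below is an added example, not code from the original post or from Cisco; it parses a deliberately small subset of NX-OS ACE syntax (sequence number, permit/deny, ip/tcp/udp/icmp, source and destination as CIDR or `any`, optional `eq <port>`), applies first-match semantics with the implicit deny at the end, and reports every flow whose result differs from what you intended. The VLAN subnets, ACL name and flows are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed example: a candidate ACL for the SQL VLAN SVI, written in a
# subset of NX-OS ACE syntax. Addresses are made up for the example.
SAMPLE_ACL = """
ip access-list INTERVLAN-TO-SQL
  10 permit tcp 10.10.10.0/24 10.10.20.0/24 eq 1433
  20 permit icmp 10.10.10.0/24 10.10.20.0/24
  30 deny ip 10.10.30.0/24 10.10.20.0/24
  40 permit ip any any
"""

# Constructed intent: (src, dst, proto, dport) -> expected action.
# The third flow encodes the intent "prod may only reach SQL on 1433".
EXPECTED_FLOWS = [
    (("10.10.10.5", "10.10.20.9", "tcp", 1433), "permit"),
    (("10.10.30.5", "10.10.20.9", "tcp", 1433), "deny"),
    (("10.10.10.5", "10.10.20.9", "tcp", 22), "deny"),
]

Flow = Tuple[str, str, str, Optional[int]]


@dataclass
class Entry:
    seq: int
    action: str                              # "permit" or "deny"
    proto: str                               # "ip", "tcp", "udp" or "icmp"
    src: Optional[ipaddress.IPv4Network]     # None means "any"
    dst: Optional[ipaddress.IPv4Network]     # None means "any"
    dport: Optional[int]                     # None means any destination port


def _parse_net(token: str) -> Optional[ipaddress.IPv4Network]:
    return None if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_acl(text: str) -> List[Entry]:
    """Parse ACEs; the 'ip access-list' header and other non-ACE lines are skipped."""
    entries = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if not tokens or not tokens[0].isdigit():
            continue
        if len(tokens) not in (5, 7):
            raise ValueError(f"unsupported entry: {raw.strip()}")
        seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
        if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp", "icmp"):
            raise ValueError(f"unsupported entry: {raw.strip()}")
        dport = None
        if len(tokens) == 7:
            if tokens[5] != "eq":
                raise ValueError(f"unsupported port match: {raw.strip()}")
            dport = int(tokens[6])
        entries.append(Entry(seq, action, proto, _parse_net(tokens[3]),
                             _parse_net(tokens[4]), dport))
    return sorted(entries, key=lambda e: e.seq)


def evaluate(entries: List[Entry], src_ip: str, dst_ip: str,
             proto: str, dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First matching ACE wins; (action, seq). No match -> implicit ("deny", None)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if e.src is not None and src not in e.src:
            continue
        if e.dst is not None and dst not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, e.seq
    return "deny", None


def check_flows(entries: List[Entry], expected) -> List[Tuple[Flow, str, str, Optional[int]]]:
    """Return (flow, expected, actual, matching_seq) for every flow that disagrees with intent."""
    mismatches = []
    for flow, want in expected:
        got, seq = evaluate(entries, *flow)
        if got != want:
            mismatches.append((flow, want, got, seq))
    return mismatches


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for flow, want, got, seq in check_flows(acl, EXPECTED_FLOWS):
        print(f"MISMATCH {flow}: expected {want}, got {got} (matched seq {seq})")
```

Run against the constructed ACL, the checker flags the third flow: prod to SQL on port 22 was meant to be denied but falls through to the catch-all `40 permit ip any any`. That is exactly the class of mistake a firewall GUI tends to make obvious and a raw ACL does not, and keeping the intent list in version control next to the ACL text means the check reruns on every proposed change before it reaches the switch.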


