12 – Network and Security Service Placement

Modern firewalls, load balancers, and most stateful devices support the concept of virtual context, which is the ability to support multiple virtual firewalls or virtual load balancers. Up to 250 virtual contexts, fully autonomous and isolated from each other, can be enabled on a single physical appliance or service module.

To offer the high availability service required for business continuity, firewalls and load balancers work by pairing physical devices. Both devices remain active while the virtual contexts run in an active/standby fashion. In addition to providing redundancy, this mechanism distributes the active context between the two devices, improving the total throughput for active workflows.

When interconnecting multiple data centers and deploying firewalls and other stateful devices such as load balancers, the distance between remote sites is an important consideration.

When data center sites are deployed in close proximity (such as within the few kilometers that is typical for large campus deployments), they can be considered a single, physically-stretched data center location. Under these premises, it would probably be acceptable to deploy the stateful devices in a stretched fashion, with one physical member of the HA pair in each data center site. For deployments where the distance between locations is farther, a pair of HA devices is typically deployed in each physical data center.

There are some important reasons to maintain each active/standby pair within the same data center. Redundancy is controlled by two devices[1], which means that dispersing the active/standby contexts in two different locations would limit the maximum number of data centers to two.  On the other hand, keeping the active/standby pair of network services inside the same physical data center, allows replicating the same security policies in more than two data centers.

In addition, the link between the physical devices used for health check and process synchronization (replication of the active flows for stateful failover) must be extended in a very solid fashion. Due to its function of fault tolerance, it is also very sensitive to latency.

Last but not least, security and optimization functions usually require maintaining a stateful session. Therefore, for the same session, the traffic should be returned to the original virtual context that acknowledged the first flow, otherwise the flow will be dropped.

This behavior of symmetrical paths should be controlled and maintained, especially with the migration of VMs over a LAN extension as explained in the next topics.

This entry was posted in DCI. Bookmark the permalink.

5 Responses to 12 – Network and Security Service Placement

  1. santsboy says:

    Hi Yves,

    I was planning to create a 5585-x FW cluster between twin DC’s. I was thinking of using 4 FWs between the 2 DCs and create a cluster to be more efficient with state-full applications.

    I was wondering if there is any document that would explain this architecture? In cases there isn’t, do you know when approximately we will have one?

    Thank you very much.

    Regards,

    Santsboy

    • Yves says:

      Hi Santasboy

      I’m planning to write an article dedicated on this great solution, but my last dust of neurone is a bit under water these days.
      Actually I have presented this solution at Cisco Live Milan few weeks ago, I guess it has been taped.

      In the meantime that I can find some time to write this note on ASA clustering for DCI, feel free to contact me directly so I can share with you my recommendations

      use ylouis@cisco.com

      Let me know, yves

  2. santsboy says:

    Hi Yves,

    Thank you very much for the info. I just saw your presentation and that’s what I was looking for. Thanks for the email I will send you the diagram when I will have it more developed. Now I am at the phase of choosing the equipment.

    My questions now are related to MDS and VPLEX. It is a must to use MDS with VPLEX? And the other one is I am forced to use a dedicated link to interconnect the VPLEX engines?

    Price grows a lot if I am forced to use MDS 🙁

    Thank you very much for your help Yves, much appreciated it.

    Regards,

    Santsboy

    • Yves says:

      Hi Santsboy

      You can use the MDS with VPLEX metro or Geo VPLEX. I can see two added values, one is that there are a couple of validated designs that you can rely on.
      Secondly there is a great feature on the MDS called IO acceleration that you can leverage to accelerate the synchronous data replications (X2).

      In regards to VPLEX, that’s my understanding that you have to use a dedicated SAN between the VPLEX clusters, but the best would be to contact a technical EMC representative to confirm that point.

      All that said, to give you a more exhaustive and accurate response with MDS, I’ll need to see your architecture.

      Thanks, yves

  3. santsboy says:

    Hi Yves,

    thank you very much for the reply, much appreciated. I have sent you an email with the details.

    Thanks a lot for all the help.

    Regards,

    Sants boy

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.