Cisco Prime Network Services Controller Adaptor for DFA product brochure
© 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 4 of 45
Table 1 summarizes some typical firewall deployment scenarios in traditional data centers.

Table 1. Typical Firewall Deployment Scenarios

Deployment option: Tenant-edge firewall
Description: The firewall acts as an ultimate gateway for a particular tenant (Virtual Routing and Forwarding [VRF] instance). All traffic that needs to leave a particular VRF instance must traverse this firewall and be subjected to its policies and filtering.
In this scenario, the tenant can consist of one or more subnets. The inside interface of the tenant-edge firewall is attached to a subnet within a given tenant (VRF instance), and the external interface connects to an external VRF instance. This scenario is sometimes referred to as VRF stitching.

Deployment option: East-west Layer 3 firewall
Description: The firewall acts as a default gateway for one or more protected subnets and has one or more internal interfaces attached to these subnets. The outside interface connects to an external unprotected subnet.

Deployment option: Layer 2 transparent firewall
Description: The firewall acts as a bridge and is inserted between protected and external network segments. The Layer 2 transparent firewall performs VLAN stitching and applies policies to all data traffic that passes through. This deployment scenario is not covered in this document.

Deployment option: Layer 3 transparent firewall
Description: The firewall acts as a router, attracting traffic for one or more protected subnets, either through routed prefix metric manipulation or through connection between the Layer 2 and 3 aggregation router and the core router. This deployment scenario is not covered in this document.

Deployment option: Host-based firewall
Description: The firewall can be deployed on a host-by-host basis and is used to protect a given host. This deployment scenario is not covered in this document.
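The practical difference between the first two options in Table 1 is which flows actually receive policy enforcement: a tenant-edge firewall only sees traffic leaving the VRF, while an east-west Layer 3 firewall, being the default gateway of each protected subnet, also sees traffic between those subnets. The following Python model, added here as an illustration and not code from Cisco or this document, classifies constructed flows under both options (all addresses and the tenant name are made-up sample values).

```python
"""Model which flows cross the firewall under two Table 1 deployment
options: tenant-edge (VRF stitching) and east-west Layer 3.
Constructed example; addresses below are sample values only."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass
class Tenant:
    """A tenant VRF made up of one or more protected subnets."""
    name: str
    subnets: List[IPv4Network]

    def subnet_of(self, ip: IPv4Address) -> Optional[IPv4Network]:
        # Return the tenant subnet containing ip, or None if ip is external.
        for subnet in self.subnets:
            if ip in subnet:
                return subnet
        return None


def tenant_edge_inspected(t: Tenant, src: IPv4Address, dst: IPv4Address) -> bool:
    """Tenant-edge firewall: only traffic that leaves (or enters) the VRF
    traverses it. Flows between two subnets of the same tenant are routed
    inside the VRF and never hit the firewall."""
    src_inside = t.subnet_of(src) is not None
    dst_inside = t.subnet_of(dst) is not None
    return src_inside != dst_inside


def east_west_l3_inspected(t: Tenant, src: IPv4Address, dst: IPv4Address) -> bool:
    """East-west Layer 3 firewall: it is the default gateway of every
    protected subnet, so any flow that leaves its source subnet (to another
    protected subnet or to the outside) crosses it. Only flows that stay
    within one subnet bypass it, as do flows with no protected endpoint."""
    s, d = t.subnet_of(src), t.subnet_of(dst)
    if s is None and d is None:
        return False
    return s != d


if __name__ == "__main__":
    blue = Tenant("blue", [ip_network("10.1.1.0/24"), ip_network("10.1.2.0/24")])
    a, b, ext = ip_address("10.1.1.10"), ip_address("10.1.2.10"), ip_address("192.0.2.5")
    for label, fn in (("tenant-edge", tenant_edge_inspected),
                      ("east-west L3", east_west_l3_inspected)):
        print(label, "A->B:", fn(blue, a, b), "A->ext:", fn(blue, a, ext))
```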
Today, Cisco Nexus® switching platforms, including Cisco Nexus 2000 Series Fabric Extenders, Cisco Nexus 5600 platform switches, and Cisco Nexus 6000 and 7000 Series Switches, can all be deployed in Cisco Unified Fabric with the firewall scenarios listed in Table 1 in the traditional, manual way. In the traditional approach, the firewall connectivity and integration, planning, and implementation are delivered using traditional Layer 2 switching and Layer 3 routing mechanisms, such as Spanning Tree Protocol (STP), Multiple Spanning Tree Protocol (MST), and various First-Hop Redundancy Protocols (FHRPs) such as Hot Standby Router Protocol (HSRP), Virtual Router Redundancy Protocol (VRRP), and Gateway Load Balancing Protocol (GLBP). These are well-known and widely deployed protocols with a large number of associated best practices. However, stability or scalability issues may arise when these traditional mechanisms are used for building large Layer 2 fabrics.
Cisco Unified Fabric with optimized networking helps eliminate risks associated with large Layer 2 fabrics by
deploying distributed gateways and other mechanisms. To further reduce the risks associated with integration and
implementation steps, Cisco Unified Fabric with optimized networking can take advantage of automation and
orchestration tools. Workload automation simplifies routine tasks, and optimized networking dramatically improves
overall network stability and scalability.
Introduction to Optimized Networking in Cisco Unified Fabric
Building a data center fabric has traditionally involved a trade-off between the flexibility of forwarding Ethernet
frames at Layer 2 (switching), and the stability and small failure domains of forwarding IP packets at Layer 3
(routing). Optimized networking allows Cisco Unified Fabric to offer the best attributes of Layer 2 switching and
Layer 3 routing concurrently. The difficult trade-off decisions no longer need to be made. Cisco Unified Fabric with
optimized networking results in small failure domains, with any IP subnet supported anywhere on the fabric
concurrently through the use of a simple distributed default gateway mechanism. Redundant switching models for
spine and leaf elements also provide N+ redundancy across the entire fabric. Other properties of optimized
networking include the Clos topology with high bisectional bandwidth and uniform reachability and deterministic
latency.
Optimized networking uses Cisco FabricPath frame encapsulation for efficient forwarding based on a Shortest Path
First (SPF) algorithm for unicast and multicast IP traffic. Host and subnet route distribution across the fabric is
accomplished using a scalable Multiprotocol Border Gateway Protocol (MP-BGP) control plane.