Creating Subnets for Business Applications

Discussion in 'Cisco' started by toureg69@yahoo.com, Dec 9, 2006.

  1. Guest

    All,

    I am kind of a newbie here so please bear with me.

    I have to create an infrastructure where we basically would have
    application servers communicating with database servers constantly. I
    have to create GigE switch fabric, if you will, and connect all these
    Windows based servers to it.

    I was thinking would it be a better practice to create 1 network and
    place all application\database servers in this network to communicate
    with each other, rather than creating 2 networks and place the
    application servers in one network and the databases in the other.

    Mind you, I am planning to purchase a C5000 catalyst switch for this,
    or maybe a c6500 series would work as well.

    My questions are:

    1. Does it make sense to create 1 network for the app\database servers
    or 2 networks to separate the functions?

    2. All servers will be connected to the same catalyst. Will the speed
    increase in terms of communication and processing if on the same
    network or 2 separate ones.

    3. Since they are Windows based systems, which we all know to be very
    chatty on the network, would the 1 network scenario create a huge
    broadcast domain? Whereas using 2 networks would reduce this broadcast
    domain?

    4. Is it safe to say that if using the same switch and same network,
    the servers will be using more layer two type communication, rather
    than layer 3? Because the way I understand these Windows based
    systems, they use the MAC addresses to communicate with each other if
    on the same network. But if communication spans networks, they will use
    IP, which is layer 3.


    Any insight would be helpful. Thanks in advance!

    John B.
     
    , Dec 9, 2006
    #1

  2. In article <>,
    <> wrote:

    >I have to create an infrastructure where we basically would have
    >application servers communicating with database servers constantly. I
    >have to create GigE switch fabric, if you will, and connect all these
    >Windows based servers to it.


    >Mind you, I am planning to purchase a C5000 catalyst switch for this,
    >or maybe a c6500 series would work as well.


    I wouldn't recommend that, for two reasons:

    A) the Cat 5000 series is EOS (End of Sale), so you would not be able
    to buy a new one, would not be able to get support, would not be able
    to "relicense" a used one so as to have legal use of the software
    (which is non-transferable), and would not be able to use modern software
    releases because they don't make them for the Cat 5000 or 5500 anymore.
    http://www.cisco.com/en/US/products/hw/switches/ps679/prod_eol_notice09186a008032d4ae.html

    B) The 5000 and 5500 series are not well equipped to handle
    multiple gigabit interfaces at full speed. The backplane bandwidth
    just isn't there. You can do two full gigabits, but (if my memory
    is correct) you cannot quite do a third. You can get an 8-port gigabit
    line card, but it is "oversubscribed" and cannot handle full-out
    gigabit to all ports even if it all remains on the line cards.

    Between the above, if you are going simple and flat and don't need
    much in the way of WAN capabilities (e.g., NAT or firewall features)
    then it would be much less expensive and much more cost effective to
    go for a Catalyst 2970 or Catalyst 3750. If you need more advanced
    features, then you could consider the Catalyst 4500 series, but
    you cannot get more than about 4 GB/s across the backplanes on those,
    so for business crucial systems with more advanced features, you would
    probably end up in the Catalyst 6500 series.


    >My questions are:


    >1. Does it make sense to create 1 network for the app\database servers
    >or 2 networks to separate the functions?


    Is this all for in-house access, or are there significant security concerns
    due to outside access? If it is all in-house then the general rules
    are "switching is usually faster than routing" and "each hop adds latency".
    (Note: if it is simple routing without much state inspection or NAT,
    then the Catalyst 3750s route at the same speed as they switch.)
    If you start adding security layers, then you have to start thinking
    along the lines of "If someone outside has access to this device and
    managed to take control of it, which other devices would they be
    able to attack directly or be able to exploit 'trust relationships' to?".
    For security, well-considered isolation is usually better.

    >2. All servers will be connected to the same catalyst. Will the speed
    >increase in terms of communication and processing if on the same
    >network or 2 separate ones.


    See above in part. In the more general situation, where the number of
    broadcasts might be high (NETBIOS, ARP, whatever) then isolation would
    help contain broadcasts and thus reduce network traffic. If you
    aren't using that bandwidth anyhow or don't have a lot of broadcasts,
    then the general rules above are the guide.

    But I think you should reconsider the "all servers will be connected
    to the same catalyst". That's not a great idea from a security standpoint,
    but even if you have no applicable security concerns, you need to consider
    that this is obviously business critical for the organization and so
    the failure of that single catalyst (or the need for reconfiguration
    or the need for software updates or preventative maintenance)
    would wipe out your organization's data flow. For business critical
    data flows, "Don't put all your eggs in one basket" -- and read some
    of the white papers on Vincent C. Jones' web site,
    networkingunlimited.com


    >3. Since they are Windows based systems, which we all know to be very
    >chatty on the network, would the 1 network scenario create a huge
    >broadcast domain? Whereas using 2 networks would reduce this broadcast
    >domain?


    Windows does not have to imply "chatty on the network". Turn off
    the broadcast NETBIOS, and consider using the LDAP based domain
    registries.

    >4. Is it safe to say that if using the same switch and same network,
    >the servers will be using more layer two type communication, rather
    >than layer 3? Because the way I understand these Windows based
    >systems, they use the MAC addresses to communicate with each other if
    >on the same network. But if communication spans networks, they will use
    >IP, which is layer 3.


    True if you are selective about your facts and interpretations. For
    a more complete description, please see one of my previous
    postings,
    http://groups.google.ca/group/comp.dcom.sys.cisco/msg/a83c87f45ca0fbc1
    (to which I would add that some layer 3 switches now handle
    the BGP routing protocol.)
     
    Walter Roberson, Dec 9, 2006
    #2

  3. BernieM Guest

    <> wrote in message
    news:...
    > All,
    >
    > I am kind of a newbie here so please bear with me.
    >
    > I have to create an infrastructure where we basically would have
    > application servers communicating with database servers constantly. I
    > have to create GigE switch fabric, if you will, and connect all these
    > Windows based servers to it.
    >
    > I was thinking would it be a better practice to create 1 network and
    > place all application\database servers in this network to communicate
    > with each other, rather than creating 2 networks and place the
    > application servers in one network and the databases in the other.
    >
    > Mind you, I am planning to purchase a C5000 catalyst switch for this,
    > or maybe a c6500 series would work as well.
    >
    > My questions are:
    >
    > 1. Does it make sense to create 1 network for the app\database servers
    > or 2 networks to separate the functions?
    >
    > 2. All servers will be connected to the same catalyst. Will the speed
    > increase in terms of communication and processing if on the same
    > network or 2 separate ones.
    >
    > 3. Since they are Windows based systems, which we all know to be very
    > chatty on the network, would the 1 network scenario create a huge
    > broadcast domain? Whereas using 2 networks would reduce this broadcast
    > domain?
    >
    > 4. Is it safe to say that if using the same switch and same network,
    > the servers will be using more layer two type communication, rather
    > than layer 3? Because the way I understand these Windows based
    > systems, they use the MAC addresses to communicate with each other if
    > on the same network. But if communication spans networks, they will use
    > IP, which is layer 3.
    >
    >
    > Any insight would be helpful. Thanks in advance!
    >
    > John B.
    >


    Consider giving your application and database servers two network cards.
    One for communication between application and database servers only and the
    other for front end client traffic and administrative/management
    traffic. This allows you to provide an isolated vlan/network for
    application server-to-database traffic.

    BernieM
     
    BernieM, Dec 9, 2006
    #3
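    The layer-2 versus layer-3 point in Walter's answer to question 4 and the
    dual-NIC layout BernieM suggests can both be seen in a few lines of code.
    The block below is an editor's added illustration, not code posted by
    anyone in this thread: it models the forwarding decision a host makes for
    a destination (direct ARP on a connected subnet versus handing off to the
    default gateway), the number of hosts that share one broadcast domain, and
    a first-match access list between an application subnet and a database
    subnet. All addresses, interface names and the TCP/1433 policy are
    constructed for the example.

```python
# Added example (editor's illustration, not code from anyone in the thread):
# models the forwarding decision a host makes for a destination, the size of
# the broadcast domain each subnet creates, and a first-match ACL between the
# application and database subnets. All addresses below are constructed.
from ipaddress import ip_address, ip_interface, ip_network


def egress(interfaces, default_gateway, dst):
    """Decide how a host reaches dst.

    interfaces: list of (nic_name, "addr/prefixlen") configured on the host.
    Returns (nic_name, next_hop_ip, layer): layer 2 when dst is on a directly
    connected subnet (the host ARPs for dst's own MAC and the switch forwards
    the frame), layer 3 when the packet must go to the default gateway (the
    host ARPs for the gateway's MAC and a router makes the next decision).
    """
    dst_ip = ip_address(dst)
    best = None  # longest-prefix match among connected subnets
    for nic, cidr in interfaces:
        net = ip_interface(cidr).network
        if dst_ip in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (nic, net)
    if best is not None:
        return best[0], str(dst_ip), 2
    gw = ip_address(default_gateway)
    for nic, cidr in interfaces:
        if gw in ip_interface(cidr).network:
            return nic, str(gw), 3
    raise ValueError("default gateway is not on any connected subnet")


def broadcast_domain_hosts(cidr):
    """Usable host addresses sharing one IPv4 broadcast domain (prefix <= /30)."""
    net = ip_network(cidr, strict=False)
    return net.num_addresses - 2  # minus the network and broadcast addresses


# Constructed two-subnet policy: the app tier may reach the database tier only
# on TCP/1433; nothing else may enter the database subnet. First match wins,
# with an implicit deny at the end, the way a switch ACL is evaluated.
APP_NET = "10.1.1.0/24"
DB_NET = "10.1.2.0/24"
RULES = [
    # (source network, destination network, destination port or None = any, action)
    (APP_NET, DB_NET, 1433, "permit"),
    ("0.0.0.0/0", DB_NET, None, "deny"),
    ("0.0.0.0/0", "0.0.0.0/0", None, "permit"),
]


def acl_permits(rules, src, dst, dport):
    """Return True if the first matching rule permits the flow, False otherwise."""
    s, d = ip_address(src), ip_address(dst)
    for src_net, dst_net, port, action in rules:
        if s in ip_network(src_net) and d in ip_network(dst_net) and port in (None, dport):
            return action == "permit"
    return False  # implicit deny


if __name__ == "__main__":
    # Single-homed app server in a two-subnet design: database traffic is routed.
    single = [("nic0", "10.1.1.10/24")]
    print(egress(single, "10.1.1.1", "10.1.2.20"))        # ('nic0', '10.1.1.1', 3)
    # Dual-homed app server (BernieM's layout): database traffic stays at layer 2
    # on the back-end NIC, client traffic uses the front-end NIC.
    dual = [("front", "10.1.1.10/24"), ("back", "192.168.50.10/24")]
    print(egress(dual, "10.1.1.1", "192.168.50.20"))      # ('back', '192.168.50.20', 2)
    print(egress(dual, "10.1.1.1", "10.1.1.55"))          # ('front', '10.1.1.55', 2)
    # One flat /23 versus two /24s: hosts per broadcast domain.
    print(broadcast_domain_hosts("10.1.0.0/23"), broadcast_domain_hosts("10.1.1.0/24"))  # 510 254
    # Policy between the tiers.
    print(acl_permits(RULES, "10.1.1.10", "10.1.2.20", 1433))  # True
    print(acl_permits(RULES, "10.1.1.55", "10.1.2.20", 3389))  # False
```

    The dual-homed case shows why BernieM's layout keeps app-to-database
    traffic off the client-facing subnet entirely: the back-end NIC's subnet
    wins the longest-prefix match, so those frames never touch the gateway.
    The ACL models the "well-considered isolation" Walter describes; a host on
    the front-end subnet that is not an app server gets nothing into the
    database subnet, which limits what a compromised client could reach.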
  4. stephen Guest

    "Walter Roberson" <> wrote in message
    news:AfCeh.456848$R63.213581@pd7urf1no...
    > In article <>,
    > <> wrote:
    >
    > >I have to create an infrastructure where we basically would have
    > >application servers communicating with database servers constantly. I
    > >have to create GigE switch fabric, if you will, and connect all these
    > >Windows based servers to it.

    >
    > >Mind you, I am planning to purchase a C5000 catalyst switch for this,
    > >or maybe a c6500 series would work as well.

    >
    > I wouldn't recommend that, for two reasons:
    >
    > A) the Cat 5000 series is EOS (End of Sale), so you would not be able
    > to buy a new one, would not be able to get support, would not be able
    > to "relicense" a used one so as to have legal use of the software
    > (which is non-transferable), and would not be able to use modern software
    > releases because they don't make them for the Cat 5000 or 5500 anymore.
    > http://www.cisco.com/en/US/products/hw/switches/ps679/prod_eol_notice09186a008032d4ae.html
    >
    > B) The 5000 and 5500 series are not well equipped to handle
    > multiple gigabit interfaces at full speed. The backplane bandwidth
    > just isn't there. You can do two full gigabits, but (if my memory
    > is correct) you cannot quite do a third. You can get an 8-port gigabit
    > line card, but it is "oversubscribed" and cannot handle full-out
    > gigabit to all ports even if it all remains on the line cards.
    >
    > Between the above, if you are going simple and flat and don't need
    > much in the way of WAN capabilities (e.g., NAT or firewall features)
    > then it would be much less expensive and much more cost effective to
    > go for a Catalyst 2970 or Catalyst 3750. If you need more advanced
    > features, then you could consider the Catalyst 4500 series, but
    > you cannot get more than about 4 GB/s across the backplanes on those,


    4500 with a recent supervisor (Sup 5) has a switching matrix on the
    processor rather than a bus based backplane.

    AFAIR the bandwidth per slot is 6 Gbps full duplex.

    still not good for lots of GigE connected servers though...

    > so for business crucial systems with more advanced features, you would
    > probably end up in the Catalyst 6500 series.
    >
    >
    > >My questions are:

    >
    > >1. Does it make sense to create 1 network for the app\database servers
    > >or 2 networks to separate the functions?

    >
    > Is this all for in-house access, or are there significant security concerns
    > due to outside access? If it is all in-house then the general rules
    > are "switching is usually faster than routing" and "each hop adds latency".
    > (Note: if it is simple routing without much state inspection or NAT,
    > then the Catalyst 3750s route at the same speed as they switch.)
    > If you start adding security layers, then you have to start thinking
    > along the lines of "If someone outside has access to this device and
    > managed to take control of it, which other devices would they be
    > able to attack directly or be able to exploit 'trust relationships' to?".
    > For security, well-considered isolation is usually better.
    >
    > >2. All servers will be connected to the same catalyst. Will the speed
    > >increase in terms of communication and processing if on the same
    > >network or 2 separate ones.

    >
    > See above in part. In the more general situation, where the number of
    > broadcasts might be high (NETBIOS, ARP, whatever) then isolation would
    > help contain broadcasts and thus reduce network traffic. If you
    > aren't using that bandwidth anyhow or don't have a lot of broadcasts,
    > then the general rules above are the guide.
    >
    > But I think you should reconsider the "all servers will be connected
    > to the same catalyst". That's not a great idea from a security standpoint,
    > but even if you have no applicable security concerns, you need to consider
    > that this is obviously business critical for the organization and so
    > the failure of that single catalyst (or the need for reconfiguration
    > or the need for software updates or preventative maintenance)
    > would wipe out your organization's data flow. For business critical
    > data flows, "Don't put all your eggs in one basket" -- and read some
    > of the white papers on Vincent C. Jones' web site,
    > networkingunlimited.com
    >
    >
    > >3. Since they are Windows based systems, which we all know to be very
    > >chatty on the network, would the 1 network scenario create a huge
    > >broadcast domain? Whereas using 2 networks would reduce this broadcast
    > >domain?

    >
    > Windows does not have to imply "chatty on the network". Turn off
    > the broadcast NETBIOS, and consider using the LDAP based domain
    > registries.
    >
    > >4. Is it safe to say that if using the same switch and same network,
    > >the servers will be using more layer two type communication, rather
    > >than layer 3? Because the way I understand these Windows based
    > >systems, they use the MAC addresses to communicate with each other if
    > >on the same network. But if communication spans networks, they will use
    > >IP, which is layer 3.

    >
    > True if you are selective about your facts and interpretations. For
    > a more complete description, please see one of my previous
    > postings,
    > http://groups.google.ca/group/comp.dcom.sys.cisco/msg/a83c87f45ca0fbc1
    > (to which I would add that some layer 3 switches now handle
    > the BGP routing protocol.)

    --
    Regards

    - replace xyz with ntl
     
    stephen, Dec 10, 2006
    #4
