Datacentre Config Help

[Mu5icMan]

I'm new to the datacentre scene so I'm not very clued up how it interconnects with connections in the cab.

I have just bought into a full cab at a local datacentre and they are supplying me with 1 CAT6 cable which will supply my connection to the outside at 10mbps with a block of public IP addresses.

I am now about to buy a layer 3 switch.

My question: On each port of the switch I will be configuring a public IP address for each server as they need to be public facing. For the cable they are supplying for the net connection what do I set it for configuration?

I Hope that makes sense.

[AdamR]

Are they handling the routing for you too? I would guess you need a router if you need your cabinet subnet to talk to the outside world, as a switch will only allow your servers to communicate in the same subnet at layer 3.

You don't need to replace the switch if you already have it. You could get a router with just 2 interfaces, but the router will need to consume one of your public IP addresses in order to talk to your inside subnet.

[Mu5icMan]

I'm not sure if they are handling the routing, I will find out.

In either case that's why I was going to choose a layer 3 instead of 2 as doesn't a layer 3 handle the routing for me?

If they don't route the connection and I choose to have a router wouldn't it consume 2 IP's, the broadcast and the network address?

Ignore above, I'm wrong. It would just consume 1 address. But how then would I push the public addresses through the router, can I get them with NAT turned off?

[WhiteKnight]

Unless I'm missing something you sound like you are overcomplicating the issue.

The cable that runs into your rack most likely goes back to the datacenter router / L3 switch. Meaning your ip range is already routed and all the "complicated stuff" is dealt with. I am going to make a couple of assumptions... so correct me if I'm wrong here:

1) you have been given a range in the format 1.2.3.4/28,
2) One of them has already been allocated as a a gateway (this will be the interface on the datacenters routing hardware.
3) You are hosting several servers on your switch that all need to connect to the internet using one of the supplied IPs.

Your local rack switch doesn't need to do anything clever at all, merely shift packets. A L2 switch would work fine. Just setup your servers with IP, mask and Default gateway (as you would any machine) and you should be good to go.

If you want to have local traffic between the servers that doesnt travel over the public IP range then you could setup a second card and plug that into a vlanned group of ports effectively giving you a private sub network.

[Mu5icMan]

Cheers Whiteknight, that sounds about right and I think I am over complicating it.

If for example I was doing colo or dedicated servers to clients would a different class switch be beneficial then for network in regards to security?

[Deehem]

Yep. Pretty much echoing exactly what WK said.

[WhiteKnight]

Quote:

Originally Posted by Mu5icMan

If for example I was doing colo or dedicated servers to clients would a different class switch be beneficial then for network in regards to security?

Not really. Remember that the IPs you are using are PUBLIC anyway. So anyone can already attack them at a full 10mbit/s (or whatever your current rate is).

The only thing you would protect against is a local attack on other servers on the same switch. Just pick your customers wisely, and have adequate protection on the servers themselves (properly configured firewalls and up to date patching).

[Elkeeed]

A decent hardware firewall usually also routes too. If you just stick client's servers directly on the net with nothing you control in between you are putting yourself in a bit of a compromising position if they (or a trojan) get upto anything they shouldn't.

[WhiteKnight]

You could put something like pfsense in transparent mode in the middle. Then you can filter the traffic but not waste an IP.

[Mu5icMan]

I've just been told by the NOC that the routing is done at my end.

Can someone recommend me a router for this type of setup?

[WhiteKnight]

pfSense can route, while also allowing you to firewall the traffic.

[Mu5icMan]

Thanks WK.

Do you happen to know if pfsense has bind built in just in case I need a dns server?

[Mu5icMan]

I've been reading through the documentation of pfsense.

Am I correct in thinking I will need to disable nat if I want to configure the public IP address on the servers nic?

[Elkeeed]

If all your servers have public IPs then yes. In a more advanced setup you might want to route some addresses but nat others.

[Mu5icMan]

I'm confused now as I've just been told that there is no default gateway available and I will be using pfsense as the gateway.

Everything I've read on pfsense says it needs a default gateway to work.

[Elkeeed]

Sounds like confusion over two meanings of gateway :P There is always one, that's how subnetting works, try asking for the default route? Did you not get this with info about the ip range and subnet mask? Or you could guess at the last ip in your range.

[Mu5icMan]

This is the IP allocation email I received from the NOC: (I'll remove the IP's later just in case google index's them and I end up being a victim of a DDOS attack :P)

I can confirm that your DIA service for cabinet ****** has been configured ready for use as of 00:00 this morning. You have been assigned the following address range:


* xxx.154.56.32/27 (xxx.154.56.32 - xxx.154.56.63)

The first three usable addresses in this range are being used by our Service Provider *******, these are:


* xxx.154.56.33, xxx.154.56.34, xxx.154.56.35

The relevant connection has been patched back to Port 1 of your cabinet presentation. Please keep us informed of your installation dates and don't hesitate to contact the NOC should you require any further assistance.

[WhiteKnight]

You will likely need to setup one of two ways, and they should have supplied relevant information for one of these setups.

Either

A) You have an IP Range and a gateway / default route address

Example: Network=10.10.20.0/24 Route=10.10.20.1
Example: Network=10.20.20.0 Mask=255.255.255.0 Route=10.10.20.1

In this setup, you should not need a "router" as they have supplied an ip range and a network port that will route your traffic appropriately. You can, technically, just put a switch + servers on the end of the cable, setup your servers with 10.10.20.2 - 10.10.20.254 ip addresses with a gateway of 10.10.20.1 and you should be good to go (altho not as secure as you could be).



or

B) You have an IP, mask, and a route/gateway for your router, and a routable IP range to put behind it.

Example: IP=10.10.10.2 Mask=255.255.255.0 Gateway=10.10.10.1 Network=10.10.20.0/24

In this setup you need a router. You have to configure it with the 10.10.10.2 IP on one interface, and a 10.10.20.x ip on another interface. All your devices then sit on the 20.x interface and use your router as their default gateway.

In this instance, your cable likely goes back to a switch first, rather than a router, so your routers IP is one of many in that range attached to the same switch. I guess this is a more cost effective solution for the datacenter so its more likely the way they will be working.

[WhiteKnight]

Quote:

Originally Posted by Mu5icMan

This is the IP allocation email I received from the NOC: (I'll remove the IP's later just in case google index's them and I end up being a victim of a DDOS attack :P)

I would guess that one (or all) of those 3 IPs is a gateway, and the other 2 are backups.

[Mu5icMan]

It's going to be likely that it's the second diagram. From your diagram can I change it to

internets -> core router -> router -> switch -> servers?

If the core router the datacentres equipment and the router my equipment?

I only ask because I can't see the point if I'm managing the cabinet to have more than 1 router unless the client wants to be completely separate from the rest of the cab.

Also, good job on the drawings

Good thing I started demoing pfsense today just in case I need it as a router.

[Mu5icMan]

Got everything sorted in the end.

It was the first diagram. I didn't need any extra's although I will be running pfsense in transparent mode to monitor traffic.