Data centers are an integral element in supporting distributed client/server computing. Data centers enable the use of powerful applications for the exchange of information and transaction processing and are critical to the success of modern business. A typical n-tier data center uses multiple physical devices. These devices, shown in FIG. 1, may include a firewall 10 that provides access security for a server farm having web servers 11 and 12, a Layer 3 switch 13 that performs routing functions, and a content switch 14 to load balance traffic to web servers 11 and 12. Each of the web servers 11 and 12 may have dual network interface cards for redundancy reasons or may be further connected to a backend network to communicate with a tier of application servers 19 and 20 through switches 15 and 16, a second tier of firewalls 17 and a content switch 18. Other servers, such as mail servers, file servers, DNS servers, streaming servers or servers directed to other specific tasks, may be included in the data center as is well understood in the art.
Application servers 19 and 20 are further connected to another backend network through switches 21 and 24, another tier of firewalls 22 and a content switch 23 to a tier of database servers 25 and 26.
One problem with the topology of the n-tier data center is that it requires too many physical devices, is expensive to set up and operate, and is difficult to manage. Thus, setting up an n-tier data center to service requests from a large number of users is not only expensive but also difficult to maintain. What is needed is a simplified data center topology that reduces the number of physical devices, is inexpensive to set up and is easy to maintain.
To address this need, an embodiment of a prior art data center is shown in FIG. 2 with a simplified topology. In this prior art embodiment, a firewall eliminates the need for a separate physical firewall device at more than one tier. Thus, as shown in FIG. 2, a single virtual firewall 28 interfaces a plurality of content switches 29-31, web servers 32, application servers 33 and database servers 34 to Layer 3 switch 27. It is important to note that Layer 3 switch 27 also replaces the multiple switches 15, 16, 21 and 24 required in FIG. 1. The Layer 3 switch provides both connectivity for all the servers and the logical separation between the different types of servers (web, application and database) through the use of Virtual Local Area Networks or VLANs. VLANs 35-37 couple the servers 32, 33 and 34, and the respective content switches 29-31, to firewall 28. Traffic from a server, such as one web server 32, to a database server 34 will pass through firewall 28 to be routed toward database server 34 by switch 27. The traffic must pass through firewall 28 a second time before reaching database servers 34, thereby providing secure communication between servers coupled to different VLANs. Thus, by replacing the multiple firewalls 10, 17 and 22 shown in FIG. 1 with a single firewall 28, the data center topology in FIG. 2 provides the same functionality with considerably fewer physical devices, owing to the elimination of switches 15, 16, 21 and 24. While this embodiment reduces the number of devices, it is still expensive to set up and maintain. Layer 3 switch 27 in FIGS. 2 and 3 and the remaining figures is also abstracted to provide a simplified view of the layer 2 connectivity for the server farm tiers depicted in FIG. 1, in addition to the layer 3 routing functions.
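The double pass through firewall 28 described above, modeled as an added example (constructed here, not part of the patent): each VLAN is a logical firewall interface with its own allow set, so inter-VLAN traffic is checked once when leaving the source VLAN and again when entering the destination VLAN, while same-VLAN traffic stays at layer 2 on switch 27. The VLAN addressing, ports and policy are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed addressing for VLANs 35-37 (web 32, application 33, database 34).
VLANS = {35: ipaddress.ip_network("10.35.0.0/24"),
         36: ipaddress.ip_network("10.36.0.0/24"),
         37: ipaddress.ip_network("10.37.0.0/24")}

@dataclass
class VirtualFirewall:
    """Firewall 28: one logical interface per VLAN, each with its own allow set of
    (src_vlan, dst_vlan, dport), consulted at every VLAN boundary crossing."""
    policy: dict = field(default_factory=dict)       # vlan id -> allow set
    inspections: list = field(default_factory=list)  # interfaces that saw the packet

    def inspect(self, iface: int, sv: int, dv: int, dport: int) -> bool:
        self.inspections.append(iface)
        return (sv, dv, dport) in self.policy.get(iface, set())

def vlan_of(ip: str) -> int:
    addr = ipaddress.ip_address(ip)
    for vid, net in VLANS.items():
        if addr in net:
            return vid
    raise ValueError(f"{ip} is outside the server VLANs")

def route(fw: VirtualFirewall, src_ip: str, dst_ip: str, dport: int) -> list:
    """Trace a packet through the FIG. 2 topology; the path ends at the drop point
    if a policy check fails."""
    sv, dv = vlan_of(src_ip), vlan_of(dst_ip)
    path = [f"server:{src_ip}"]
    if sv == dv:  # same tier: switch 27 forwards at layer 2, firewall not consulted
        return path + ["switch27:L2", f"server:{dst_ip}"]
    if not fw.inspect(sv, sv, dv, dport):         # first pass: leaving source VLAN
        return path + [f"fw28:drop@vlan{sv}"]
    path += [f"fw28:vlan{sv}", "switch27:route"]  # layer 3 switch 27 routes it
    if not fw.inspect(dv, sv, dv, dport):         # second pass: entering destination VLAN
        return path + [f"fw28:drop@vlan{dv}"]
    return path + [f"fw28:vlan{dv}", f"server:{dst_ip}"]

def build_firewall() -> VirtualFirewall:
    """Constructed policy: the web VLAN's egress rules are deliberately loose
    (web -> database allowed), but the database VLAN only admits the app tier,
    so the second pass through firewall 28 still blocks web -> database."""
    return VirtualFirewall(policy={
        35: {(35, 36, 8080), (35, 37, 5432)},
        36: {(35, 36, 8080), (36, 37, 5432)},
        37: {(36, 37, 5432)},
    })
```

Calling `route(build_firewall(), "10.35.0.7", "10.37.0.5", 5432)` shows the packet clearing the web-side check, being routed by switch 27, and then being dropped at the database-side interface.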
In another data center topology, using the single firewall 28 coupled to a content switch reduces the number of physical devices. By tightly linking firewall 28 with content switch 38 operating in bridge mode, further simplification is achieved. The embodiment shown in FIG. 3 affords a further reduction in the number of physical devices because content switch 38 and firewall 28 are mounted in one common chassis 39 as two service blades. In FIG. 3, content switch 38 replaces the content switching instances 29, 30 and 31 shown in FIG. 2. In this embodiment, firewall 28 and content switch 38 perform the work of up to ten physical devices compared to the topology shown in FIG. 1. While the topology shown in FIG. 3 is greatly simplified, the transfer of traffic between the content switch, firewall and router is not easily configured. Further, the firewall does not preserve traffic segmentation, and it must still perform some routing functions. Similarly, the content switch must also perform some routing functions in addition to its load balancing functions, which is undesirable.
To overcome these disadvantages of the prior art data center topology, a topology in accordance with the present invention efficiently routes traffic on internal subnets as well as traffic routed between a subnet and an outside network. The data center topology employs layer 7 and layer 4 services on a common chassis or platform to provide routing, load balancing and firewall services, simplifying the data center topology. Advantageously, the number of devices necessary to implement the data center is reduced and configuration is simplified.
The foregoing and additional features and advantages of this invention will become apparent from the detailed description and review of the associated drawing figures that follow.