Tuesday, April 16, 2019

VXLAN across two DCs with stateful Ingress/Egress, how are you doing it?

Hello, I have a more general design question. I've read several docs, but I'm hoping some candid conversation with someone who has actually implemented it could provide better insight.

Scenario:

Two DCs with a dedicated DCI and independent ISP connections for internet, each fronted by firewalls (think Palo Altos, for example).

I want to stretch Layer 2 to provide a "simplified" mobility solution for applications where redundancy is not built into the app layer, such as allowing a VM to exist in either location without considering IP or gateways. Also consider a VMware environment where having two vCenters and using SRM between them (or whatever flavor of automated site failover is out there) is not an option.

This works fine using BGP EVPN and VXLAN to stretch the data and control planes relatively safely with ARP suppression and so forth. Also, for egress routing, a distributed gateway model with anycast IPs per VTEP seems to work fine, especially within a single DC with one egress/ingress point. I'm not sure how to handle traffic entering the DC once that load is stretched across two or more DCs. How would you avoid a VM in DC A exiting via DC A but the return traffic coming in through DC B?

I've read through some of the drafts for multi-site EVPN and the use of border gateways in between, but I've only read Cisco white papers in regard to implementation. Is this only a Cisco-implemented feature set right now?

I've also read some cases where people stretch a firewall HA interconnect over VXLAN to maintain state in each site's firewall, but that seems risky and prone to split-brain scenarios, where ultimately you'd be right back in the original problem case of traffic exiting DC A and entering DC B.

Overall, would love to hear your thoughts.
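To make the asymmetric-return problem from the question concrete, here is an added model (not from the original post) of two sites with independent stateful firewalls and a stretched /24 advertised from both. It also shows one mitigation that goes beyond the post: the site currently hosting the VM additionally advertises a /32 host route so the reply lands on the firewall that holds the session. All addresses, prefixes and the tie-break rule (the internet prefers DC B on equal prefixes) are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed 5-tuples: VM 10.1.1.10 lives in DC A and talks to 203.0.113.5 on the internet.
FLOW = ("10.1.1.10", 40000, "203.0.113.5", 443, "tcp")
REPLY = ("203.0.113.5", 443, "10.1.1.10", 40000, "tcp")


@dataclass
class StatefulFirewall:
    """Per-site firewall; its session table is local to the site (no HA state sync)."""
    site: str
    conntrack: set = field(default_factory=set)

    def outbound(self, flow):
        self.conntrack.add(flow)  # session is created only on the egress firewall
        return True

    def inbound(self, pkt):
        src, sport, dst, dport, proto = pkt
        # A reply is accepted only if the matching outbound session exists here.
        return (dst, dport, src, sport, proto) in self.conntrack


def ingress_site(routes, dst):
    """Site the internet returns traffic to: longest prefix wins; on a tie, assume DC B."""
    matching = [(net.prefixlen, site == "B", site) for net, site in routes if ip_address(dst) in net]
    return max(matching)[2]


def fresh_fws():
    return {"A": StatefulFirewall("A"), "B": StatefulFirewall("B")}


def simulate(routes, fws, egress="A"):
    """True if the reply to FLOW is accepted at whichever site the internet returns it to."""
    fws[egress].outbound(FLOW)                       # VM egresses via its local anycast gateway
    return fws[ingress_site(routes, REPLY[2])].inbound(REPLY)


# Case 1: both DCs advertise only the stretched /24; the reply may arrive at DC B and is dropped.
STRETCHED_ONLY = [(ip_network("10.1.1.0/24"), "A"), (ip_network("10.1.1.0/24"), "B")]
# Case 2: DC A also advertises a host route for the VM it currently hosts (assumed mitigation).
WITH_HOST_ROUTE = STRETCHED_ONLY + [(ip_network("10.1.1.10/32"), "A")]

if __name__ == "__main__":
    print("stretched /24 only :", simulate(STRETCHED_ONLY, fresh_fws()))   # False: dropped at DC B
    print("plus /32 from DC A :", simulate(WITH_HOST_ROUTE, fresh_fws()))  # True: symmetric via DC A
```

Swapping the tie-break or moving the VM (and its /32) to DC B reproduces the same failure in the other direction, which is the split-brain case the question worries about.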
