                +------------+
                |            |
                |  2130 FW   |
       +--------+  DC Split  +----------+
       |        |            |          |
       |        +------------+          |
       |                                |
       |                                |
  +----+---+                        +----+---+
  | DC A   |                        | DC B   |
  | SW #1  +------------------------+ SW #1  |
  +----+---+                        +----+---+
       |                                |
       |                                |
       |                                |
       |                                |
  +----+---+                        +----+---+
  | DC A   |                        | DC B   |
  | SW #2  +------------------------+ SW #2  |
  +--------+                        +--------+
In my 2130 FWs, I have one physically at DC A and one at DC B in an HA pair (yes, splitting between DCs is bad, but hey, gotta work with what I can).
In my design, it's basically "router on a stick with some Layer 3". Access layer switches have some items split into VRFs, and those access switches are routed via OSPF back to the nearest DC A or B SW. DC A/B SW #1 then connect to the active 2130. Servers and services then have their gateway on the 2130 and are advertised by it; the 2130 trunks them out on another VLAN to the appropriate server or into the VM hosts for Layer 2 in the DC. Both of these routed and service VLANs run over the same 20Gbps EtherChannel.
The issue I'm running into seems to be that if the 2130 in DC A is online, I can't access servers while having a valid route from my access layer switch, but the 2130 can. If I shut the DC A SW #1 OSPF peer, everything will then go to DC B SW #1 and back to the 2130 in DC A, operating as normal. Fail over the 2130s and the reverse becomes true.
Am I hitting some Firepower limitation that should be obvious right in front of my face, with these occurring on the same physical interfaces?