Friday, April 13, 2018

Routing between two customers' networks

We manage the DCs for some of our customers, including B, and customer A has a router in the same DC, so we have BGP peering with them. "A" wants to access an internal server in B's network, so we provide the connectivity (and yes, due to some regulatory issues we seem to like firewalling stuff :)

https://snag.gy/EhSqtj.jpg

However, they have a Skype server in the DMZ, and now that we advertise customer B's full network towards A, the traffic towards Skype comes in via the "internal" interface of customer B's network. This makes life difficult, since we would have to add the rules both on our own firewalls and in the customer's firewalls.

Do you see a better way to do this? Or should I just bite my tongue and configure all the rules :) We've also had problems when, for example, one customer's Exchange has an internal address and can reach another customer's mail server via the direct peering, but the other customer's Exchange only knows the MX record, which has a public IP address (NATted on the other customer's network), and tries to send packets back over the internet.

I'd like to advertise full networks to benefit from the faster inter-DC link instead of going over the internet. Maybe I should take the routes from the different customers into an internet VRF and then just have all the customers use our internet connectivity to go out? We're not really an ISP per se, so we haven't had much experience with this... so far we've managed by not routing the "public IPs" via those direct peerings, but it's difficult to manage and also slower.

Thanks for any ideas!
