Wednesday, November 28, 2018

Is BGP over vPC a good idea?

My team is required to make dynamic routing work between multiple data centers, and I am considering changing the static routes to BGP peering with our firewalls. Since the firewall HA pair is currently connected over vPC, I am wondering whether peering BGP from the switch to the firewall over vPC is a good idea.

Design Choices:

1. RouterA --- BGP --- SwitchA --- BGP --- FWA
      |                   |
   RouterB --- BGP --- SwitchB --- BGP --- FWB

Everything is a point-to-point L3 link and there is no vPC.

Pros:

a. No need to upgrade the switch.

b. We are confident the routing will work.

Cons:

a. Need to move the cables: the existing SwitchA-to-FWB and SwitchB-to-FWA cables need to be changed to SwitchA-to-FWA and SwitchB-to-FWB, since crisscross connections are no longer needed.

b. According to Ciscolive 2016 BRKSEC-2020 Page 109, it is not a good design if the goal is to minimize firewall failovers.

c. Only half of the ports are utilized.

2. RouterA --- BGP over vPC --- SwitchA --- BGP over vPC --- FWA
      |   x                        |   x
   RouterB --- BGP over vPC --- SwitchB --- BGP over vPC --- FWB

Pros:

a. No need to change the cables.

b. Good for firewall failover scenarios.

c. Utilizes all ports.

Cons:

a. Need to upgrade to Release 7.

b. Not certain whether BGP over vPC is a good idea; the OSPF over vPC post from 8 days ago looks very scary.

3.    |------------------BGP Multihop-----------------|
   RouterA --- vPC --- SwitchA --- vPC --- FWA
      |   x               |   x
   RouterB --- vPC --- SwitchB --- vPC --- FWB
      |------------------BGP Multihop-----------------|

Pros:

a. No need to change the cables.

b. No need to upgrade the switches.

c. Good for firewall failover scenarios.

d. Utilizes all ports.

Cons:

a. The servers connected directly to the switches might take more hops, because the switch cannot make routing decisions for certain traffic. Depending on where the default route points, certain traffic will be routed to the router and then back to the firewall.
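As an added illustration of what design 3 looks like in configuration (this is example config written for this post, not taken from the original article or from any Cisco document), the fragment below shows SwitchA acting as pure L2 vPC transit for a single BGP VLAN and RouterA peering with FWA loopback-to-loopback with a TTL of 2. NX-OS and IOS command syntax, AS numbers, VLAN 100, and all addresses (10.100.0.0/24 transit, 10.255.0.x loopbacks, 192.0.2.x peer-keepalive) are assumptions chosen for the example; SwitchB and the firewall side are assumed to mirror what is shown.

```text
! --- SwitchA (Cisco NX-OS, assumed syntax). SwitchB mirrors this with its own
! --- peer-keepalive addresses. The switch runs no BGP; VLAN 100 is L2 transit.
feature vpc
feature lacp

vpc domain 10
  peer-keepalive destination 192.0.2.2 source 192.0.2.1
  ! peer-gateway lets either vPC peer forward frames addressed to the other
  ! peer's gateway MAC, which routers attached over vPC commonly require
  peer-gateway

interface port-channel11
  description vPC to RouterA (existing crisscross member cabling unchanged)
  switchport mode access
  switchport access vlan 100
  vpc 11

interface port-channel21
  description vPC to FWA
  switchport mode access
  switchport access vlan 100
  vpc 21

! --- RouterA (Cisco IOS, assumed syntax). Port-channel member interfaces are
! --- omitted. The session is sourced from Loopback0 so it survives whichever
! --- vPC member link happens to carry it; the static route reaches FWA's
! --- loopback across the transit VLAN.
interface Loopback0
 ip address 10.255.0.1 255.255.255.255

interface Port-channel1
 description transit VLAN 100 toward the vPC pair
 ip address 10.100.0.1 255.255.255.0

ip route 10.255.0.20 255.255.255.255 10.100.0.20

router bgp 65001
 bgp router-id 10.255.0.1
 neighbor 10.255.0.20 remote-as 65002
 neighbor 10.255.0.20 ebgp-multihop 2
 neighbor 10.255.0.20 update-source Loopback0
```

The con listed for this design follows directly from the fragment: the switch holds no BGP routes, so a server SVI on SwitchA can only follow its default route to RouterA, and RouterA then forwards the packet back through the same switch (at L2 this time) toward FWA. The firewall would need the mirror-image peering statements (remote-as 65001, multihop 2, sourced from its own loopback) and a static route to 10.255.0.1.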
