Hi,
I need to replace our current Internet Edge.
We currently have 2 datacenters.
In DC1, we have:
- Peering with multiple ISPs accepting only directly connected routes and defaults(1G each). Announcing our prefixes equally among peers.
- 2 ASRs
- 2 Juniper SSG
- iBGP between ASRs and HSRP on the inside interfaces
- SSGs in Active/Passive with default routes towards the HSRP address on ASRs.
- SSG1(active) connects to Core-1 and SSG2(passive) connects to Core-2.
- Cores have a static default towards the SSG inside IP. Static default is redistributed into OSPF.
DC2 has :
- 1 ISP (1G), accepting default only. Announcing our prefixes using AS Path prepend.
- Single SRX1500
Manual internet Failover from DC1 to DC2 by adding default route (manually) to DC2 cores if DC1 went down and manually start advertising our prefixes to this ISP.
ASRs and SSG need replacing.
We want to upgrade to 10G ISP links, and provide some form of automated failover between DC1 and DC2. We do not want Firewalls in HA between sites...DC1 internet should be primary unless of catostrophic failure in DC1.
I'm looking at MX204 as internet routers and SRX 4100 at both DC1/DC2. (dont need next-gen, just simple imix 10g throughput (no VPN or any other inspection/ALG etc). Each SRX having a L3 link into each core, perhaps running OSPF.
Im aware that SRX4100 have single REs so cant use GRES and Full Failover requires the routing daemon to restart/start so theres scope for non-hitless failover if using dynamic routing protocols on the SRX.
Do you have any suggestions regards routing protocols between routers/firewalls and firewalls/cores?
And how to manage failover to DC2?
We have no dedicated links to iBGP between DC1 and DC2 edge routers so would need to use VXLAN via the inline DC-DC L3 links.
I would like to keep the DC1 and DC2 edges as seperate as possible, if possible.
No comments:
Post a Comment