Wednesday, July 21, 2021

Advice if something is possible or not. (Routing related)

Hi all good folks of Reddit, hope everyone is good!

I am not a networking engineer by trade; I am much more on the infrastructure side, with some security, than on networking. So please bear with me and excuse me if I am asking something stupid.

First a little bit of background information on the situation.

We have a VPLS network with our ISP, and with that a data centre in London and a glorified server room at a remote site. We use this server room as DR, which for us means we have backup replication to it and are able to switch VMs over to that site should the main site go down.

Both the data centre and the remote site are on the VPLS network with our ISP.
The remote site has a router from our ISP and a couple of Dell S4148T-ON switches.
The data centre has a FortiGate firewall.

Our company wide ingress and egress to/from the internet is via the data centre in London.

The VPLS network is using OSPF which is something our ISP looks after.

#### The addition to the setup

My IT director decided to rent a few cabs at a different data centre because rack space was cheaper. This new data centre is located in Sheffield and is NOT part of the VPLS network.

There is an IPsec VPN between the 2 data centres, and there is a 1 Gbps point-to-point link between the remote site and the new Sheffield data centre. That 1 Gbps p2p connection was originally meant just for carrying backup replication and VM replication traffic between Sheffield and the remote site.

The new data centre in Sheffield also has a FortiGate firewall and a couple of Dell S4148T-ON switches.

The provider of the data centre is the one providing that 1 Gbps link between the remote site and the new Sheffield data centre site.

#### Moving VMs between sites but keeping the same network range

When we first set up, we had our production server network on 192.168.80.0/24 in the Sheffield data centre, and when the servers failed over to the remote site during a DR test or a real DR scenario we would change the IP address network to 192.168.90.0/24.

The change in IP address network was annoying me a bit because we have a couple of systems that have a hardcoded IP address, which means during a failover I would have to be present and manually go and update the system/application to use a new IP address.
As an example, we could say that we have a web proxy that looks at 192.168.80.10 as a backend web server IP, and during a failover that web server would have its IP changed to 10.90.90.10, which means the web proxy setup would break until I logged in and corrected it.

So I wondered if it would be a good idea to say: why not expand the 192.168.80.0/24 network to cover both the Sheffield data centre and the remote site using the 1 Gbps link? That link was heavily underutilised and could carry any VLAN I wanted it to.

#### The problem

So I was able to add that VLAN for 192.168.80.0/24 to the 1 Gbps connection, and I could put VMs currently running in the remote site on that network and it would all be working.

The first problem was of course that a DR version of a VM sitting on 192.168.80.0/24 in the remote site still had the gateway IP of the firewall in the Sheffield data centre, and I could not add a 2nd default gateway. So I would either have to change the default gateway when a VM failed over to the remote site or manually go and update the default gateway on all failed-over VMs. Manually changing the gateway is no better than the situation I tried to prevent (manual labour during a failover).

The other thing I wanted to see if I could improve was the case where the IPsec VPN between the 2 data centres went down: how did other remote sites now get to the servers still running in Sheffield or in the remote DR site? The firewall in London would state that in order to get to 192.168.80.0/24 you have to go via the IPsec VPN to the Sheffield data centre.
So I thought perhaps we could redistribute the networks to say: if the IPsec VPN is down, go to the router at the remote DR site and it can send the traffic up via the 1 Gbps link.

This does work, but it is a bit clunky: when I add a new network to the Sheffield DC site I have to redistribute that network on the OSPF to say go via the IPsec VPN between the DC sites and otherwise go back to the remote DR site, and then get hold of our ISP and ask them to make their changes.

#### What I would like to hear from you all

Is it a bad idea to expand a subnet between the main site and the DR site just to avoid server re-IP-addressing? I am using DNS wherever I can, but sometimes that is not possible.

If the IPsec VPN between the data centres is down, is it worth it to pump traffic back to the remote DR site and then use the 1 Gbps link? This bit does seem to be the most clunky "fix" I have come up with :)

The other thing I was thinking of is that if I give a VLAN an IP on the switch at the remote DR site, I believe the Dell switch will route traffic without going to the actual router at the site. Is that correct?

Thanks for reading if you are still here :)
