Tuesday, November 9, 2021

Multiple Active DC Design - is it wise to run BGP between your border leaf and border gateway which are different pairs of firewalls?

Hi folks,

I am reading up on some design documents in order to cater for an Active/Active DC model, which relies heavily on leaf/spine fabrics with MP-BGP EVPN as the control plane overlay (and VXLAN as the data plane). The idea is to span L2 when needed, over the IP fabric, without actually spanning VLANs across DCs.

There is an idea of advertising host routes (/32 and /128) into the IGP and/or the BGP peering with the border gateway, for better control of the ingress traffic. However, most guides just mention the concept without actually considering real-world device performance.

I am thinking of a design where my border leafs at each DC would peer BGP with the perimeter firewalls, since with BGP I can use lots of attributes for much better control. The perimeter firewalls can then advertise summary routes if needed. The IGP is giving me quite a headache in calculating costs, and there are still cases where I am concerned about asymmetric routing (since these are all stateful firewalls).
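As an added illustration (my own model, not anything from the design documents mentioned above), here is a small Python longest-prefix-match simulation of the ingress-steering question: two DCs each advertise the summary of a stretched subnet, and only the DC that actually hosts a server advertises its /32. The LOCAL_PREF values, DC names and addresses are all assumed/constructed for the example.

```python
# Added example, not from the original post. Models why host routes matter
# when a subnet is stretched over two DCs behind stateful firewalls.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: str      # advertised prefix
    dc: str          # which DC's firewall pair advertised it
    local_pref: int  # assumed BGP attribute used as tie-breaker upstream


def best_route(rib, dst):
    """Simplified BGP decision: longest match first, then highest LOCAL_PREF."""
    addr = ip_address(dst)
    candidates = [r for r in rib if addr in ip_network(r.prefix)]
    if not candidates:
        return None
    return max(candidates,
               key=lambda r: (ip_network(r.prefix).prefixlen, r.local_pref))


def is_symmetric(rib, dst, host_location):
    """True when ingress lands in the DC hosting the server, i.e. the same
    stateful firewall pair sees both directions of the flow."""
    r = best_route(rib, dst)
    return r is not None and r.dc == host_location[dst]


# Constructed sample: 10.0.0.0/24 is stretched across DC-A and DC-B.
HOSTS = {"10.0.0.10": "DC-A", "10.0.0.20": "DC-B"}
SUMMARIES = [Route("10.0.0.0/24", "DC-A", 200),   # DC-A preferred upstream
             Route("10.0.0.0/24", "DC-B", 100)]
HOST_ROUTES = [Route(f"{h}/32", dc, 100) for h, dc in HOSTS.items()]


def audit(rib):
    """Return {host: symmetric?} for every host in the stretched subnet."""
    return {h: is_symmetric(rib, h, HOSTS) for h in HOSTS}


if __name__ == "__main__":
    print("summaries only :", audit(SUMMARIES))
    print("with /32 routes:", audit(SUMMARIES + HOST_ROUTES))
```

With summaries only, traffic for the DC-B host enters through DC-A's firewall and returns through DC-B's, which a stateful firewall drops; adding the /32 steers ingress to the hosting DC.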

So, have you ever thought of or designed your data centres in such a way, and do you have any experience to share with this poor guy? Do you have performance and convergence issues with BGP running on firewalls?

P.S.: Please bear in mind that when I refer to those perimeter firewalls, I am not limiting it to Internet DMZ firewalls only, but to a modular design where there are different firewalls between each pair of modules (WAN-to-ServerFarm, HO-to-ServerFarm).
