Disaster Recovery?

Answered Question
Nov 10th, 2008

All,


I have a situation that we're trying to figure out. What's been requested is that we have a way of mirroring our VM servers from our corporate site to the DR site. They want to keep the same subnets that we have at corporate, and be able to use these at the DR site.


I've thought about L2TPv3, but that's not going to help with the subnets (your thoughts?). I believe this is going to be impossible to do. How do you handle remote site DR?


--John


Jon Marshall Mon, 11/10/2008 - 13:12

John


Not sure what you mean by using the same subnets at DR site. How are you going to route to the same subnets being advertised out of 2 separate sites ?


When you say they want to be able to use them do you mean in normal production or just be able to access them to apply updates etc ?


Jon

John Blakley Mon, 11/10/2008 - 13:22

Well, this is in line with my other L2 tunneling question a few weeks ago. I explained to them that we wouldn't be able to route traffic outbound to the other side because it's going to look for hosts on this subnet.


Now that being said, the ultimate goal is to be able to immediately fail over to the other site without any address changes. I'm not sure that's going to be possible. We don't NAT our traffic at all; our network is all IPFR. We route using BGP, and I'd have to contact our provider to have them point all traffic to our DR site, but the subnet at the DR site is different from here (of course). They want to make our main site and our DR site, more or less, a flat network. I'd have to create more addresses (currently we're on a class C scheme) in order to make this work and have enough addresses to go over the line.


More information on the connection is that we have a fiber connection from us to the provider into their fiber switch. They have a connection from their fiber switch to our DR. Apparently they only allow 25 MAC addresses across that link without additional charge. If there were some sort of NATing for MAC addresses, I would have hoped to be able to configure our point-to-point router with router on a stick and set the servers up in a certain VLAN, expand the subnet, and then transfer the data to the other site. Although, the addresses for each host are still going to change. I don't know how people handle a hot site.


Thanks Jon!!!!


John

Jon Marshall Mon, 11/10/2008 - 13:30

John


Not sure what you mean by this -


"We don't NAT our traffic at all; our network is all IPFR"


What is IPFR?


Anyway, that aside, don't forget that you can advertise the same subnet via BGP from different sites with a MED so that if your primary DC is up these routes are always favoured over the DR site. But that is a very high-level comment. A lot depends on how your BGP works and the topology of your network.


Bear in mind that to access these servers while the DC servers are up you can always NAT them and advertise the NATed subnet out of the DR site. I mean access in terms of admin on the servers not normal user traffic.


The other alternative is something like the GSS (Global Site Selector). This in effect allows you to have the same URL/name etc. pointing to the two different addresses, i.e. the one in your DC and the one in DR. If the DC one goes down the GSS can redirect to the DR one. You don't need to use the same IP address. But obviously this relies on the application using DNS names and not hardcoded IP addresses.


Jon

John Blakley Mon, 11/10/2008 - 13:48

Jon,


IPFR is IP Frame Relay. It runs through our provider, and they route the traffic for us. All of our addressing is private and everyone gets to the internet through our corporate office.


The best way for me to describe my topology is like hub and spoke, but our provider is the hub. If we were to go down, all of the other locations wouldn't be able to get to anything. Is GSS a Cisco thing, or is that more server related? I'm not sure routing with BGP is going to work because I can't get my same subnet over to the other site (that I'm aware of). Currently the servers are on 192.168.1.0/24 and at the DR site they're 192.168.2.0/24. The only thing I know to do if our site went down is to set up natting for that subnet (192.168.2.0 -- out as 192.168.1.0) and static nat everything back in. Is that what you mean?


--John

Jon Marshall Mon, 11/10/2008 - 13:56

John


Well you could do that, i.e. static NAT all 192.168.2.0 as 192.168.1.0 addresses.


Not sure what you mean by "I can't get my same subnet over to the other site". If you are using BGP then you just advertise the 192.168.1.0 subnet from your DR site (with a MED of course that means the DC is preferential). You need a route in the routing table in your DR site so the BGP network will be advertised out but that is easy enough.


GSS is a Cisco bit of kit. It basically acts as an authoritative DNS name server but it has more intelligence than a normal DNS server. It integrates well with Cisco load-balancing devices, i.e. CSS and CSM/ACE modules.


Jon



John Blakley Mon, 11/10/2008 - 14:00

I was strictly talking about the same subnet from the servers perspective. I can't transfer my same IPs to the DR site, unless you know of a way for me to do that. :-)


The original request from management was that we have an exact mirror of OSs, IPs, etc., at the DR site, and I'm just not sure that's possible, and if it is, I have no clue how to configure that. :-)


I'll have to look into GSS, it sounds promising.


--John

Jon Marshall Mon, 11/10/2008 - 14:02

John


Do you use BGP to advertise the subnets from your sites to your other sites ?


Jon

John Blakley Mon, 11/10/2008 - 14:08

Yes we do. It's very basic though. Here's what I'm seeing:


We have 192.168.1.0 at corporate. All servers are from 192.168.1.2 - .254.


They replicate across the fiber to 192.168.2.0 to servers at the DR site that are addressed from 192.168.2.2 - .254.


When remote sites hit the application servers currently, they are set up as hardcoded (I think) addresses to the 192.168.1.0/24 addresses.


If the corporate site goes down, they will all have to be fixed to either go to the 192.168.2.0 DR site, or I'll have to NAT out as the 192.168.1.0.


If I have to NAT as 192.168.1.0, how will BGP know where to send the 192.168.1.0 traffic back? Do I set a network in the bgp process on the 192.168.2.0 router for the 192.168.1.0 subnet?


--John

Correct Answer
Jon Marshall Mon, 11/10/2008 - 14:19

Okay, here is what you could do.


You could address the servers in your DR site as 192.168.1.0. For the replication you could NAT the DR servers to 192.168.2.0 so the DC servers could access them - note you would need to make sure that NAT does not break the replication.


Then you advertise out the 192.168.1.0/24 network from both the DC and the DR site. But you make sure that you use a BGP MED so that in ordinary operation all traffic for 192.168.1.0 would go to the DC servers. If the DC connection failed then the remote sites would then route to the DR site using the same 192.168.1.x addresses.


I'm not trying to make this sound easy as it would need testing and you also have to decide whether you want to failover automatically if the DC link goes down, i.e. what if there is just a short blip and you have failed over to the DR - this can create more problems than it solves.


So sometimes automatic DR is not what is needed. It really does depend on the amount of downtime the client can handle.


GSS is a cleaner solution but if all the clients use IP addresses to access the servers then it is very little use to you.


The other thing is what are you trying to DR for, i.e. the above in terms of BGP only works for a DC site failure whereas the GSS can handle individual server failures.


As you can probably see this is a huge subject :-)


Jon
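
As an added example (not part of Jon's answer or of any Cisco document), here is what the design Jon describes in this answer and in his earlier reply looks like as IOS configuration: the DR servers keep 192.168.1.x addresses, static NAT presents them to the DC as 192.168.2.x for replication, and both routers originate 192.168.1.0/24 with the DR copy carrying a higher MED. Everything concrete is assumed: both sites sit in private AS 65001 and peer with the provider's AS 65000 (so the provider compares the two MEDs), the neighbor addresses 10.0.0.1 and 10.0.1.1, the interface names, the DC-originated loopback, and the 192.168.3.0/24 range used as the "outside local" view of the DC servers. That second translation is what keeps NAT from breaking the replication: without it a DR server at 192.168.1.10 would receive replication packets sourced from the DC's 192.168.1.x and try to answer on its own LAN instead of sending them back to the router.

```cisco
! ===== DC router (AS 65001, primary site; assumed addressing) =====
interface GigabitEthernet0/0
 description DC server LAN
 ip address 192.168.1.1 255.255.255.0
!
interface Serial0/0
 description link to provider hub
 ip address 10.0.0.2 255.255.255.252
!
ip prefix-list SERVERS seq 5 permit 192.168.1.0/24
!
! lower MED = preferred by the provider while the DC is reachable
route-map DC-OUT permit 10
 match ip address prefix-list SERVERS
 set metric 100
route-map DC-OUT permit 20
!
router bgp 65001
 network 192.168.1.0 mask 255.255.255.0
 neighbor 10.0.0.1 remote-as 65000
 ! both sites are in 65001, so routes relayed by the provider carry our
 ! own AS; allow one occurrence or the DC never learns 192.168.2.0/24
 neighbor 10.0.0.1 allowas-in 1
 neighbor 10.0.0.1 route-map DC-OUT out

! ===== DR router (AS 65001, standby site; assumed addressing) =====
interface GigabitEthernet0/0
 description DR server LAN, same 192.168.1.0/24 as the DC
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 description link to provider hub
 ip address 10.0.1.2 255.255.255.252
 ip nat outside
!
! DR servers 192.168.1.x are reachable from the DC as 192.168.2.x
ip nat inside source static network 192.168.1.0 192.168.2.0 /24
! DC servers 192.168.1.x are seen by the DR servers as 192.168.3.x,
! so replication traffic never looks as if it came from the local LAN
ip nat outside source static network 192.168.1.0 192.168.3.0 /24
!
! the BGP network statement needs 192.168.2.0/24 in the RIB (inbound
! packets are translated before routing, so Null0 is safe); replies to
! the outside-local range must be routed toward the provider
ip route 192.168.2.0 255.255.255.0 Null0
ip route 192.168.3.0 255.255.255.0 10.0.1.1
!
ip prefix-list SERVERS seq 5 permit 192.168.1.0/24
!
! higher MED = used only when the DC's announcement disappears
route-map DR-OUT permit 10
 match ip address prefix-list SERVERS
 set metric 200
route-map DR-OUT permit 20
!
router bgp 65001
 network 192.168.1.0 mask 255.255.255.0
 network 192.168.2.0 mask 255.255.255.0
 neighbor 10.0.1.1 remote-as 65000
 neighbor 10.0.1.1 allowas-in 1
 neighbor 10.0.1.1 route-map DR-OUT out
```

Two things to check before trusting this. MED is only compared between paths received from the same neighboring AS, so the scheme depends on both sites peering with the same provider AS (or on the provider running bgp always-compare-med); confirm from a remote site with show ip bgp 192.168.1.0 that the DC path is the best path and the DR path is present as a backup. And because two routers now legitimately originate the same prefix, ask the provider to prefix-filter both sessions so that only these two peers can announce 192.168.1.0/24; allowas-in also relaxes BGP's loop detection on these sessions, so keep it at 1 and scope it to the provider peer only.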

John Blakley Mon, 11/10/2008 - 14:28

Thanks Jon. What type of resources would you suggest that I look into for this? I'm not even the server guy :-)


--John

Jon Marshall Mon, 11/10/2008 - 14:31

John


I know how that feels, seems like the network guys always end up doing the grey areas that everyone else disowns. Can count the number of times that has happened to me :-)


This is a very good start - it's a Cisco design doc on Business Continuance which addresses a lot of the issues you are facing -


http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/dcstslt.html


I'll help wherever i can :-)


Jon

Eric Kenny Sat, 05/02/2009 - 18:50
I know this is an old thread but I figured I would throw in my 2 cents...


We are trying to do the exact same thing and are looking into the Conditional Advertisement Feature of BGP.


http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080094309.shtml
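
As an added example (not from Eric's post or the Cisco document he links), this is how the conditional advertisement feature he mentions fits the design discussed in this thread: instead of announcing 192.168.1.0/24 from the DR site all the time with a worse MED, the DR router announces it only while a tracking prefix that the DC alone originates has vanished from its BGP table. All specifics are assumed: the DR router is in AS 65001 peering with the provider's AS 65000 at 10.0.1.1, the DR servers keep 192.168.1.x addresses with static NAT for replication already in place, and the tracking prefix is a DC loopback 10.255.0.1/32 that the DC router announces with "network 10.255.0.1 mask 255.255.255.255".

```cisco
! ===== DR router only (assumed addressing and AS numbers) =====
! tracking prefix: originated by the DC router and by nothing else
ip prefix-list DC-LOOPBACK seq 5 permit 10.255.0.1/32
ip prefix-list SERVERS seq 5 permit 192.168.1.0/24
!
! advertise-map: the routes to announce when the condition is met
route-map ADV-SERVERS permit 10
 match ip address prefix-list SERVERS
!
! non-exist-map: announce only while this prefix is ABSENT from the BGP
! table (IOS requires a prefix-list match here)
route-map DC-ALIVE permit 10
 match ip address prefix-list DC-LOOPBACK
!
router bgp 65001
 network 192.168.1.0 mask 255.255.255.0
 network 192.168.2.0 mask 255.255.255.0
 neighbor 10.0.1.1 remote-as 65000
 ! the DC loopback arrives via the provider with our own AS in the path
 neighbor 10.0.1.1 allowas-in 1
 neighbor 10.0.1.1 advertise-map ADV-SERVERS non-exist-map DC-ALIVE
```

In normal operation "show ip bgp neighbors 10.0.1.1 | include Condition-map" reports the status as Withdraw, and it changes to Advertise once the DC loopback is gone; the condition is evaluated by the BGP scanner, so expect up to a minute before the DR announcement appears or is withdrawn. The tracking prefix has to be something only the DC originates (if the provider filters /32s, track a DC-only /24 instead), and a flapping DC link still flaps the DR announcement with it, so this does not by itself remove the short-blip problem raised earlier in the thread.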
