New Member

Loadsharing between 2 Datacenters

Hi,

I have been assigned the following challenge: a customer wants to build 2 datacenters and connect these to a L3 backbone. I have attached a (very) simplified network diagram. 

Challenge: The customer wants to span a L2 domain across both DCs and needs to have an Active/Active firewall. This in turn means that the traffic flow needs to be symmetric. Since both firewalls (gateways) and clients in this example are in the same stretched L2 subnet, how do I get the clients in DC1 to primarily use the FW 10.0.0.1 as default gateway, and clients in DC2 using 10.0.0.254 as default gateway. Of course clients need to use DHCP ;)

Possible solution: See attached diagram. However, this relies on the additional delay of the DCI to assign different default gateways to clients, e.g. a DHCP request from a client in DC 1 will get the quickest response from a DHCP server in DC1, which assigns 10.0.0.1 as default gateway. The DHCP response from DC 2 (which would assign 10.0.0.254 as default gateway) would arrive late and be ignored by the client.

This does not seem like the perfect solution to me, since we are relying on many factors (e.g. the delay may change due to other circumstances). Does anybody have other suggestions?

Thanks in advance!

  • Application Networking
2 REPLIES
New Member

Relying on the timing of the DHCP offer is not deterministic.

Maybe:

  • keep your DHCP split-brain idea
  • block DHCP offers going out of the DCI link (to the other DC) on both sides
    • this way hosts in DC1 never get .254 as the default gateway, and vice versa.
    • make sure the DHCP server has redundancy in each DC (e.g. two DHCP servers in each DC)
  • bring the first hop down to the L3 switch the hosts connect to
    • use a routing protocol between the FWs and the switches.
  • Use a FHRP between the two DC access switches
    • two VIPs, .1 and .254.
    • DC1 is active for .1, DC2 is standby
    • DC2 is active for .254, DC1 is standby
    • You could track interfaces, routes, etc. for when to change who is active forwarder.
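As an added example (not part of the thread; the device role, VLAN, addresses and interface names are assumed), this is what the two pieces of the suggestion above look like on a Cisco IOS access switch in DC1: an inbound port ACL on the DCI-facing trunk that drops DHCP server-to-client traffic arriving from DC2, and two HSRP groups so that each DC is the active forwarder for its own gateway address. The platform is assumed to support IP port ACLs on Layer 2 switchports; on one that does not, the same match/drop can be done with a VACL on the DCI-facing switch.

```cisco
! Added example, not the thread's own configuration.
! Assumed: stretched subnet 10.0.0.0/24 on VLAN 10, this is the DC1 access
! switch, the DCI trunk is GigabitEthernet1/0/48, the backbone uplink is
! GigabitEthernet1/0/1. The DC2 switch gets the mirror image (priorities swapped).
!
! --- Part 1: keep the other DC's DHCP offers out ---
! DHCP server-to-client messages (OFFER, ACK, NAK) are UDP 67 (bootps) -> 68 (bootpc).
! An inbound port ACL on the DCI trunk drops them as they arrive from DC2, so DC1
! clients only ever see offers from DC1 servers (gateway .1). Local servers are
! unaffected because the ACL sits only on the DCI port, not on the VLAN.
ip access-list extended DCI-NO-REMOTE-DHCP-OFFER
 remark drop DHCP server-to-client traffic coming across the DCI
 deny   udp any eq bootps any eq bootpc
 permit ip any any
!
interface GigabitEthernet1/0/48
 description DCI trunk to DC2
 switchport mode trunk
 switchport trunk allowed vlan 10
 ip access-group DCI-NO-REMOTE-DHCP-OFFER in
!
! --- Part 2: two HSRP groups, one VIP active per DC ---
! Group 1 owns .1 and is preferred here; group 2 owns .254 and is preferred
! on the DC2 switch (priority 110 there, 90 here).
track 10 interface GigabitEthernet1/0/1 line-protocol
!
interface Vlan10
 ip address 10.0.0.2 255.255.255.0
 standby version 2
 standby 1 ip 10.0.0.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 10 decrement 30
 standby 2 ip 10.0.0.254
 standby 2 priority 90
 standby 2 preempt
```

Two caveats when applying this. The ACL matches only the direct server-to-client exchange; if the DHCP servers are reached through a relay (ip helper-address), the server's reply travels unicast to the relay on UDP 67 to 67 and must be filtered there instead. And because remote offers are now dropped, a DC whose DHCP servers are all down cannot hand out leases at all, which is why the reply asks for two servers per DC. If the firewalls rather than the switches own .1 and .254, only Part 1 applies.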
New Member

Hey,

Thanks for your reply! Blocking DHCP on the DCI is a good idea... it should have the result I am looking for. The first hop will need to be the firewall though, since we have the networks assigned to different security zones. Not the optimum regarding performance, but it will be the more secure approach. I am aware that in a failover scenario, e.g. data from DC2 destined for another network in DC2 will traverse the DCI to get routed.

Regards
