DCI With OTV + F5 SLB where to put the FW and F5 SLB ,

Ibrahim Jamil · ‎08-23-2020

HI Freinds

In DCI solution , with OTV , where to put the FW and F5 SLB ,

thanks

Sergiu.Daniluk · ‎08-23-2020

Keeping in mind that usually in an OTV setup, where you configure FHRP isolation (Ref: https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Data_Center/DCI/whitepaper/DCI3_OTV_Intro/DCI_1.html#wp1220161) you will have a site local gateway.

Meaning that your firewalls will also need to be site-local active. Now, it is your choice if you plan on having two pairs of active/standby, one in each site or just one active/active pair with one node in each site.

Regarding the firewall location in the site, best would be to connect them to AGG VDC where the SVI(GW) are configured. If you have a vPC domain at AGG level, then make sure you connect your FW in vPC fashion. Same details applies to the SLBs.

here is a topology diagram I found with the design suggestion for a local site:

Stay safe,

Sergiu

Ibrahim Jamil · ‎08-24-2020

Hi Sergiu

My Complete server farm accessible from internet lives in DMZ , specialy E-Commerce server for Online shopping wile the DB (Bare Metals server) lives at Inside Network , Kindly Consider both DC Acts as Active/Active

My Question where to put The F5 SLB , aka before INET-FW , after INET-FW and other consideration

Regards

Ibrahim