Guidance on how to connect to an anycast HA environment

edward29 · ‎07-25-2020

We have recently moved into a new co-location site from another site with our Colo provider. They have mentioned they are now providing an anycast connection ("two ports providing identical internet uplinks but no HSRP or VRRP" Nexus 9000) out of the cabinet to the "internet".

At present one of the two anycast connections from the Colo Provider is not-connected as this "can cause a loop", and in cases of network outage on the active connection we must manually move the patch to restore connectivity. Not an ideal situation.

What would be the best practice to utilize the HA nature of the anycast connection in this type of configuration?

Keeping in mind that we would also like to be able to add an ASA in the near future to remove the SPOF of the current ASA.

Note 1: A.B.C.0/28 and X.Y.Z.0/24 are public IP address - not private ip address spaces (10.x, etc..)

Note 2: The IP gateway (to the internet) for the Colo Providers Anycast connection is A.B.C.9.

Note 3: The IP gateway (from the internet) for the X.Y.Z.0/24 network is A.B.C.10 (interface "outside" on the ASA)

Note 4: Our network (X.Y.Z.0/24) is advertised by the Colo Provider

Sergiu.Daniluk · ‎08-06-2020

Hi @edward29

I have some questions reg the topology you drew, as there are a couple of things which are not clear to me:

+ how is the phy connection between ASA and Colo provider? Are those two vertical lines two switches? What switches are these ones?

+ the nexus 9k switchs you mention about, are these the provider's switches? Are they configured in vPC?

+ how do you plan to configure the two ASAs? Active-Active or Active-Standby?

Stay safe,

Sergiu

edward29 · ‎08-07-2020

Hello Sergiu, thank you for the followup. in answer to your questions:

+ how is the phy connection between ASA and Colo provider? Are those two vertical lines two switches? What switches are these ones?

The vertical lines are isolated touchdown vlans (outside perimeter) on my pair of switches 37xx; There would be a primary (vlan 8) and secondary (vlan 808) that would be visible to the ASA.
Why plugin the colo connections to a switch? This is to help with adding the capability to SPAN the port (or physically plugin) another IDS or diagnostic device(s) into the traffic on the outside perimeter of the the ASA.
Each touchdown vlan would have connected to it one of the colo providers drops plus a port from the ASA. When the second ASA will be in place it would also be connected to each touchdown vlan via an interface port.
The other drop from the colo provider is presently disconnected and ready in the rack until needed.

+ the nexus 9k switchs you mention about, are these the provider's switches? Are they configured in vPC?

I am not familiar with vPC and I have asked the Colo Provider about the specifics of their setup but their reply is simply that they are providing "Anycast on Nexus 9000 on two identical internet uplinks no HSRP or VRRP."
The two links in the cabinet are from the providers leaf node switches, actual configuration not specified.
This leads me to believe it may be anycast-RP after researching the Nexus 9000 anycast documentation

+ how do you plan to configure the two ASAs? Active-Active or Active-Standby?

At present there is only a single ASA in use. I would like to ensure that HA network capability is available now (even though there there is a SPOF due the single ASA).
There is a plan for a second ASA to be added; I plan to have the failover solution enabled at that time. Either solution A/A or A/S is acceptable. This would be the next evolution