We have a primary and backup data center with Nexus 7K/9K switching for L2 and L3. Currently there are several (dozen) Vlans trunked between the two data centers, but as you might expect we have had Spanning-Tree issues which then impact both data centers. To better isolate the two data centers we are implementing OTV via redundant ASR routers. Currently there is a failover ASA-5585 pair for Internet and DMZ access, with the active firewall in the primary data center and the standby firewall in the backup data center.
I have some concerns about the ASAs functioning correctly with this arrangement. The DMZ Vlan will only have an active gateway IP address in the primary data center normally, and OTV normally has an active default gateway for a given vlan in each data center. I'm also concerned about an ASA failover not working correctly over OTV. I looked into converting to ASA clustering, but we can't do a port-channel between data centers for L2 clustering and we would have to add an L3 device to the DMZ to do L3 clustering, so clustering doesn't seem to work.
I am a pushing for using OTV to extend the internal Vlans only, and to use separate firewalls, DMZs and public IP addresses at each data center and using F5 LTM/GTM functionality to handle failover between the two, but that means purchasing some additional hardware (another pair of firewalls, and at least a pair of GTMs)
Has anyone gone down this road, and come up with any good solutions? Also has anyone ever done OTV with an ASA failover pair, and does it work?
This looks like for me more of design issue, You need to understand unicast and multicast here.
Quick question what is the need of OTV in your organisation ?
Understood, and agreed. The push to OTV is being driven because they have several Vlans which host servers in both the primary and DR data centers. Currently they simply use HSRP and only have a default gateway active in one data center at a time, but traffic routing and spanning-tree issues have caused them to consider moving away from Vlans extended via 802.1q trunks, to OTV. I am not a fan of trying to do ASA failover between data centers. I prefer to have a seperate failover pair for each data center and then use different layer-3 addressing for the public and DMZ segments in each data center, but the customer didn't budget for another pair of firewalls, and want me to see if there is a way to leave the firewalls as they are (with the primary ASA in the primary DC, and failover ASA in the DR DC). So I thought I would see if anyone has an experience trying this. I'm skeptical that it will even work, but I thought I would ask and see.
If we have to we can leave the Vlans that support the ASAs on the existing 802.1q trunks, but I am hoping to convert their current 802.1q trunks to point-to-point routed connections, so the Spanning-Tree domains are isolated. But we might have to wait until they can get budget for another pair of firewalls.