
Data Centre BGP design

Level 3

Hi All,

I'm revisiting a design that I looked at a while ago and I need some advice.

See attached diagram.

We have 2 data centres with a connection to two ISPs. We will have our own AS with a /24 block of IP addresses which will be split for each internet link, so one /25 out of DC1 and one /25 out of DC2. In the event of an internet connection failure, all networks must be rerouted to the healthy link. We also want to look at possible load sharing.

The edge routers are then connected to the LAN, separated by Cisco ASA firewalls. The LAN switches will be L3 and will provide the first hop for connected devices.

I have 2 areas that I need help with.

1) In this scenario will I need an iBGP connection between the edge routers? If so, as I don't have a dedicated connection to link the edge routers together, can I peer iBGP between the edge routers via the firewalls and LAN?

2) How can I advertise internet reachability to the LAN? At the moment we have a static route on the LAN switch in each DC pointing to the local ASA. If the DC1 ASA went down, how could I reroute traffic to DC2? Would I need to redistribute BGP from the edge routers into an IGP running on the ASAs, or can it be more simple than that?

5 Replies

Edison Ortiz
Hall of Fame

1) You could setup an iBGP but before doing so, you will need a GRE tunnel between edge routers.

Without a GRE tunnel, all devices in transit will need to have network reachability to the destination.

2) You could run OSPF on the Edge routers, ASA and LAN. Generate a conditional default route from the Edge routers with OSPF based on the existence of a route, or default route.
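The two points above combined into one edge-router configuration, written here as an added illustration rather than configuration from the thread or from Cisco. All addresses and AS numbers are placeholders (RFC 5737 space for the public block, private 10.x addressing inside, private AS 65000 for the customer and 64501 for ISP-A), and the loopback/tunnel design and the "local /25 plus whole /24" announcement pattern are assumptions about the diagram, not something the thread states:

```cisco
! DC1 edge router (added example; placeholders throughout)
! Assumed: public block 203.0.113.0/24, DC1 announces 203.0.113.0/25,
! DC2 announces 203.0.113.128/25, our AS 65000, ISP-A AS 64501
!
! Loopback reachable through the ASA / LAN path, advertised in OSPF
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
! Point 1: GRE tunnel to the DC2 edge router, sourced from the loopback so it
! rides whatever inside path OSPF currently has (ASA + LAN + inter-DC link)
interface Tunnel0
 ip address 10.254.0.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 10.255.0.2
!
! Outside, toward ISP-A
interface GigabitEthernet0/0
 description ISP-A
 ip address 198.51.100.2 255.255.255.252
!
! Inside, toward the DC1 ASA (OSPF neighbour, authenticated)
interface GigabitEthernet0/1
 description ASA-DC1-outside
 ip address 10.1.0.1 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 <replace-with-shared-key>
!
! Only ever announce our own address space to the ISP
ip prefix-list OUR-SPACE seq 5 permit 203.0.113.0/24 le 25
!
router bgp 65000
 bgp log-neighbor-changes
 ! eBGP to ISP-A
 neighbor 198.51.100.1 remote-as 64501
 neighbor 198.51.100.1 prefix-list OUR-SPACE out
 ! iBGP to the DC2 edge across the GRE tunnel
 neighbor 10.254.0.2 remote-as 65000
 neighbor 10.254.0.2 update-source Tunnel0
 neighbor 10.254.0.2 next-hop-self
 ! Announce the local /25 plus the whole /24. If the DC1 ISP link fails the
 ! /25 is withdrawn, the internet follows the /24 to DC2, and DC2 carries
 ! the traffic back to DC1 over the inside path.
 network 203.0.113.0 mask 255.255.255.128
 network 203.0.113.0 mask 255.255.255.0
!
! Pull-up routes so the network statements are always satisfied locally
ip route 203.0.113.0 255.255.255.128 Null0
ip route 203.0.113.0 255.255.255.0 Null0
!
! Point 2: originate a default into OSPF only while a default route actually
! exists in the routing table (assumes ISP-A sends us a default; if it sends
! a full table instead, match a prefix the ISP is known to announce)
ip prefix-list ISP-DEFAULT seq 5 permit 0.0.0.0/0
route-map OSPF-DEFAULT-IF-ISP-UP permit 10
 match ip address prefix-list ISP-DEFAULT
!
router ospf 1
 router-id 10.255.0.1
 passive-interface default
 no passive-interface GigabitEthernet0/1
 network 10.1.0.0 0.0.0.255 area 0
 network 10.255.0.1 0.0.0.0 area 0
 default-information originate route-map OSPF-DEFAULT-IF-ISP-UP
!
! The DC2 edge router is the mirror image: Loopback0 10.255.0.2,
! Tunnel0 10.254.0.2/30 with destination 10.255.0.1, ISP-B as the eBGP
! neighbour, and "network 203.0.113.128 mask 255.255.255.128" for its /25.
```

The outbound prefix-list is the check worth keeping even if nothing else is reused: it stops the edge from ever leaking the ISP's default or anything learned from iBGP back out to the other ISP. The conditional default is the piece that makes the LAN side fail over: once the ISP default disappears from the DC1 routing table, the DC1 edge stops originating 0/0 into OSPF and the LAN switches fall back to the default still coming from DC2.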

Thanks for this. Makes sense.

Regarding point 1, is it common to setup an iBGP connection between edge routers over the internet as well as via the LAN?

2) Are there any security concerns with running OSPF on the firewalls? Is it possible to pass OSPF over the ASA to the LAN, or will the firewall prevent this as OSPF needs to be directly connected?

Yes, having iBGP running between internet edge routers is quite common.

What is not common is to have internet edge routers sharing the BGP AS between DCs.

In your diagram, you have a link between DCs via the LAN. Can you explain what kind of link is this?

OSPF runs quite well on ASA and I don't see any security concern.

You are correct, OSPF is not a multihop routing protocol, so you can't configure OSPF between Edge and LAN without having the ASA configured, unless you create /yet again/ another GRE tunnel.

Please remember to rate helpful posts.

Ok. Is there any other way to allow IP addresses to failover to another DC without sharing the BGP AS between DCs?

The link is a LES which will be configured to carry multiple VLANs between DCs. A point-to-point OSPF adjacency will be set up between DCs between SVIs on the switches, and a VLAN will be used for failing over applications.

Thanks for the advice with this.
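The ASA-as-OSPF-neighbour approach from the reply above, together with the LES point-to-point SVI adjacency just described, shown as an added example for the DC1 side (not configuration from the thread or from Cisco). Interface names, VLAN numbers and addresses are placeholders chosen to line up with an edge router at 10.1.0.1 and a DC2 switch on the far end of the LES; the MD5 key is a placeholder to be replaced with the same value on every neighbour of each segment:

```cisco
! DC1 ASA: OSPF neighbour on both legs so the edge router's conditional
! default reaches the LAN (added example; placeholder addresses)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.1.0.2 255.255.255.0
 ospf authentication message-digest
 ospf message-digest-key 1 md5 <replace-with-shared-key>
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 ospf authentication message-digest
 ospf message-digest-key 1 md5 <replace-with-shared-key>
!
router ospf 1
 router-id 10.1.1.1
 network 10.1.0.0 255.255.255.0 area 0
 network 10.1.1.0 255.255.255.0 area 0
 log-adj-changes
!
! Hellos are addressed to the ASA itself and terminate there, so no
! through-the-box access rule is needed; authenticating each segment means
! only a device holding the shared key can form an adjacency with the firewall.
!
! ---------------------------------------------------------------------------
! DC1 L3 LAN switch: drop the static default toward the local ASA and learn
! it from OSPF instead, so that when the DC1 ASA or ISP path goes away the
! default still originated by the DC2 edge (learned over the LES SVI) wins.
interface Vlan10
 description ASA-DC1-inside
 ip address 10.1.1.2 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 <replace-with-shared-key>
!
interface Vlan900
 description LES point-to-point to DC2 switch
 ip address 10.9.0.1 255.255.255.252
 ip ospf network point-to-point
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 <replace-with-shared-key>
!
interface Vlan100
 description server VLAN, first hop for connected devices
 ip address 10.1.100.1 255.255.255.0
!
router ospf 1
 router-id 10.1.1.2
 passive-interface default
 no passive-interface Vlan10
 no passive-interface Vlan900
 network 10.1.1.0 0.0.0.255 area 0
 network 10.9.0.0 0.0.0.3 area 0
 network 10.1.100.0 0.0.0.255 area 0
!
! Remove the static default described in the question; 0/0 now comes from
! whichever edge router currently has a working ISP default.
no ip route 0.0.0.0 0.0.0.0 10.1.1.1
```

With both DCs built this way, "show ip route 0.0.0.0" on either switch shows the OSPF external default with the local ASA as next hop while the local ISP is up, and flips to the LES SVI next hop when the local edge withdraws it. Keeping user and server VLANs passive stops a host on the LAN from injecting OSPF, and the per-segment keys stop an unauthenticated neighbour from forming an adjacency with the switch or the ASA.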

You could have the same BGP AS configured on each DC but keep in mind the BGP Loop prevention mechanism within BGP.

If you don't foresee traffic between DCs via the internet, then you can proceed without having iBGP between DCs.

If traffic between DCs is expected via the internet (say, in case the LES fails) then I recommend running different AS on each DC. Even having an iBGP by using the LES, can potentially create routing issues during a LES failure.
