ISP Resiliency

de1denta
Level 3

Hi All,

We are looking at setting up a DR data centre that will provide internet edge resiliency as follows:

1) If the primary site internet connection fails, inbound traffic will flow via the DR data centre and over the iBGP link to the primary site. This will allow stateful firewall flows to be maintained. Outbound traffic takes the same path.

2) In the event that the primary site fails completely, inbound and outbound traffic will flow via the DR data centre.

Please see attached diagram.

We will be using the same ISP for the primary and backup internet connections, using a private AS and a provider IP address range. The plan is to connect the ISP links to Cisco 3650 switches running the IP Services image and configure eBGP sessions to the ISP and iBGP between the switches. We will only be receiving a default route from the ISP and announcing our IP address range. We will use local preference to prefer the default route via the primary site. AS path prepending will be used on the DR switch to force inbound traffic via the primary site.

Can anyone see any issues with this design?

Also, we don't have a dedicated link to establish the iBGP connection. I have heard that it's possible to establish a GRE tunnel between the border switches via the internal network. Can anyone see an issue with this approach?

1 Reply

Milan Butina
Level 1

Hi There,

I think you're on the right track, however a few points are worth mentioning:

  • If possible I'd recommend using two separate ISPs; if your ISP has an internal issue of some sort, your dual-site redundancy may be affected. This setup will protect you from local link/device failure at each site but may not protect you from larger issues specific to the ISP.
  • Have you considered internal routing (if applicable)? How will you redistribute the default routes into an interior routing protocol, and how will you ensure the default path scenarios are maintained (e.g. modifying costs while redistributing internally, etc.)?
  • iBGP won't require a direct link (or GRE tunnel) to form a neighbourship; as long as you have a route to get to the iBGP peer address (can be static) and it can talk on TCP port 79, you'll be alright. You may also want to look at next-hop-self.
  • Depending on your Internet bandwidth and requirements, it may also be worth considering quality of service parameters/shaping etc. and whether the 3650 meets your requirements in that space.

Cheers
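The design from the original post (eBGP to the one ISP from each site, default route only inbound, local preference for the outbound choice, AS-path prepending on the DR side) together with the reply's point that the iBGP session only needs IP reachability between the two switches (loopback-to-loopback peering with next-hop-self, no GRE tunnel), written out as an added Cisco IOS configuration example. This is not configuration from the original post or the reply. Everything specific is a placeholder: AS 65000 for the private AS and AS 64496 for the ISP, 203.0.113.0/24 as the provider-assigned range, the 198.51.100.0/30 and 198.51.100.4/30 ISP link subnets, the 10.255.0.x loopbacks and 10.0.0.x internal next hops, the hostnames, interface names and the session password.

```cisco
! ===== PRIMARY border switch (placeholder hostname PRI-EDGE) =====
hostname PRI-EDGE
!
interface Loopback0
 description iBGP peering address, reachable over the internal network
 ip address 10.255.0.1 255.255.255.255
!
interface GigabitEthernet1/0/1
 description ISP link, primary site (placeholder addressing)
 ip address 198.51.100.2 255.255.255.252
!
! Anchor the announced range on Null0 so the network statement can
! always originate it; the high distance keeps interior routes preferred.
ip route 203.0.113.0 255.255.255.0 Null0 250
! Static route to the DR loopback across the internal core.
! This is all the iBGP session needs; a GRE tunnel is not required.
ip route 10.255.0.2 255.255.255.255 10.0.0.2
!
ip prefix-list OUR-RANGE seq 5 permit 203.0.113.0/24
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
! Inbound from the ISP: accept only the default route and give it a
! high local preference so both sites send outbound traffic this way.
route-map ISP-IN permit 10
 match ip address prefix-list DEFAULT-ONLY
 set local-preference 200
!
! Outbound to the ISP: announce only our own range, no prepend here.
route-map ISP-OUT permit 10
 match ip address prefix-list OUR-RANGE
!
router bgp 65000
 bgp log-neighbor-changes
 network 203.0.113.0 mask 255.255.255.0
 ! eBGP to the ISP (placeholder ASN 64496)
 neighbor 198.51.100.1 remote-as 64496
 neighbor 198.51.100.1 description ISP primary link
 neighbor 198.51.100.1 password SESSION-SECRET
 neighbor 198.51.100.1 ttl-security hops 1
 neighbor 198.51.100.1 route-map ISP-IN in
 neighbor 198.51.100.1 route-map ISP-OUT out
 neighbor 198.51.100.1 maximum-prefix 1
 ! iBGP to the DR switch, loopback to loopback
 neighbor 10.255.0.2 remote-as 65000
 neighbor 10.255.0.2 description DR-EDGE iBGP
 neighbor 10.255.0.2 update-source Loopback0
 neighbor 10.255.0.2 password SESSION-SECRET
 ! Rewrite the ISP next hop to our loopback so the other site can use
 ! this default route without needing a route to the ISP link subnet.
 neighbor 10.255.0.2 next-hop-self
!
! ===== DR border switch (placeholder hostname DR-EDGE) =====
! Identical to the primary except for addresses and the two route-maps:
hostname DR-EDGE
!
interface Loopback0
 ip address 10.255.0.2 255.255.255.255
!
interface GigabitEthernet1/0/1
 description ISP link, DR site (placeholder addressing)
 ip address 198.51.100.6 255.255.255.252
!
ip route 203.0.113.0 255.255.255.0 Null0 250
ip route 10.255.0.1 255.255.255.255 10.0.0.1
!
ip prefix-list OUR-RANGE seq 5 permit 203.0.113.0/24
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
! Lower local preference than the primary, so the DR default is only
! used once the primary's default disappears from iBGP.
route-map ISP-IN permit 10
 match ip address prefix-list DEFAULT-ONLY
 set local-preference 100
!
! Prepend our AS so the ISP prefers the primary link for inbound traffic.
route-map ISP-OUT permit 10
 match ip address prefix-list OUR-RANGE
 set as-path prepend 65000 65000 65000
!
router bgp 65000
 bgp log-neighbor-changes
 network 203.0.113.0 mask 255.255.255.0
 neighbor 198.51.100.5 remote-as 64496
 neighbor 198.51.100.5 description ISP DR link
 neighbor 198.51.100.5 password SESSION-SECRET
 neighbor 198.51.100.5 ttl-security hops 1
 neighbor 198.51.100.5 route-map ISP-IN in
 neighbor 198.51.100.5 route-map ISP-OUT out
 neighbor 198.51.100.5 maximum-prefix 1
 neighbor 10.255.0.1 remote-as 65000
 neighbor 10.255.0.1 description PRI-EDGE iBGP
 neighbor 10.255.0.1 update-source Loopback0
 neighbor 10.255.0.1 password SESSION-SECRET
 neighbor 10.255.0.1 next-hop-self
```

The route-maps do the filtering in both directions: only the default is accepted from the ISP and only the provider-assigned range is announced, so neither switch can leak internal or transit routes to the ISP or take in a full table by accident, and maximum-prefix 1 tears the session down if the ISP ever sends more than the default. The MD5 password and ttl-security on the eBGP sessions are general hardening and assume the ISP agrees to configure the same on their side. Two caveats worth checking with the ISP rather than assuming: since the AS is private, the ISP will normally strip it before announcing further, so the prepend can only influence path selection inside the ISP's own network (which is where it matters here, as both links terminate on the same ISP); and the `network` statement only originates the range while the Null0 anchor route is present, so confirm that route exists on both switches after a reload.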