cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1292
Views
0
Helpful
9
Replies

Metro ethernet data center connections

Scott_22
Beginner
Beginner

We will be moving our remote site connections from MPLS to MetroE and also adding a MetroE connection between our primary and backup data centers. Because we will be using MetroE, what is the best way to ensure remote site traffic is rerouted from the primary data center to the back up data center should the connection go down? I'm thinking that we could also have the remote sites connect to the backup datacenter and use OSPF throughout the network.In addition to the sites using MetroE, we are also connecting sites via site-to-site VPNs. Saying that, how could we also fail the VPN connections over to the backup datacenter?

9 Replies 9

jmperlewitz
Beginner
Beginner

Hi Scott,

 

It looks like you have multiple remote-sites to your primary data center but not your backup data center.  However, you now have a metroE connection between you data centers.  IMO, it would be best to have redundant links from each of your remote sites to each data center.  I would then create 2 eBGP connections to each data center and use BGP attributes to prefer traffic to your primary data center.  If the circuit at your primary data center ever fails, then you will fail over automatically to your backup data center. 

If you have 2 BGP connections from each remote site to both your data centers, then you no longer need the metroE connection between the data centers, unless you need to sync applications between the data centers.  If that is needed, then you can setup an iBGP peer between the data centers or you can use OSPF as well.

That makes perfect sense. But, how would we do it if we can't get that 2nd MetroE connection from each remote site to the DR? Is the primary site fails and there's not a 2nd MetroE connection than is it still possible to use eBGP?

If the only way to get to the secondary data center is via the primary data center, then you are in trouble if the primary data center fails.

 

I would recommend you keep the metroE connections to your primary datacenter and use DMVPN to connect to your secondary datacenter.  I assume you have internet at the remote sites and at the secondary data center?  If so, DMVPN would be a great solution.  Then you can still run BGP between remote site and both data centers and have fail-over.

You're right, DMVPN would be great, but our remote sites are not cisco. I'm not sure if site-to-site tunnels would work given their overhead and maintenance. Are there any other options?

If DMVPN is not an option, then Site-to-Site will have to suffice.  You can still use BGP.

 

Example:

DC1 (Primary):

int gi0/0

ip address 1.1.1.1 255.255.255.252

!

router bgp 65000

neighbor REMOTE peer-group
neighbor REMOTE remote-as 65001

neighbor 1.1.1.2 peer-group REMOTE

!

DC2 (Backup):

int gi0/0

ip address 2.2.2.1 255.255.255.252

!

router bgp 65000

neighbor REMOTE peer-group
neighbor REMOTE remote-as 65001

neighbor 2.2.2.2 peer-group REMOTE

-----------------------------------------------

REMOTE SITE (if only 1 router):

int gi0/0

desc To Primary DC

ip address 1.1.1.2 255.255.255.252

!

int gi0/1

desc To Backup DC

ip address 2.2.2.2 255.255.255.252

!

router bgp 65001

neighbor DC peer-group
neighbor DC remote-as 65000

neighbor 1.1.1.1 peer-group DC

neighbor 1.1.1.1 peer-group weight 1000

neighbor 2.2.2.1 peer-group DC

 

 

Let me know if you need an example of a remote site with 2 routers and/or if you need an example fo how to engineer inbound traffic as well.

 

 

 

This is beginning to come together. So to determine to best path locally on the remote routers we set the weight, with the highest value being preferred, but what about inbound? Would we use either MED or AS_Path? Then when it comes to deciding how traffic is routed in the data center, we will use iBGP and set a local preference to prefer traffic to leave through the primary DC, and then MED,AS_PATH to also prefer it for inbound traffic?

For inbound, I would use BGP communities.

 

Remote Site:

router bgp 65001

neighbor 1.1.1.1 send-community

neighbor 1.1.1.1 route-map SET-COMM-DC1 out

neighbor 2.2.2.1 send-community

neighbor 2.2.2.1 route-map SET-COMM-DC2 out

!

route-map SET-COMM-DC1 permit 10
set community 101:1

!

route-map SET-COMM-DC2 permit 10
set community 101:2

 

DC config on both DC routers:

router bgp 65000

neighbor REMOTE route-map SET-MED in

!

route-map SET-MED permit 10
match community 1
route-map SET-MED permit 20
match community 2
set metric +5000

I noticed you mentioned the use of MED and communities, why is there a need for both? Also, for our sites that don't have an MPLS connection that use site-to-site tunnels, will they have to have two tunnels now - one for the primary DC and backup DC?

You use BGP communities to tag the traffic that you want to take action on.  Then, based on the Community, you can see the corresponding MED on the remote end.

 

Unless you are using DMVPN, you will have to create separate IPSec tunnels to each data center.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: