L2 Border(s) and same L2 VN

KevinR99
Level 1

Hi

Is it possible to hand off the same L2 VN on multiple borders? I know it's not recommended to use the Border/CP for this function but I'm just exploring possibilities here. So, for example, I have 2 Borders (either L2 only or Border/CP nodes). I have a L2 VN called, for example, DMZ. I then have a channel from each Border to a switch outside my fabric and those 2 switches connect to my HA firewall pair. I want to hand off my DMZ L2 VN to both external switches such that should one of the switches or Borders go down I can still exit the Fabric via the other Border, onto the surviving switch and hit the Firewall DMZ which is my gateway.

I've actually configured the SDA side of this as a test and it seems ok but are there any support limitations for this setup?

Another setup I would like to have would be where I hand off my L3 VN's on a /29 subnet but using the same subnet/vlan on 2 Borders. These again connect to 2 external switches which connect to the firewalls. The Borders would each take an address in the /29 and the firewalls would have one or more addresses in an HA scenario. I'm thinking in this case I would need to advertise a default from my firewalls to the Borders but only the active FW would participate in the routing protocol. Lisp Pub/Sub would then handle where to direct default traffic to exit the fabric. If the full topology is working then both Borders could receive a default from the active FW and Lisp Pub/Sub would probably choose one of the Borders as its default exit point. If that Border failed or lost its upstream switch the other Border is the only one with a default and Lisp would direct traffic to it.

I think the summarised question here is can I hand off the same L2 VN on two Borders and the same L3 VN on a single subnet across 2 Borders?

Thanks again for any input.  K.

4 Replies

Torbjørn
Spotlight

Having multiple L2 borders for the same L2 VN works technically but it is not supported. See this excerpt from the CVD:

"The traditional network switches can be connected to a single border node with a Layer 2 handoff. A traditional network switch should not be multihomed to multiple border nodes. Dual-homing, however, is supported using link aggregation. Multichassis EtherChannel (MEC) is supported to a single border if the traditional network switches are operating in multi-box, single logical-box construct such as a hardware switch stack, Virtual Switching System (VSS), or StackWise Virtual (SVL). Redundancy for the border node itself can be provided through hardware stacking or StackWise Virtual."

https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Campus/cisco-sda-design-guide.html#Layer2BorderHandoff


As for the layer 3 border handoff, yes you can have a shared subnet where borders are peering to the firewalls. You will however need to configure this manually.

I am not quite sure what you mean in that only one firewall will participate in the routing protocol. Could you elaborate?

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

KevinR99
Level 1

Hi,

Thank you for the reply.  I suspected that I should only hand off a L2 VN on one Border but I thought if I tried to configure it on multiple Borders DNAC would throw an error.  It didn't.  However, that doesn't mean it will work and I'll follow the CVD advice on that.

Regarding the firewall issue.  I have a couple of 3rd party firewalls in HA and only the active one peers with my SDA Border.  If that fails, the other assumes the active address and peers with my Border.  Both firewalls do not show as BGP neighbors at the same time.

So with a 2 Border solution only one Border would have an active BGP session to the firewall and receive the firewall's 0.0.0.0 route.  Lisp would then direct traffic to that Border and out to the active FW.  If that FW fails the BGP session is then established from the now newly active FW to the other Border and Lisp will redirect traffic to that Border.  Both Borders and both Firewalls would share the same subnet so I have a L3 handoff on each Border on the same vlan and same subnet.

K.

That usecase should work just fine with a shared subnet for the peering networks. You will have to configure it by hand though.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev
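As an added illustration of the shared-subnet L3 handoff discussed above (this is not configuration from the thread's authors, and not what DNAC generates), here is the border-side part for one of the two borders; the second border is identical except for its own address in the /29. The VRF name, VLAN, AS numbers and addresses are assumed placeholders, and the peering points at the firewalls' floating address so that whichever unit is active owns the session, as KevinR99 describes. On a real border the VRF and BGP process already exist from provisioning; only the handoff pieces are shown.

```ios
! Added example, not the original poster's or DNAC's configuration.
! Border 1 of 2. Both borders and the HA firewall pair share 203.0.113.0/29 (placeholder range).
! Assumed: VRF DMZ_VN, VLAN 3001, border AS 65001, firewall AS 65002,
!          firewall floating (active) address 203.0.113.1, this border 203.0.113.2, other border 203.0.113.3.
vrf definition DMZ_VN
 rd 65001:3001
 address-family ipv4
 exit-address-family
!
interface Vlan3001
 description L3 handoff to DMZ firewall pair (shared /29)
 vrf forwarding DMZ_VN
 ip address 203.0.113.2 255.255.255.248
!
router bgp 65001
 address-family ipv4 vrf DMZ_VN
  ! Peer only with the floating address; the standby unit does not hold it, so only the active FW ever peers.
  neighbor 203.0.113.1 remote-as 65002
  ! Short hold time so a failover to the other firewall unit is noticed quickly.
  neighbor 203.0.113.1 timers 3 9
  neighbor 203.0.113.1 activate
  ! Accept nothing but the default route from the firewall, so a misconfigured firewall
  ! cannot inject more specific prefixes into the fabric VRF.
  neighbor 203.0.113.1 route-map FW-DEFAULT-IN in
 exit-address-family
!
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
route-map FW-DEFAULT-IN permit 10
 match ip address prefix-list DEFAULT-ONLY
```

The inbound prefix filter is the part worth keeping even if the rest differs: when a third-party firewall is the only eBGP neighbor in the VRF, the default route is all it should ever be allowed to hand the fabric.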

Sylvain_Che
Level 1

Hi,

About redundant L2Borders, DNAC allows you to configure the same L2Handoff on multiple L2Borders but gives you a warning that you should be careful about potential L2 loops outside the SDA fabric (e.g. on the traditional/DC side of the Fabric).

If you cannot control the L2 Domain outside the Fabric, to achieve some sort of L2Handoff redundancy, you can think of:

1. Configure L2Handoff on DNAC on both L2Borders.

2. Using some EEM scripting, from the L2Border where you want to achieve active L2Handoff forwarding, you can monitor via IP SLA the upstream switch/firewall. The other L2Border is "Standby" by manually removing all VLANs from its L2Handoff trunk uplink.

3. When the upstream device fails (or IP SLA fails), via the EEM script, you remove all VLANs from the L2Handoff trunk interface of the Active L2Border. Via a signaling mechanism between both L2Borders, you announce to your "Standby" L2Border to preempt L2Handoff traffic. And still via EEM scripting, you allow all VLANs on the original Standby L2Border, which would now actively forward L2Handoff traffic.

4. Once the original Active L2Border is able again to reach its upstream device, you do the reverse (if you want to fail back to your original active site).

This way you have only one L2Border actively forwarding traffic at a time.

Sylvain.
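As an added example of steps 2 through 4 above (this is not Sylvain's script, and nothing in the thread shows the actual configuration), here is the IP SLA tracking and the two EEM applets on the active L2Border. The port-channel, VLAN numbers and probe target are assumed placeholders, and the border is assumed to have a routed path to the probe target. The thread does not specify the signaling mechanism between the two borders, so it is not shown; the standby border needs an equivalent pair of applets driven by whatever signal the operator chooses.

```ios
! Added example, not the original poster's script.
! Active L2Border side only.
! Assumed: Port-channel1 is the L2 handoff trunk, VLANs 1021-1022 are the handed-off DMZ VLANs,
!          192.0.2.1 is the upstream firewall DMZ address reachable from this border (all placeholders).
ip sla 10
 icmp-echo 192.0.2.1
 frequency 5
ip sla schedule 10 life forever start-time now
!
! Dampen the probe: fail after 10 s of loss, but wait a full minute of stability before failback,
! so the two borders are never both forwarding the handoff VLANs during a flap.
track 10 ip sla 10 reachability
 delay down 10 up 60
!
! Step 3: upstream lost -> strip every VLAN from the handoff trunk so this border stops forwarding.
event manager applet L2HANDOFF-WITHDRAW
 event track 10 state down
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "interface Port-channel1"
 action 1.3 cli command "switchport trunk allowed vlan none"
 action 1.4 cli command "end"
 action 2.0 syslog priority warnings msg "L2 handoff withdrawn: upstream 192.0.2.1 unreachable"
!
! Step 4: upstream back -> re-allow the VLANs (failback). The signal telling the standby border to
! withdraw first is left to the operator; if the standby is still forwarding, re-allowing here creates
! exactly the loop outside the fabric that the DNAC warning is about.
event manager applet L2HANDOFF-RESTORE
 event track 10 state up
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "interface Port-channel1"
 action 1.3 cli command "switchport trunk allowed vlan 1021,1022"
 action 1.4 cli command "end"
 action 2.0 syslog priority warnings msg "L2 handoff restored on active border"
```

The syslog lines are there on purpose: both state changes should land in the central log collector, because a border that silently withdraws its handoff looks, from the fabric side, exactly like an upstream outage.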