SD-Access Using LISP Pub/SUB for DataCenter Failover

bclounie
Level 1

We are implementing an SD-Access greenfield using LISP Pub/Sub for SD-Access transit. We have two data centers, each with an internet egress point through a firewall located at that site. Apart from a YouTube video (which is good), I have not been able to find additional design recommendations on using LISP Pub/Sub.

What are the recommended designs for using LISP Pub/Sub for failover between two data centers with their respective firewalls?
The concern is potential asymmetrical traffic flow to the internet.


PabMar
Cisco Employee

Hello,

Was that by any chance my most recent video?

Border/CP placement doesn't really change with LISP pub/sub.

Are you BGP peering from the DCs out to your ISPs, or are they just providing you with an IP and a default route?

Is there an HA pair of FWs at each DC, or do you have the active in DC1 and the standby in DC2?

Are you planning to use the FWs as the fusion devices or are there devices in between to act as fusion?

I don't see any issues with the borders load-balancing traffic from the LAN towards the upstream firewall. The issue is the return traffic; however, with HA FWs, one is active and the other is standby, so traffic going out and returning will always go/come back through the same FW.

Regards.

How might the conditions change if the firewalls were clustered, with an FTD 3K, 4K or higher, from the perspective of traffic symmetry?


Hi Anthony,

I'm not a firewall expert. What I know of clustering is that you bundle 2 or more FPRs to benefit from the convenience of a "single device" from a mgmt perspective, and also from the increased throughput and redundancy.

It is my understanding that once the FPRs are in a cluster and asymmetric traffic lands on a different member of the cluster, the traffic is sent to the member that had the originating session for processing via the control link.

With that said, I don't think asymmetric traffic would be an issue in this case.

Regards.

Scott Hodgdon
Cisco Employee

Hi Bruce! Long time. Hope all is well!

Can you provide a diagram of what you are trying to achieve?

Cheers,
Scott Hodgdon

Senior Technical Marketing Engineer

Enterprise Networking and Cloud Group

bclounie
Level 1

Hi Scott, yes, small world, things are going well. Here is a sanitized diagram of the network. As you will see, not all locations have point-to-point links back to internet egress. We are planning to use SDA Transit LISP Pub/Sub. We would like to better understand the controls that LISP Pub/Sub provides us to control the egress to the internet in the case of failures. It has been challenging to find detailed info on Pub/Sub.

[Attached image: sanitized network diagram]

@bclounie, would Location 1 be an SD-Access site with a border and control plane, kind of acting as a head-end for the SD-Access Transit environment?

Cheers,
Scott Hodgdon

Senior Technical Marketing Engineer

Enterprise Networking and Cloud Group

Scott, Location 1 would be an SD-Access site with BN/CP. The thought was to have one Transit Control Node (C8300) located in DC1 and the second in DC2. Some further detail: DC1 would be a single site with dual BN/CP; this also applies to Location 1, Location 2, and Location 3. Location DC2 is large, with 8 buildings, each with their own distribution layer and 5 - 8 edge switches each. Given the size of the DC2 location, the plan was to have each building in DC2 be a fabric site with dual BN/CP.

@bclounie, do you have a proposed SDA design diagram as well, showing physical connectivity? Generally speaking, in SD-Access Transit environments with many sites we recommend a single SDA hub site that is the single point of exit from the SD-Access Transit environment. If there are exit points from other sites, things get a little more complicated.

As we have the ability to use border preference (with or without PubSub), you could designate one border as the primary and one as the secondary. Everything we do is flow-based in terms of load-balancing with ECMP, so a single flow should never be split between two separate DCs under normal operating conditions.

LISP PubSub has more to do with how we communicate between the borders, control planes and transit control planes within the fabric, and not about what happens outside the fabric environment.

Cheers,
Scott Hodgdon

Senior Technical Marketing Engineer

Enterprise Networking and Cloud Group

Scott, I am currently drawing the proposed SDA design. The customer will have two exit points. DC1 is the primary exit point. DC2 is the secondary exit. Given that, do we specify the primary border in DC1 and the secondary in DC2? Second question: do we place both TCPs in DC1?

@bclounie, TCPs just need IP connectivity, so they can be anywhere. I would recommend spreading them out to protect against connectivity issues to a single DC.

If you use LISP PubSub, then you can have up to 4 TCPs.

If you want all traffic to use DC1 as the primary exit point, then you can designate the Border in DC1 with a better priority and all traffic will flow that way unless that border becomes unavailable.

Once I see the proposed SD-Access architecture with SDA roles indicated, I will make any further comments as necessary.

Cheers,
Scott Hodgdon

Senior Technical Marketing Engineer

Enterprise Networking and Cloud Group