Back to back vpc or VXLAN for DCI?

rohandec1980
Level 1

Hi All,

A customer has 2 data centres with an active firewall in one DC and a standby firewall in the second DC. The firewall connects to the internet through a pair of Nexus 9ks in vPC. The firewall connects to the WAN routers through a separate pair of Nexus 9ks in vPC.

There is a WAN router in each DC and an Internet router in each DC.

We need to extend a layer 2 section between the firewall and the WAN layer so that the firewall can build a routing neighborship with both WAN routers.

We need to extend a layer 2 section between the firewall and the Internet layer so that the firewall can build a routing neighborship with both Internet routers.

How can I extend layer 2 between the two DCs? Would a back-to-back vPC be a better option, or VXLAN?

If using back-to-back vPC between the DCs and using 2 links, how does loop prevention work?

Please find a pic of the sample topology that I am looking for.

As shown, I need to extend the Internet connection between [Nexus9k-1, Nexus9k-2, Nexus 9k-5, Nexus9k-6], so that I can run HSRP between the firewall and run a static route.

I need to extend the WAN connection between [Nexus9k-3, Nexus9k-4, Nexus 9k-7, Nexus9k-6] so that the WAN routers can run a routing protocol with the active firewall.

Regards

Rohan

5 Replies

Hello,

How are both data centers currently connected?

Hi Georg,

These are not connected at the moment; they are not sharing the Internet and WAN links. I am looking for options to connect them.

Regards

Dattaram

ngkin2010
Level 7
Hi,

It depends on whether the DC is active-active or active-passive. Imagine your VXLAN tunnel / vPC circuits are down: you will run into a dual-active situation. Please review the impact analysis for the dual-active scenario:
- Duplicated subnet in both DCs; will it cause any service interruption?
- Any duplicated public address subnet at both DCs' edge; will it cause any service interruption?
- Either DC will communicate with its own gateway and DC2 is just a passive site, so no interruption during the dual-active scenario?

With the impact analysis, you will know how important the L2 cross-site connectivity is.

In my opinion, the availability/reliability of a VXLAN tunnel is less than that of 2x point-to-point circuits. So, I would prefer the latter option if you don't want the dual-active scenario.

For loop prevention, you could either bundle the circuits with LACP, or simply RSTP will work too.
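As an added illustration of the "bundle the circuits with LACP" option (example config, not from the thread or from Cisco documentation): one side of a back-to-back vPC DCI on NX-OS, where both cross-site circuits land in a single LACP port-channel that the vPC pair presents as one logical link, so the second circuit is not a parallel L2 path for STP to block. Domain ID, interface names, VLAN and keepalive addresses are constructed placeholders.

```text
! Nexus9k-1 (DC1), one member of the vPC pair facing the DCI.
! Nexus9k-2 carries the mirror-image config with its own keepalive source.
feature vpc
feature lacp

vpc domain 10
  peer-keepalive destination 192.0.2.2 source 192.0.2.1 vrf management
  peer-switch
  peer-gateway

! vPC peer-link between Nexus9k-1 and Nexus9k-2
interface port-channel 1
  switchport mode trunk
  spanning-tree port type network
  vpc peer-link

! DCI port-channel: both cross-site circuits are one LACP bundle, and
! vPC 20 stretches that bundle across the pair. To the remote vPC pair
! (Nexus9k-5/6) this is a single logical link, so no L2 loop is formed
! by adding the second circuit. STP stays enabled on VLAN 100 as a
! safety net in case the bundle is ever mis-cabled.
interface port-channel 20
  description DCI to DC2 (back-to-back vPC)
  switchport mode trunk
  switchport trunk allowed vlan 100
  vpc 20

! One physical DCI circuit on this switch; Nexus9k-2 has the other one
! in the same channel-group number.
interface Ethernet1/49
  description DCI circuit 1 to Nexus9k-5
  switchport mode trunk
  switchport trunk allowed vlan 100
  channel-group 20 mode active
```

The remote pair (Nexus9k-5/6) needs the matching vPC and port-channel on its side; keeping the DCI trunk restricted to the extended VLAN limits how far a fault or flood on one site can propagate.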

Thanks ngkin,

The data centres are in an active-passive fashion. The split-active case will be taken care of by network advertisements: BGP running from the WAN routers to the WAN and from the Internet routers to the internet, to make sure the active data centre is preferred.

The problem with point-to-point is, how can I extend the single circuit to the vPC devices? And what about a single point of failure when the device terminating the DCI fails?

Regards

Rohan

Hi,

Do you mean you have only a single cross-site circuit? I think you should have at least two to deal with the single point of failure.

BTW, please see if you find this document useful.

Ref: https://www.cisco.com/c/en/us/support/docs/switches/nexus-7000-series-switches/118934-configure-nx7k-00.html
