[c-nsp] OER + asymmetric routing issues?
Nick Hilliard
nick at foobar.org
Mon Mar 7 10:57:04 EST 2011
On 07/03/2011 15:06, Federico Cossu wrote:
> sorry, to be true it's not so classical ;))
> yes that's what we are planning, we can avoid using pfr/oer keeping
> flows aligned in a simpler/manual way, but having pfr would be nice.
> The scenario with 2 fw chassis is well documented, when having only 2
> firewall chassis to be configured in an active/active inter-dc
> scenario. it is not yet decided, but we'll have 2 clusters each one
> into a datacenter where each datacenter will peer with a different
> internet isp.
Seriously, forget about flows being symmetric. This is not how the
internet works. If you design your network like this, you will end up with
horrible breakage.
Also, don't split up your firewall clusters between data centres. This
implies that you're also planning to split your layer 2 domains between
different data centres, and this is not a good design point. What happens
if your network is partitioned in two? You'll end up blackholing lots of
traffic if there's a breakage in-between.
Bear in mind that complicated network configurations cause more reliability
problems than simple ones. There are two reasons for this: 1. more failure
modes and 2. more difficult to understand, causing more pilot error. If I
were in your position, I would keep your internal firewalled zones inside
each data centre, and not let them span the two. This will solve your
symmetric routing concerns.
If you're worried about a data centre disappearing, then you should
engineer your network differently (e.g. using DNS based load balancers,
CDNs, etc).
Nick
More information about the cisco-nsp
mailing list