[c-nsp] OER + asymmetric routing issues?

Nick Hilliard nick at foobar.org
Mon Mar 7 10:57:04 EST 2011


On 07/03/2011 15:06, Federico Cossu wrote:
> Sorry, to be true it's not so classical ;))
> Yes, that's what we are planning; we can avoid using pfr/oer keeping
> flows aligned in a simpler/manual way, but having pfr would be nice.
> The scenario with 2 fw chassis is well documented, when having only 2
> firewall chassis to be configured in an active/active inter-dc
> scenario. It is not yet decided, but we'll have 2 clusters, each one
> in a datacenter, where each datacenter will peer with a different
> internet isp.

Seriously, forget about flows being symmetric.  This is not how the 
internet works.  If you design your network like this, you will end up with 
horrible breakage.

Also, don't split up your firewall clusters between data centres.  This 
implies that you're also planning to split your layer 2 domains between 
different data centres, and this is not a good design point.  What happens 
if your network is partitioned in two?  You'll end up blackholing lots of 
traffic if there's a breakage in-between.

Bear in mind that complicated network configurations cause more reliability 
problems than simple ones.  There are two reasons for this: 1. more failure 
modes and 2. more difficult to understand, causing more pilot error.  If I 
were in your position, I would keep your internal firewalled zones inside 
each data centre, and not let them span the two. This will solve your 
symmetric routing concerns.

If you're worried about a data centre disappearing, then you should 
engineer your network differently (e.g. using DNS based load balancers, 
CDNs, etc).

Nick
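As an added illustration of the breakage Nick describes (this is not code from the mail thread): two independent stateful firewalls, one per data centre and ISP, with no shared state. A connection that enters through one firewall and whose reply leaves through the other is dropped, while keeping both directions inside one data centre passes. Addresses, port and firewall names are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for the first packet of a TCP connection

@dataclass
class StatefulFirewall:
    """Minimal stateful firewall with its own, unshared connection table."""
    name: str
    allowed_ports: frozenset = frozenset({443})  # inbound services permitted
    state: set = field(default_factory=set)

    def forward(self, pkt: Packet) -> bool:
        """Return True if the packet is forwarded, False if it is dropped."""
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.state:            # reply to a flow this box has seen
            return True
        if pkt.syn and pkt.dport in self.allowed_ports:
            self.state.add(flow)             # new permitted connection: create state
            return True
        return False                         # mid-stream packet with no state: dropped

# Constructed sample addresses (documentation ranges).
CLIENT, SERVER = "198.51.100.10", "203.0.113.20"

def run(inbound_fw: StatefulFirewall, return_fw: StatefulFirewall) -> tuple:
    """Client SYN enters via inbound_fw; the server's SYN-ACK leaves via return_fw."""
    syn = Packet(CLIENT, 40000, SERVER, 443, syn=True)
    syn_ack = Packet(SERVER, 443, CLIENT, 40000)
    return inbound_fw.forward(syn), return_fw.forward(syn_ack)

def asymmetric_across_dcs() -> tuple:
    """Inbound via ISP A / DC A, return via ISP B / DC B: reply is blackholed."""
    fw_a = StatefulFirewall("DC-A/ISP-A")
    fw_b = StatefulFirewall("DC-B/ISP-B")
    return run(fw_a, fw_b)   # (True, False)

def symmetric_within_dc() -> tuple:
    """Both directions through the same data centre's firewall: flow completes."""
    fw_a = StatefulFirewall("DC-A/ISP-A")
    return run(fw_a, fw_a)   # (True, True)
```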