
Switches required at DR site?

I am planning networking equipment for a DR site that will be connected via a Metro Ethernet connection. My primary site setup has a Cisco ASA router between the ISP and my Layer 3 core switch. All of my Layer 2 edge switches (representing different VLANs) connect to my Layer 3 core switch through a 10 Gb backbone. I would assume that because of the Metro Ethernet connection I can connect the DR site as just another Layer 2 edge switch. In the event of a disaster (one that destroys my main site and network) I will be running all of my VMs from the DR site. The DR site will have a similar setup with a Cisco ASA connected to my ISP, and users will be VPNing through the ASA to access the VMs.

If I lose the connection to the main campus, do I need a Layer 3 switch at the DR site, or will a Layer 2 do the trick? I'm thinking that the DR Layer 2 switch would need to have the VLANs required for the servers (both the physical hosts and the VMs) and the VLANs required for the Internet traffic to/from the ISP. Would all of my traffic be able to get to where it needs to go? Can I configure the default route on the switch to go to the ASA?

Thanks for any help!
1 Solution
I wouldn't use your ASA as a router.

The preferred method would be to have a Layer 3 switch.
You don't need a Layer 3 switch at site 2; however, I would suggest using one. For the cost difference you then get the option to have more VLANs and/or apply other routing at a later stage, plus spanning out more Layer 2 switches.

A Metro Ethernet will work as a LAN extension, i.e. Layer 2. You can run a single LAN or multiple VLANs over it if you like; however, if using separate VTP domains (VLAN domains) at each end, then you would need to manage which VLANs you wish to allow across the link.
If you only have a Layer 2 switch at site 2, then you will effectively have either only one LAN (VLAN), or, on the loss of site 1, no routing to any other VLANs on site 2 and no access to the VMs anyway.

Remember a Layer 3 switch is a Layer 2 switch, but it routes as well (hence Layer 3); you don't have to use any routing initially.

I personally would mirror site 1 with a core routing Layer 3 switch and Layer 2 switches 'dangling' off that. This may seem more complicated to start with, but in the long run it gives greater flexibility and scalability, plus a better setup site should you have to use it in anger as DR and move PCs, IP phones etc. over to it. Again, you can start with just the one Layer 3 switch to begin with, but get the foundations right and the rest becomes easy.
If you use L2, you should be able to use VRRP between the two ASAs for the default gateway, so that when the main site blows up, the servers will go out via the DR ASA.

However, with an L3 switch and routing in the DR site (as in main) you will have to use another protocol; for example a default route in BGP or OSPF, depending on what your switches (and ASA) support.

Streck (Author) commented:
kzin_xxxx, thank you for your response.

I think that you and I see how the DR site should be set up similarly. Follow-up question.

Is there any problem with having a core Layer 3 doing routing at the DR site and my core Layer 3 doing routing at my primary site (these two being connected over Metro E)? It seems to me that it should work like you said. I could mirror my DR site to my primary site with the ASA and core routing switch configs. In theory, that should handle my incoming/outgoing Internet traffic through the ASA to the different VLANs on the core switch (primarily for VPN purposes). It would also allow traffic to flow between sites over the Metro E connection with the DR core switch and the primary core switch.
Streck (Author) commented:
I posted a follow-up question. Hopefully, I will get a response from this expert. Thanks for your help!
Hi Streck,

There should be no problem whatsoever routing at both sites (usual caveat of using different, non-overlapping scopes). Doing it like that is simply routing it across rather than switching it across, and like you say, it allows a better point from which to monitor traffic.

Again, personally I think routing across is the better option: more like two independent sites, which happen to be linked allowing access to each other's resources. It also allows you to set up Access Control Lists should you want to.

To do this simply (I like that word!), connect the two sites over a single VLAN which is on both core routers (you could use a /30 for this), and forward the relevant site scopes to the DR site. The DR site simply uses the site 1 core as a default route; the site 1 core will then pass on traffic to either internal servers/resources or the Internet as normal.

Mind you, only forward to scope ranges which exist, otherwise you can end up with routing loops ;-)

DR wise, if site 1 totally went, all you would need is a new FW and Internet link at site 2, and you're pretty much back in the game.

Your next problem then becomes whether or not to mirror the servers, and which ones (think DHCP)....

One other thing, just to over-complicate things, but to show what can be done: you could both switch and route, that is to say route as described above, but also trunk the Metro Ethernet link ports and pass other VLANs too, and at site 2 just have matching un-routed VLANs. That way you can have a bit of both. I'd not recommend that until you can 'get your head around it' though...
Streck (Author) commented:
kzin_xxxx, another spot-on answer.

I have attached a diagram of how I expect the network to look. If I am understanding your post correctly, this should work. I would set up the DR Layer 3 for routing but only pass the relevant VLANs, as I will have no client PCs at the DR site. I only need what is needed for the VM hosts and the associated VMs. Do you see a problem with this?
Hi Streck,

OK, looking at the diagram, I'm not quite sure what's going on from it!

It looks like you have all the switch management on one VLAN, but are routing different VLANs/scopes at each end. This will work if the link circuit has two VLANs: one for the switch management, un-routed at the site 2 end, and one for all other traffic transfer, routed at both ends. If site 1 or the link fails, you won't be able to access the site 2 switches. You could of course use HSRP across as a failover on that VLAN interface.

Alternatively, use one VLAN across the link for all traffic transfer, routed at both ends, and create a new IP scope and management VLAN for the switches at site 2 (in fact all VLANs should be different IP scopes on site 2, except obviously the site link).

The latter is the less complex solution.
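The routed design kzin_xxxx describes in the two answers above (a single /30 transit VLAN between the two cores, the DR core defaulting to the site 1 core, site 1 forwarding only the scopes that actually exist at site 2, and a separate management scope at site 2 so the DR switches stay reachable when site 1 or the link is gone) as an added Cisco IOS configuration sketch. This is not from the thread or from either site's real configuration; every VLAN number, interface and address in it is constructed, and the tracked/floating default route for the DR ASA is an added detail the thread does not spell out.

```cisco
! ===== Site 1 core (Layer 3 switch) =====
! Added example, not from the thread. All VLAN IDs, ports and addresses are constructed.
ip routing
!
! Transit VLAN carried over the Metro Ethernet circuit; a /30 holds just the two cores.
vlan 999
 name SITE-LINK
interface Vlan999
 description Transit to DR core over Metro-E
 ip address 10.255.255.1 255.255.255.252
!
! Metro-E hand-off: carry only the transit VLAN across the link.
interface GigabitEthernet1/0/48
 description Metro-E to site 2
 switchport mode trunk
 switchport trunk allowed vlan 999
 switchport nonegotiate
!
! Forward ONLY the scopes that exist at site 2. A summary covering unused space
! would bounce between the two default routes: the routing loop the thread warns about.
ip route 10.2.120.0 255.255.255.0 10.255.255.2
ip route 10.2.199.0 255.255.255.0 10.255.255.2
! Everything else (Internet) goes to the site 1 ASA inside address (assumed 10.1.1.1).
ip route 0.0.0.0 0.0.0.0 10.1.1.1

! ===== Site 2 core (Layer 3 switch at the DR site) =====
ip routing
!
vlan 110
 name FIREWALL-DR
vlan 120
 name SERVERS-DR
vlan 199
 name MGMT-DR
vlan 999
 name SITE-LINK
!
! Site 2 uses its own IP scopes; only the transit VLAN is shared with site 1.
interface Vlan110
 description Inside leg of the DR ASA (ASA assumed at 10.2.110.1)
 ip address 10.2.110.2 255.255.255.0
interface Vlan120
 description VM hosts and VMs
 ip address 10.2.120.1 255.255.255.0
interface Vlan199
 description Switch management, local to site 2
 ip address 10.2.199.1 255.255.255.0
interface Vlan999
 description Transit to site 1 core
 ip address 10.255.255.2 255.255.255.252
 ip access-group FROM-SITE1 in
!
interface GigabitEthernet1/0/48
 description Metro-E to site 1
 switchport mode trunk
 switchport trunk allowed vlan 999
 switchport nonegotiate
!
! Optional ACL on the transit SVI: only the (assumed) site 1 management scope may
! reach the DR management scope; all other inter-site traffic passes unchanged.
ip access-list extended FROM-SITE1
 permit ip 10.1.199.0 0.0.0.255 10.2.199.0 0.0.0.255
 deny   ip any 10.2.199.0 0.0.0.255 log
 permit ip any any
!
! Normal operation: default to the site 1 core, which forwards to its own servers or its ASA.
! The route is tied to a reachability track so it is withdrawn when site 1 stops answering,
! even if the carrier keeps the local Metro-E port up.
ip sla 1
 icmp-echo 10.255.255.1 source-interface Vlan999
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
ip route 0.0.0.0 0.0.0.0 10.255.255.1 track 1
!
! DR operation: floating default (admin distance 250) to the DR ASA that takes over when
! the tracked route disappears, so VPN users arriving at the DR ASA can reach the VMs.
ip route 0.0.0.0 0.0.0.0 10.2.110.1 250
```

The static routes are the simplest reading of the thread; the earlier answer's suggestion of carrying a default in OSPF or BGP would replace the two `ip route` lines on the site 2 core and the per-scope statics on site 1, but the rule about advertising only scopes that exist still applies. Until the DR ASA and its Internet link are in place, the floating route has nowhere to send traffic and can be left out.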
