Solved

BGP or other? for link between two DCs (single-ISP each)

Posted on 2014-03-28
Medium Priority
262 Views
Last Modified: 2015-06-12
Hi, I am renting rack space in two datacenters for hosting customers' websites, and right now I have different customers hosted at each datacenter. I am getting IP allocations from my ISP and I use these for my customers' websites. I have a /26 at each location. There is only one ISP (the same one) in the two datacenters, and it has two upstream connections to Tier-1 providers.

I wanted to establish a high speed private link between my two sites, so I can have high-availability and failover for my services such as the customer portal. The datacenter offers a 1Gb fiber circuit between the two sites.

My only layer3 devices at each location are Palo Alto firewalls (PA3050) and I only have a single ethernet hand off from the ISP (100mbps) connection for my internet connectivity at each location.

Can I run BGP in this setup? Or is there a better approach to achieve what I am looking to do? I am attaching a basic diagram.

After getting the BGP (or other routing protocol) working between the two sites, will this be considered a "dual homed" setup? (This will also help me apply for ARIN address space because now I have to use IPs from my ISP)

Diagram
I read that these Palo Altos can only run around 46,000 routes so I am not sure if I can use them for this setup?

Thank you
Question by:sk391
11 Comments
 
LVL 26

Expert Comment

by:Soulja
ID: 39962025
What routing protocol are you running in each datacenter? I don't see a need for BGP, but OSPF would be a good option.
 
LVL 1

Author Comment

by:sk391
ID: 39962459
Right now it's quite simple, I just have around 10 VLANs and only one is the external VLAN which requires internet connectivity. Around 4 VMs are NATted to the public VLAN for HTTPS traffic.

So the "internet access" VLAN is just using the firewall's internal IP as its gateway, and the firewall's primary interface is configured with the /26. Only 3 VLANs are trunked to the firewall.

Both sites have the same setup.

How would I benefit with OSPF? Is there a "beginner's intro" to routing protocols? Mostly I come from a virtualization background.

Thank you!
 
LVL 26

Accepted Solution

by:
Soulja earned 2000 total points
ID: 39962475
Honestly, with that many VLANs, unless you plan to expand greatly, you could probably live with static routes and just put a /30 subnet between the datacenters to connect both Palo Altos.
 
LVL 1

Author Comment

by:sk391
ID: 39962489
Thanks, yes, this might make sense. I don't see us growing over 30 VLANs for a couple of years at least!

Can you elaborate a bit on the /30 with an example? Thank you
 
LVL 26

Expert Comment

by:Soulja
ID: 39963691
I am not clear on the circuit your ISP is offering between the datacenters, but essentially, you would just create a subnet between the Palo Alto firewalls, or the routers/switches that the ISP provided to connect the datacenters. Your traffic would route back and forth across this subnet for cross-datacenter traffic.
 
LVL 1

Author Comment

by:sk391
ID: 39963718
Thank you, and then I could create an HA virtual interface on this new /30 subnet, that my VLANs in both datacenters would use as their new primary gateway to the internet?

For example, if I had the below before:

datacenter 1 VLANs: primary internet gateway paloalto1 WAN interface
datacenter 2 VLANs: primary internet gateway paloalto2 WAN interface

now I would have

datacenter 1 VLANs: primary internet gateway paloalto1/2 virtual IP (on the /30 subnet)
datacenter 2 VLANs: primary internet gateway paloalto1/2 virtual IP (on the /30 subnet)

Does this make sense?
 
LVL 26

Expert Comment

by:Soulja
ID: 39963728
Eh, I may not be reading your comment correctly, but the cross-datacenter connection would only be for the datacenters to talk to one another. Now, if you have an internet connection in both datacenters, you could have failover for one to use the other datacenter's internet if the local internet fails. This is where you really want some dynamic routing, as it could get tedious with a lot of static routes.
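Added example, not written by either participant: the /30 link and static routes that Soulja describes above, plus the floating default route that gives one site's VLANs a way out through the other site's internet hand-off if its own goes down (the failover case in the comment just above). It is written in FRRouting/Cisco-style syntax rather than PAN-OS; the interface name, the 10.1.0.0/16 and 10.2.0.0/16 inside ranges, the 10.255.0.0/30 link and the RFC 5737 documentation prefixes standing in for the two ISP /26s are all assumed.

```text
! Added example (not from the thread): static routing over a /30 site-to-site link.
! Assumed addressing:
!   DC1 inside networks 10.1.0.0/16, DC2 inside networks 10.2.0.0/16
!   fiber link 10.255.0.0/30: DC1 side 10.255.0.1, DC2 side 10.255.0.2
!   DC1 ISP hand-off 192.0.2.0/26 (ISP gateway 192.0.2.62)
!   DC2 ISP hand-off 198.51.100.0/26 (ISP gateway 198.51.100.62)
!
! ===== DC1 firewall/router =====
interface eth-dci
 description 1G fiber to DC2
 ip address 10.255.0.1/30
!
! cross-datacenter traffic: DC2's inside ranges are reached over the fiber
ip route 10.2.0.0/16 10.255.0.2
! normal default route via the local ISP (default administrative distance 1)
ip route 0.0.0.0/0 192.0.2.62
! floating default via DC2: distance 200 keeps it out of the table until the
! primary default is withdrawn (ISP-facing interface down or path monitor failed)
ip route 0.0.0.0/0 10.255.0.2 200
!
! ===== DC2 firewall/router =====
interface eth-dci
 description 1G fiber to DC1
 ip address 10.255.0.2/30
!
ip route 10.1.0.0/16 10.255.0.1
ip route 0.0.0.0/0 198.51.100.62
ip route 0.0.0.0/0 10.255.0.1 200
```

Two things to check before relying on this. First, the floating route only takes over when the router itself sees the primary next hop disappear; a hand-off that stays up while the ISP behind it is dead needs path monitoring on the primary route, or the switch never happens. Second, this covers outbound and cross-site traffic only: a customer NATted to an address out of DC1's ISP-assigned /26 is still reachable from the internet only through DC1, because the ISP routes that /26 to DC1 alone, and outbound packets sourced from DC1's /26 that leave via DC2 may be dropped by the ISP's source-address filtering unless they are re-NATted at the DC2 edge. That is the single point of failure sk391 raises in the next comment, and the reason provider-independent space and BGP come up.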
 
LVL 1

Author Comment

by:sk391
ID: 39963790
Yes, that's exactly what I mean. However, since the site1 services use the public IPs assigned from the ISP of site1, I would need to get my own IPs and use those instead of my ISP's, to avoid a single point of failure.

So if the internet at site1 goes down, my services on site1 would continue to run, by using the internet connection of site2 (through the firewall link between the two datacenters)?
 
LVL 26

Expert Comment

by:Soulja
ID: 39964031
That is exactly what I am saying. But I am not referring to an ISP failure, more of a circuit or hardware failure that connects to your internet at each data center.
 
LVL 1

Author Comment

by:sk391
ID: 39971139
Thank you, so the solution would be:

1) Obtain an ASN and IP space (1x /24 to be divided into 2x /25, one for each location)

2) Configure the ASN on my site1 router/firewall with the first /25 network

3) Configure the ASN on my site2 router/firewall with the second /25 network

4) Configure my site1 router/firewall to communicate over iBGP with my site2 router/firewall (does this require a /30 or /31 for the private network?)

5) Configure my site1 router/firewall to communicate over eBGP with the site1 ISP router

6) Configure my site2 router/firewall to communicate over eBGP with the site2 ISP router

Does this seem right as a high-level plan? Any other steps I am missing?

Thank you
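Added example, not part of the thread: the six-step plan above expressed as FRRouting-style BGP configuration for the two edge routers/firewalls (the PA-3050s would carry the same sessions in PAN-OS syntax). Every value is assumed: own ASN 64512, ISP ASN 64496, ISP peering addresses 192.0.2.62 at DC1 and 198.51.100.62 at DC2, own block 203.0.113.0/24 with DC1 using 203.0.113.0/25 and DC2 using 203.0.113.128/25, and the iBGP session running over the existing 10.255.0.0/30 fiber link (a /31 also works on platforms that support RFC 3021 point-to-point addressing). One detail differs from step 1 as written: the /24 is announced whole from both sites, because transit providers and the global table generally do not accept prefixes longer than /24; the two /25s are carried only over the iBGP session so each site knows to reach the other's half across the fiber. The inbound prefix list accepts nothing but a default route from the ISP, which keeps the table far below the route limit raised in the question, and the outbound list lets nothing but the /24 leave.

```text
! Added example (not from the thread): FRRouting-style BGP for both sites.
! Assumed: own ASN 64512, ISP ASN 64496, own block 203.0.113.0/24
! (DC1 half 203.0.113.0/25, DC2 half 203.0.113.128/25),
! ISP peering addresses 192.0.2.62 (DC1) and 198.51.100.62 (DC2),
! iBGP over the fiber link 10.255.0.0/30 (DC1 .1, DC2 .2).
!
! ===== DC1 edge =====
! Blackhole anchors so the prefixes exist in the RIB and BGP can originate them
! (FRR checks the RIB by default); the connected DMZ subnets are more specific
! and win over the distance-250 blackhole for real traffic.
ip route 203.0.113.0/24 Null0 250
ip route 203.0.113.0/25 Null0 250
!
! accept only a default route from the ISP, announce only our aggregate
ip prefix-list FROM-ISP seq 5 permit 0.0.0.0/0
ip prefix-list TO-ISP seq 5 permit 203.0.113.0/24
!
router bgp 64512
 bgp router-id 10.255.0.1
 ! step 5: eBGP to the ISP's router at DC1
 neighbor 192.0.2.62 remote-as 64496
 neighbor 192.0.2.62 description ISP-DC1
 ! step 4: iBGP to DC2 over the /30
 neighbor 10.255.0.2 remote-as 64512
 neighbor 10.255.0.2 description DC2-IBGP
 !
 address-family ipv4 unicast
  ! the whole /24 is announced to the ISP from both sites
  network 203.0.113.0/24
  ! the local /25 reaches DC2 over iBGP only (TO-ISP drops it toward the ISP)
  network 203.0.113.0/25
  neighbor 192.0.2.62 prefix-list FROM-ISP in
  neighbor 192.0.2.62 prefix-list TO-ISP out
  ! rewrite next hop on routes passed to DC2, so DC2's backup default
  ! points at this router's link address rather than at the ISP's
  neighbor 10.255.0.2 next-hop-self
 exit-address-family
!
! ===== DC2 edge =====
ip route 203.0.113.0/24 Null0 250
ip route 203.0.113.128/25 Null0 250
!
ip prefix-list FROM-ISP seq 5 permit 0.0.0.0/0
ip prefix-list TO-ISP seq 5 permit 203.0.113.0/24
!
router bgp 64512
 bgp router-id 10.255.0.2
 ! step 6: eBGP to the ISP's router at DC2
 neighbor 198.51.100.62 remote-as 64496
 neighbor 198.51.100.62 description ISP-DC2
 ! step 4: iBGP to DC1 over the /30
 neighbor 10.255.0.1 remote-as 64512
 neighbor 10.255.0.1 description DC1-IBGP
 !
 address-family ipv4 unicast
  network 203.0.113.0/24
  network 203.0.113.128/25
  neighbor 198.51.100.62 prefix-list FROM-ISP in
  neighbor 198.51.100.62 prefix-list TO-ISP out
  neighbor 10.255.0.1 next-hop-self
 exit-address-family
```

How failover falls out of this: each site learns a default from its own ISP session (eBGP, preferred) and a second default from the other site over iBGP; if DC1's session to the ISP drops, DC1's edge falls back to the iBGP default via 10.255.0.2 and outbound traffic leaves through DC2, while inbound traffic for 203.0.113.0/25 arrives at DC2 and is forwarded across the fiber on the /25 learned over iBGP. Because the ISP sees the same /24 from two points, it may deliver traffic for either half to either site even when both sessions are up, so the fiber carries some inbound traffic in normal operation and the link between the edge firewalls must be allowed through policy in both directions. The firewall that merely transits such a flow sees only one direction of it; on a stateful firewall that is worth handling explicitly (on PAN-OS, the zone-protection asymmetric-path setting on the fiber-facing zone) rather than discovering it as dropped sessions.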
 
LVL 1

Author Comment

by:sk391
ID: 40007913
Can you confirm please so I can close the question?
