  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 268

BGP or other? for link between two DCs (single-ISP each)

Hi, I am renting rack space in two datacenters for hosting customers' websites, and right now I have different customers hosted at each datacenter. I am getting IP allocations from my ISP and I use these for my customers' websites. I have a /26 at each location. There is only one ISP (the same one) in the two datacenters, and it has two upstream connections to Tier-1 providers.

I wanted to establish a high speed private link between my two sites, so I can have high-availability and failover for my services such as the customer portal. The datacenter offers a 1Gb fiber circuit between the two sites.

My only layer-3 devices at each location are Palo Alto firewalls (PA3050), and I only have a single Ethernet hand-off from the ISP (100 Mbps) for my internet connectivity at each location.

Can I run BGP in this setup? Or is there a better approach to achieve what I am looking to do? I am attaching a basic diagram.

After getting the BGP (or other routing protocol) working between the two sites, will this be considered a "dual homed" setup? (This will also help me apply for ARIN address space because now I have to use IPs from my ISP)

Diagram
I read that these Palo Altos can only hold around 46,000 routes, so I am not sure if I can use them for this setup?

Thank you
1 Solution
 
Soulja commented:
What routing protocol are you running in each datacenter? I don't see a need for BGP, but OSPF would be a good option.
0
 
sk391 (Author) commented:
Right now it's quite simple, I just have around 10 VLANs and only one is the external VLAN which requires internet connectivity. Around 4 VMs are NATted to the public VLAN for HTTPS traffic.

So the "internet access" VLAN is just using the firewall's internal IP as its gateway, and the firewall's primary interface is configured with the /26. Only 3 VLANs are trunked to the firewall.

Both sites have the same setup.

How would I benefit from OSPF? Is there a "beginners' intro" to routing protocols? Mostly I come from a virtualization background.

Thank you!
0
 
Soulja commented:
Honestly, with that many VLANs, unless you plan to expand greatly, you could probably live with static routes and just put a /30 subnet between the datacenters to connect both Palo Altos.
0
 
sk391 (Author) commented:
Thanks, yes, this might make sense. I don't see us growing over 30 VLANs for a couple of years at least!

Can you elaborate a bit on the /30 with an example? Thank you.
0
 
Soulja commented:
I am not clear on the circuit your ISP is offering between the datacenters, but essentially you would just create a subnet between the Palo Alto firewalls, or the routers/switches that the ISP provided to connect the datacenters. Your traffic would route back and forth across this subnet for cross-datacenter traffic.
0
 
sk391 (Author) commented:
Thank you, and then I could create an HA virtual interface on this new /30 subnet, that my VLANs in both datacenters would use as their new primary gateway to the internet?

For example, if I had the below before:

datacenter 1 VLANs: primary internet gateway paloalto1 WAN interface
datacenter 2 VLANs: primary internet gateway paloalto2 WAN interface

now I would have:

datacenter 1 VLANs: primary internet gateway paloalto1/2 virtual IP (on the /30 subnet)
datacenter 2 VLANs: primary internet gateway paloalto1/2 virtual IP (on the /30 subnet)

Does this make sense?
0
 
Soulja commented:
Eh, I may not be reading your comment correctly, but the cross-datacenter connection would only be for the datacenters to talk to one another. Now, if you have an internet connection in both datacenters, you could have failover for one to use the other datacenter's internet if the local internet fails. This is where you really want some dynamic routing, as it could get tedious with a lot of static routes.
0
 
sk391 (Author) commented:
Yes, that's exactly what I mean. However, since the site1 services use the public IPs assigned from the ISP of site1, I would need to get my own IPs and use those instead of my ISP's, to avoid a single point of failure.

So if the internet at site1 goes down, my services on site1 would continue to run, by using the internet connection of site2 (through the firewall link between the two datacenters)?
0
 
Soulja commented:
That is exactly what I am saying. But I am not referring to an ISP failure, more of a circuit or hardware failure that connects to your internet at each data center.
0
 
sk391 (Author) commented:
Thank you. So the solution would be:

1) obtain ASN and IP space (1x /24 to be divided to 2x /25, one for each location)

2) configure the ASN on my site1 router/firewall with the first /25 network

3) configure the ASN on my site2 router/firewall with the second /25 network

4) configure my site1 router/firewall to communicate over iBGP with my site2 router/firewall (does this require a /30 or /31 for the private network?)

5) configure my site1 router/firewall -> communicate over eBGP with site1 ISP router

6) configure my site2 router/firewall -> communicate over eBGP with site2 ISP router

Does this seem right as a high-level plan? Any other steps I am missing?

Thank you
0
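To make the failover behaviour of this plan concrete, here is an added example (not from the thread or from either poster) that models how the Internet would route to each site's /25 under the eBGP/iBGP design above. It assumes, as an added design choice not stated in the thread, that each site announces the whole /24 to its ISP in addition to its own /25 (upstreams generally will not accept a bare /25, and the /24 gives the other site a backup path); the addresses are constructed placeholders from the documentation range.

```python
import ipaddress

# Constructed address plan following the thread: one /24 split into two /25s.
# 203.0.113.0/24 is a documentation range standing in for a real ARIN allocation.
AGGREGATE = ipaddress.ip_network("203.0.113.0/24")
SITE_PREFIX = {
    "site1": ipaddress.ip_network("203.0.113.0/25"),
    "site2": ipaddress.ip_network("203.0.113.128/25"),
}

def advertised_routes(isp_link_up):
    """Routes the Internet learns via eBGP. Each site whose ISP link is up
    announces the /24 (backup path for the other site) plus its own /25
    (preferred for its own hosts because it is more specific). Assumed design."""
    routes = {}
    for site, up in isp_link_up.items():
        if not up:
            continue  # eBGP session down: that site's announcements are withdrawn
        routes.setdefault(AGGREGATE, []).append(site)
        routes[SITE_PREFIX[site]] = [site]
    return routes

def entry_site(dst, isp_link_up):
    """Longest-prefix match: at which site's ISP link does traffic for dst arrive?"""
    dst = ipaddress.ip_address(dst)
    routes = advertised_routes(isp_link_up)
    matches = [net for net in routes if dst in net]
    if not matches:
        return None  # both ISP links down: the prefix is unreachable
    best = max(matches, key=lambda net: net.prefixlen)
    return routes[best][0]

def forwarding_path(dst, isp_link_up):
    """Hops from the ISP edge to the host. If traffic enters at the other site,
    it crosses the private inter-DC link (the iBGP /30 or /31 in the thread)."""
    home = next(s for s, net in SITE_PREFIX.items() if ipaddress.ip_address(dst) in net)
    entry = entry_site(dst, isp_link_up)
    if entry is None:
        return []
    return [entry] if entry == home else [entry, "inter-dc-link", home]

if __name__ == "__main__":
    print(forwarding_path("203.0.113.10", {"site1": True, "site2": True}))
    print(forwarding_path("203.0.113.10", {"site1": False, "site2": True}))
```

With both links up, site1 hosts are reached directly at site1; with site1's eBGP down, the same hosts are reached via site2's ISP link and then over the inter-DC link, which is the failover the thread describes.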
 
sk391 (Author) commented:
Can you confirm please, so I can close the question?
0
