Wired Intelligent Edge

  • 1.  VRRP Track for CX switch

    Posted Jan 16, 2025 11:04 PM

    Hi, 

    I have the following setup and have some queries about VRRP track. Unfortunately, there isn't much information in the document. 

    As seen in the diagram, I have 2 sites (A and B) with identical setup. ATOR-1, ATOR-2, BTOR-1 and BTOR-2 will have VRRP configured for the VLANs that are stretched across both sites. ATOR-1 will have the highest priority followed by ATOR-2, BTOR-1 and finally BTOR-2. On ATOR-1 and ATOR-2, I would like to track the interfaces in green so that if the firewall fails, it will reduce the priority and BTOR-1 will host the virtual IP of the respective Layer 3 VLAN interfaces. However, it seems like the feature 'track by' cannot be applied on interfaces that are members of a LAG or the LAG interface itself. 

    A logical diagram is attached below.

    While the return path from the servers to ATOR-1 can still route via Site B firewall, that would require routing convergence. I would prefer if tracking can take care of the firewall failure in Site A and let BTOR-1 become the gateway IP. But if this is not possible, then I suppose a longer delay is inevitable.

    Appreciate your thoughts. 

    Thanks.

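
The election logic behind the design in the post above, as an added example that is not code from the original thread or from any vendor: a small model of VRRP master election with tracked-object priority decrements. The switch names follow the post (ATOR-1, ATOR-2, BTOR-1, BTOR-2); the priorities, IP addresses, tracked-object labels and the decrement values are assumed for illustration. It shows two things a practitioner wants to check before relying on tracking for this failover: the decrement must push ATOR-1 strictly below BTOR-1 (an equal priority does not preempt a live master), and ATOR-2 must apply the same decrement, or ATOR-2 rather than BTOR-1 inherits the virtual IP.

```python
"""Model of VRRP master election with tracked-object priority decrements.

Added example; not code from the original post or from any vendor.
Switch names follow the post (ATOR-1, ATOR-2, BTOR-1, BTOR-2); priorities,
IP addresses, tracked-object labels and decrements are assumed values.
Election rule (RFC 5798): highest priority wins, ties go to the higher IP
address at initial election; a backup only takes the VIP from a live master
when its priority is strictly higher and preempt is enabled.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class VrrpRouter:
    name: str
    ip: str                      # VRRP interface address, used as tie-breaker
    priority: int                # configured priority, 1..254
    preempt: bool = True
    # tracked object label -> decrement applied while that object is down
    tracks: Dict[str, int] = field(default_factory=dict)

    def effective_priority(self, down: Set[str]) -> int:
        dec = sum(d for obj, d in self.tracks.items() if obj in down)
        # assumption: the decremented priority floors at 1, never 0
        return max(1, self.priority - dec)


def _ip_key(ip: str) -> Tuple[int, ...]:
    return tuple(int(octet) for octet in ip.split("."))


def elect_master(routers: List[VrrpRouter], down: Set[str],
                 current: Optional[VrrpRouter] = None) -> VrrpRouter:
    """Return the router holding the virtual IP given the set of down objects."""
    best = max(routers, key=lambda r: (r.effective_priority(down), _ip_key(r.ip)))
    if current is None or current not in routers:
        return best            # fresh election: priority, then higher IP wins
    if best is current:
        return current
    # a backup preempts a live master only with strictly higher priority
    # and preempt enabled; an equal priority leaves the current master in place
    if best.preempt and best.effective_priority(down) > current.effective_priority(down):
        return best
    return current


# assumed labels for the "green" uplinks from each ATOR to the Site A firewall
ATOR1_FW_UPLINK = "ATOR-1 uplink to FW-A"
ATOR2_FW_UPLINK = "ATOR-2 uplink to FW-A"
FW_A_FAILURE = {ATOR1_FW_UPLINK, ATOR2_FW_UPLINK}


def build_topology(decrement: int, track_ator2: bool = True) -> List[VrrpRouter]:
    """ATOR-1 (and optionally ATOR-2) track their FW-A uplink; BTORs track nothing."""
    return [
        VrrpRouter("ATOR-1", "10.0.10.2", 150, tracks={ATOR1_FW_UPLINK: decrement}),
        VrrpRouter("ATOR-2", "10.0.10.3", 140,
                   tracks={ATOR2_FW_UPLINK: decrement} if track_ator2 else {}),
        VrrpRouter("BTOR-1", "10.0.10.4", 130),
        VrrpRouter("BTOR-2", "10.0.10.5", 120),
    ]


def master_after_fw_a_failure(decrement: int, track_ator2: bool = True) -> str:
    """Which switch owns the VIP once FW-A dies, for a given tracking decrement."""
    routers = build_topology(decrement, track_ator2)
    steady = elect_master(routers, set())
    return elect_master(routers, FW_A_FAILURE, current=steady).name


def master_after_fw_a_recovery(decrement: int) -> str:
    """Which switch owns the VIP after FW-A fails and then comes back."""
    routers = build_topology(decrement)
    steady = elect_master(routers, set())
    failed = elect_master(routers, FW_A_FAILURE, current=steady)
    return elect_master(routers, set(), current=failed).name


def minimum_decrement_for_takeover(target: str = "BTOR-1") -> int:
    """Smallest decrement that moves the VIP to `target` when FW-A fails."""
    for dec in range(1, 255):
        if master_after_fw_a_failure(dec) == target:
            return dec
    raise ValueError(f"{target} can never win with these priorities")


if __name__ == "__main__":
    for dec in (10, 20, 21, 40):
        print(f"decrement {dec:3d}: FW-A down -> {master_after_fw_a_failure(dec)}, "
              f"FW-A back -> {master_after_fw_a_recovery(dec)}")
    print("FW-A down, only ATOR-1 tracking, decrement 40 ->",
          master_after_fw_a_failure(40, track_ator2=False))
    print("minimum decrement for BTOR-1 takeover:", minimum_decrement_for_takeover())
```

With the assumed priorities 150/140/130/120, a decrement of 20 leaves ATOR-1 tied with BTOR-1 and the VIP stays in Site A; 21 is the first value that moves it to BTOR-1, and once the Site A firewall returns ATOR-1 preempts the VIP back. The model does not cover the LAG restriction the post describes, only what the priority arithmetic has to look like if tracking can be applied.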


  • 2.  RE: VRRP Track for CX switch

    Posted Jan 17, 2025 02:00 AM

    Hi Simon


    There are multiple thoughts/questions that come up regarding your design:

    • Would active gateway (instead of VRRP) be an option for you? AG has the advantage of being active on all switches at the same time and therefore avoids the question of tracking etc.
    • Is my assumption correct that the networks labelled "DCN network A" and "DCN network A transit" in your logical diagram are equally good/performant? In other words: does it make a difference, if you have cross-site traffic, whether the traffic crosses in one or the other network? Or, expressed differently again: why would it make sense to have tracking on the first hop in your "DCN network X"? I assume the firewall has another redundant (VRRP?) interface and works in active/passive mode, so if the traffic is routed via the "wrong" TOR it will get redirected to the active firewall on the transit net.
    • Would the use of OSPF be an option for you? OSPF usually solves availability and fast convergence challenges quite well.


    Regards,

    Thomas






  • 3.  RE: VRRP Track for CX switch

    Posted Jan 19, 2025 06:06 PM

    Hi Thomas,

    Thanks for your reply. I had thought of and wanted to propose AG for ATOR-1&2 with AG1 and BTOR-1&2 with AG2, and have the servers/hosts/VMs in each site specify the respective AG as their DGW. But unfortunately, for now, the customer would like to use site B as failover so that if site A (or ATOR) fails, they can quickly restore the VMs in site B with the same IP. 

    About cross-site, yeah, that is another complication. There are other sites connected via the IPWAN, and site A is the preferred site for the DCN networks. Therefore, to keep things and routing consistent, the customer would like to treat site B as any other site, and therefore the route from the B network to the DCN network should traverse the IPWAN. That makes the routing on ATOR a little complex, as the path via FW-B to the B network would be shorter than the path via FW-A to the IPWAN.

    I will be using OSPF between both sites at the DCN switches. 

    Thanks for your suggestion. I appreciate it. 

    Regards,

    Simon