General technical discussions.
User avatar
Dinger
Post Whore
Posts:
1397
Joined:
Fri Apr 25, 2008 2:16 pm
Certs:
CCNP, CCNA:Sec, MCSE

ever seen a colo/datacenter setup like this before?

Tue Nov 27, 2012 9:48 am

My company is currently opening a second co-locatation for our servers; right now we have 9 racks in a data center in Florida, and are getting 7 racks at a data center in Chicago. At the current DC, we get two copper ethernet hand-offs, delivered from redundant switches. These handoffs go to the 'outside' interface on my firewalls; they can ping each other, life is good.

At the new DC, same setup, two copper handoffs, going to the Outside interface on my firewalls. Kinda odd, I notice that the firewalls aren't forming a failover pair, complaining about the Outside interface. Turns out, they *can't* ping each other's external IP, even though they are in the same subnet. They can't even ARP for each other. They can both ping the default gateway, which is a VRRP address. They can both reach the Internet.

So I call up the provider, and they say this is normal; while they give us two connections, and redundancy via VRRP, the two VRRP routers don't talk to each other unless they talk "though" our equipment (split-brain, each router thinks it is VRRP Master). Meaning, I have to either put another switch on the 'outside' of my firewalls, and have both firewalls and both uplinks in that new switch (or do it with a VLAN). This seems rather odd to me, but this is a much larger colo than in Florida.

Is this normal? The guy on the phone said they do it this way to eliminate spanning tree.
"A problem well stated is a problem half solved". (Charles Kettering)

bertschs
Senior Member
Posts:
311
Joined:
Sun Apr 17, 2011 7:06 pm

Re: ever seen a colo/datacenter setup like this before?

Tue Nov 27, 2012 1:23 pm

It's fairly common.

Some providers will do two L3 ports, some will do two L2 ports, and some will support both configs.

Of the ones doing L2, some will just turn it on and let it rip (*shudder*). Some will put some controls in place, e.g. separate STP instance, root guard, storm control, policers, etc. (*slightly less shudder*).

Doing redundant L2 to a customer certainly doesn't give me the warm fuzzies. As soon as you get one that enables bpdufilter on their switches, you'll have a packet accelerator. If you do L2, you need to also think about how you will contain the forwarding loop to just that customer if/when it does happen.

You will also need to think about what the impact will be when the resulting storm of VRRP hits your control plane.

'

Return to General Tech

Who is online

Users browsing this forum: Majestic-12 [Bot] and 11 guests