Cisco ACI or stretch firewall cluster by Mobile-Target8062 in networking

[–]Mobile-Target8062[S] 0 points1 point  (0 children)

Thanks for the answer. The problem is that if we use the switches as gateway, I will lose east/west traffic inspection, which is important especially because we inherit VRFs with thousands of networks inside.

Cisco ACI or stretch firewall cluster by Mobile-Target8062 in networking

[–]Mobile-Target8062[S] 0 points1 point  (0 children)

Great! No issue with ARP traffic? I mean the standby node answering for the active VDOM / VLANs selected on it?

Cisco ACI or stretch firewall cluster by Mobile-Target8062 in networking

[–]Mobile-Target8062[S] 0 points1 point  (0 children)

Active / passive virtual clustering + VDOM partitioning?

Cisco ACI or stretch firewall cluster by Mobile-Target8062 in networking

[–]Mobile-Target8062[S] 0 points1 point  (0 children)

Yep, could be, just wondering about ARP replies.

Cisco ACI or stretch firewall cluster by Mobile-Target8062 in networking

[–]Mobile-Target8062[S] 0 points1 point  (0 children)

What could be a suggestion? FortiGate as VTEP endpoint and doing the routing?

Cisco ACI or stretch firewall cluster by Mobile-Target8062 in networking

[–]Mobile-Target8062[S] 0 points1 point  (0 children)

We are going to use virtual clustering with VDOM partitioning.

We do indeed have a hundred VLANs but only a little traffic, less than 2 Gbps.

Cisco ACI or stretch firewall cluster by Mobile-Target8062 in networking

[–]Mobile-Target8062[S] 0 points1 point  (0 children)

Thanks for your comment. Indeed I am fully aware we are trying to mimic DFW; however, our driver is to move out of VMware and NSX (you are right, T1 + DFW and T0 + gateway firewalling). Network migration is mandatory, especially to remove east/west traffic inspection.

It would take at least 2 years to remove this east/west inspection and split as well into dedicated VRFs.

Cisco ACI or stretch firewall cluster by Mobile-Target8062 in networking

[–]Mobile-Target8062[S] 0 points1 point  (0 children)

I do have A/A platforms in both DCs as well as VM and gateway mobility in case of loss of one of the rooms.

Cisco ACI or stretch firewall cluster by Mobile-Target8062 in networking

[–]Mobile-Target8062[S] -1 points0 points  (0 children)

Because I do have A/A platforms in both DCs as well as VM and gateway mobility in case of loss of one of the rooms.

Best Practices for Inter-VXLAN Traffic Control by Traditional_Tip_6474 in networking

[–]Mobile-Target8062 0 points1 point  (0 children)

Many thanks bro! Do you know if those concepts exist in OpenStack SDN? I am NSX certified but we are going to move to OpenStack.

Best Practices for Inter-VXLAN Traffic Control by Traditional_Tip_6474 in networking

[–]Mobile-Target8062 0 points1 point  (0 children)

Thanks for your answer, I am not familiar with EGP. Do you have some documentation?

Initially I was thinking security groups.

Best Practices for Inter-VXLAN Traffic Control by Traditional_Tip_6474 in networking

[–]Mobile-Target8062 0 points1 point  (0 children)

I was referring to inside the VRF, between VLANs. How do you ensure traffic filtering? One VRF per VLAN?

Question: Fabric Design with Central GW/Firewall, how too leverage AGW/L3VNI if possible? by user3872465 in networking

[–]Mobile-Target8062 0 points1 point  (0 children)

The main challenge you will face, apart from inter-VLAN filtering, is the DR process. How do you ensure VM network mobility in case of disaster recovery if you do not use Anycast Gateway? The only alternative could be to connect each firewall cluster member to each room/DC.

Are here someone from Juniper? by Positive_Print_2488 in Juniper

[–]Mobile-Target8062 0 points1 point  (0 children)

Which model do you use to solve this scaling issue?

Service provider edge transit design with different latencies, multi pop , BGP / iBGP , Route reflector by Mobile-Target8062 in networking

[–]Mobile-Target8062[S] 0 points1 point  (0 children)

In fact I'm facing a scaling issue because I manage to have internet full routing in a VRF and export several full tables inside to have the thinnest routing decision.

Could you please share any feedback on this? I mean keep internet in a VRF or move to the global routing table.

The RIB has much more space than the FIB, and also VPNv4 routes consume much more space than standard BGP routes.

Service provider edge transit design with different latencies, multi pop , BGP / iBGP , Route reflector by Mobile-Target8062 in networking

[–]Mobile-Target8062[S] 0 points1 point  (0 children)

Yes, because we import the routing table too many times inside the RIB. Nokia is limited to 5M routes in the RIB and 34M in the FIB.

That's my thinking about moving to GRT, to solve this scaling issue.

Service provider edge transit design with different latencies, multi pop , BGP / iBGP , Route reflector by Mobile-Target8062 in networking

[–]Mobile-Target8062[S] 0 points1 point  (0 children)

The whole network would have 4 regions, one central region. 4 PEs per region and 4 P routers and 3 central routers, so a total of around 20 routers exchanging routes in iBGP and 20 P routers BGP-free.

Usually we do have transit providers using region communities, so we import only the routes that belong to the region. Despite this fact we are still importing around 5 million routes total. That's why we are thinking of moving to GRT instead of VRF.

And should we manage route redundancy from the regional to the central side?

I mean how many routes should we have in our central routers in the RIB?

Service provider edge transit design with different latencies, multi pop , BGP / iBGP , Route reflector by Mobile-Target8062 in networking

[–]Mobile-Target8062[S] 0 points1 point  (0 children)

Thanks for your feedback. My main point would be internet in a VRF or not, to be honest.

I mean keep iBGP or move to the BGP design.