Active/Standby Data Centre Network Design using GNS3/Virtualbox/JUNOS and Cisco – Part-2

In this section, I am going to add more configuration to the service provider network we built in Part-1. So let's begin.

Assume that, as an IP/MPLS service provider, we also host two data centres, dc-Karachi and dc-Lahore, at the provider's Karachi and Lahore locations. Both hosted DCs need to be connected to the MPLS network via the PE routers. These DCs may be VDCs or hosted environments, for example virtual firewalls, Nexus 1000v switches and virtual machines hosting the customer's databases, applications and web servers.

For simplicity, assume the service provider's Karachi data centre hosts the dc-Karachi VDC and the Lahore data centre hosts dc-Lahore. To reach each hosted data centre we have an aggregation switch, karais3 in Karachi and lahoris3 in Lahore, that connects the PE router (karair3/lahorir3) to the customer's physical firewall in the hosted data centre (karacf3/lahorcf3). We will create a trunk link between the PE router and the aggregation switch to carry the customer's VLAN, and connect the customer's hosted physical firewall to a port on the same switch carrying that VLAN.

So our network design would look like following:

Final Topology

Based on the above design, this tutorial focuses only on the following tasks:

  1. Add layer 3 VPN vpn12729 at karair3 and vpn12730 at lahorir3. The two VPNs will overlap (each VRF imports the other's route target), so between them they carry the data we need to replicate from the primary dc-Karachi to the secondary dc-Lahore. 
  2. Configure the aggregation switches karais3 and lahoris3.
  3. Configure the dc-Karachi ASAv firewall karacf3 and the dc-Lahore ASAv firewall lahorcf3 so that each can ping its PE router.

Task – 1:

Create a layer 3 VPN at each DC as follows. At lahorir3, create the layer 3 VPN named vpn12730:

I am creating vpn12730 on the lahorir3 PE router, using the IP connector block 10.144.253.120/29 in VLAN 101 to identify this VPN in the IP/MPLS core.

set groups vpn12730 interfaces em3 vlan-tagging
set groups vpn12730 interfaces em3 unit 101 description vpn=12730
set groups vpn12730 interfaces em3 unit 101 vlan-id 101
set groups vpn12730 interfaces em3 unit 101 family inet address 10.144.253.122/29
set groups vpn12730 interfaces em3 unit 101 family mpls
set groups vpn12730 policy-options policy-statement vpn12730-export-vrf term 0 then next term
set groups vpn12730 policy-options policy-statement vpn12730-export-vrf term 1 from protocol direct
set groups vpn12730 policy-options policy-statement vpn12730-export-vrf term 1 from protocol static
set groups vpn12730 policy-options policy-statement vpn12730-export-vrf term 1 from protocol bgp
set groups vpn12730 policy-options policy-statement vpn12730-export-vrf term 1 from interface em3.101
set groups vpn12730 policy-options policy-statement vpn12730-export-vrf term 1 then community add vpn12730
set groups vpn12730 policy-options policy-statement vpn12730-export-vrf term 1 then accept
set groups vpn12730 policy-options policy-statement vpn12730-import-vrf term 0 from protocol direct
set groups vpn12730 policy-options policy-statement vpn12730-import-vrf term 0 then preference 4
set groups vpn12730 policy-options policy-statement vpn12730-import-vrf term 1 from protocol direct
set groups vpn12730 policy-options policy-statement vpn12730-import-vrf term 1 from protocol static
set groups vpn12730 policy-options policy-statement vpn12730-import-vrf term 1 from protocol bgp
set groups vpn12730 policy-options policy-statement vpn12730-import-vrf term 1 from community vpn12729
set groups vpn12730 policy-options policy-statement vpn12730-import-vrf term 1 then accept
set groups vpn12730 policy-options community vpn12730 members target:65000:12730
set groups vpn12730 policy-options community vpn12729 members target:65000:12729
set groups vpn12730 routing-instances vpn12730 description vpn=12730
set groups vpn12730 routing-instances vpn12730 instance-type vrf
set groups vpn12730 routing-instances vpn12730 interface em3.101
set groups vpn12730 routing-instances vpn12730 route-distinguisher 65000:12730
set groups vpn12730 routing-instances vpn12730 vrf-import vpn12730-import-vrf
set groups vpn12730 routing-instances vpn12730 vrf-export vpn12730-export-vrf
set groups vpn12730 routing-instances vpn12730 vrf-table-label
set groups vpn12730 routing-instances vpn12730 routing-options static route 10.141.212.144/28 next-hop 10.144.253.124
set groups vpn12730 routing-instances vpn12730 routing-options auto-export
set apply-groups vpn12730

At karair3, create the layer 3 VPN named vpn12729:

I am creating vpn12729 on the karair3 PE router, using the IP connector block 10.144.213.88/29 in VLAN 100 to identify this VPN in the IP/MPLS core.

set groups vpn12729 interfaces em3 vlan-tagging
set groups vpn12729 interfaces em3 unit 100 description vpn-12729
set groups vpn12729 interfaces em3 unit 100 vlan-id 100
set groups vpn12729 interfaces em3 unit 100 family inet address 10.144.213.90/29
set groups vpn12729 interfaces em3 unit 100 family mpls
set groups vpn12729 policy-options policy-statement vpn12729-export-vrf term 0 then next term
set groups vpn12729 policy-options policy-statement vpn12729-export-vrf term 1 from protocol direct
set groups vpn12729 policy-options policy-statement vpn12729-export-vrf term 1 from protocol static
set groups vpn12729 policy-options policy-statement vpn12729-export-vrf term 1 from protocol bgp
set groups vpn12729 policy-options policy-statement vpn12729-export-vrf term 1 from interface em3.100
set groups vpn12729 policy-options policy-statement vpn12729-export-vrf term 1 then community add vpn12729
set groups vpn12729 policy-options policy-statement vpn12729-export-vrf term 1 then accept
set groups vpn12729 policy-options policy-statement vpn12729-import-vrf term 0 from protocol direct
set groups vpn12729 policy-options policy-statement vpn12729-import-vrf term 0 then preference 4
set groups vpn12729 policy-options policy-statement vpn12729-import-vrf term 1 from protocol direct
set groups vpn12729 policy-options policy-statement vpn12729-import-vrf term 1 from protocol static
set groups vpn12729 policy-options policy-statement vpn12729-import-vrf term 1 from protocol bgp
set groups vpn12729 policy-options policy-statement vpn12729-import-vrf term 1 from community vpn12730
set groups vpn12729 policy-options policy-statement vpn12729-import-vrf term 1 then accept
set groups vpn12729 policy-options community vpn12730 members target:65000:12730
set groups vpn12729 policy-options community vpn12729 members target:65000:12729
set groups vpn12729 routing-instances vpn12729 description vpn=12729
set groups vpn12729 routing-instances vpn12729 instance-type vrf
set groups vpn12729 routing-instances vpn12729 interface em3.100
set groups vpn12729 routing-instances vpn12729 route-distinguisher 65000:12729
set groups vpn12729 routing-instances vpn12729 vrf-import vpn12729-import-vrf
set groups vpn12729 routing-instances vpn12729 vrf-export vpn12729-export-vrf
set groups vpn12729 routing-instances vpn12729 vrf-table-label
set groups vpn12729 routing-instances vpn12729 routing-options static route 10.141.33.96/28 next-hop 10.144.213.92
set groups vpn12729 routing-instances vpn12729 routing-options auto-export
set apply-groups vpn12729
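It is easy to get the route-target overlap wrong when it is spread across two policies on two routers, so here is an added Python example (my own, not part of the original post and not a Juniper tool) that parses the subset of the set commands above that matter for the extranet and reports, per VRF, which route targets it exports and imports, whether it actually imports the peer VRF's target, whether it imports its own target, and whether family mpls is enabled on a CE-facing unit. The input strings are the page's own commands trimmed to those lines; the report layout and the names of the checks are assumptions of this example.

```python
# Subset of the page's set commands that the audit needs (input trimmed to those lines).
KARAIR3 = """
set groups vpn12729 interfaces em3 unit 100 family mpls
set groups vpn12729 policy-options policy-statement vpn12729-export-vrf term 0 then next term
set groups vpn12729 policy-options policy-statement vpn12729-export-vrf term 1 then community add vpn12729
set groups vpn12729 policy-options policy-statement vpn12729-export-vrf term 1 then accept
set groups vpn12729 policy-options policy-statement vpn12729-import-vrf term 1 from community vpn12730
set groups vpn12729 policy-options policy-statement vpn12729-import-vrf term 1 then accept
set groups vpn12729 policy-options community vpn12730 members target:65000:12730
set groups vpn12729 policy-options community vpn12729 members target:65000:12729
set groups vpn12729 routing-instances vpn12729 instance-type vrf
set groups vpn12729 routing-instances vpn12729 interface em3.100
set groups vpn12729 routing-instances vpn12729 route-distinguisher 65000:12729
set groups vpn12729 routing-instances vpn12729 vrf-import vpn12729-import-vrf
set groups vpn12729 routing-instances vpn12729 vrf-export vpn12729-export-vrf
"""
LAHORIR3 = """
set groups vpn12730 interfaces em3 unit 101 family mpls
set groups vpn12730 policy-options policy-statement vpn12730-export-vrf term 0 then next term
set groups vpn12730 policy-options policy-statement vpn12730-export-vrf term 1 then community add vpn12730
set groups vpn12730 policy-options policy-statement vpn12730-export-vrf term 1 then accept
set groups vpn12730 policy-options policy-statement vpn12730-import-vrf term 1 from community vpn12729
set groups vpn12730 policy-options policy-statement vpn12730-import-vrf term 1 then accept
set groups vpn12730 policy-options community vpn12730 members target:65000:12730
set groups vpn12730 policy-options community vpn12729 members target:65000:12729
set groups vpn12730 routing-instances vpn12730 instance-type vrf
set groups vpn12730 routing-instances vpn12730 interface em3.101
set groups vpn12730 routing-instances vpn12730 route-distinguisher 65000:12730
set groups vpn12730 routing-instances vpn12730 vrf-import vpn12730-import-vrf
set groups vpn12730 routing-instances vpn12730 vrf-export vpn12730-export-vrf
"""


def parse_set_commands(text):
    """Build a small model of a Junos config from 'set' lines; the 'groups <name>' prefix is dropped."""
    cfg = {"communities": {}, "vrfs": {}, "policies": {}, "mpls_units": set()}
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 4 or toks[0] != "set":
            continue
        toks = toks[3:] if toks[1] == "groups" else toks[1:]
        if toks[:2] == ["policy-options", "community"] and len(toks) >= 5 and toks[3] == "members":
            cfg["communities"][toks[2]] = toks[4]            # community name -> target:ASN:NN
        elif toks[:2] == ["policy-options", "policy-statement"] and len(toks) >= 5 and toks[3] == "term":
            terms = cfg["policies"].setdefault(toks[2], {})
            term = terms.setdefault(toks[4], {"from_comm": set(), "add_comm": set(), "accept": False})
            rest = toks[5:]
            if rest[:2] == ["from", "community"]:
                term["from_comm"].add(rest[2])                 # import: match on this community
            elif rest[:3] == ["then", "community", "add"]:
                term["add_comm"].add(rest[3])                  # export: tag routes with this community
            elif rest == ["then", "accept"]:
                term["accept"] = True
        elif toks[0] == "routing-instances":
            vrf = cfg["vrfs"].setdefault(toks[1], {"interfaces": []})
            if toks[2] == "interface":
                vrf["interfaces"].append(toks[3])
            elif toks[2] in ("instance-type", "route-distinguisher", "vrf-import", "vrf-export"):
                vrf[toks[2]] = toks[3]
        elif toks[0] == "interfaces" and toks[2:3] == ["unit"] and toks[4:6] == ["family", "mpls"]:
            cfg["mpls_units"].add(f"{toks[1]}.{toks[3]}")     # unit that accepts labelled frames
    return cfg


def policy_targets(cfg, policy, field):
    """Route targets a policy adds (export) or matches on (import) in terms that accept."""
    out = set()
    for term in cfg["policies"].get(policy, {}).values():
        if term["accept"]:
            out |= {cfg["communities"].get(name, name) for name in term[field]}
    return out


def audit_extranet(cfg_a, cfg_b):
    """Per VRF: exported/imported targets and whether the overlap with the peer PE actually works."""
    report = {}
    for cfg, peer in ((cfg_a, cfg_b), (cfg_b, cfg_a)):
        peer_exports = set()
        for pv in peer["vrfs"].values():
            peer_exports |= policy_targets(peer, pv.get("vrf-export", ""), "add_comm")
        for name, vrf in cfg["vrfs"].items():
            exported = policy_targets(cfg, vrf.get("vrf-export", ""), "add_comm")
            imported = policy_targets(cfg, vrf.get("vrf-import", ""), "from_comm")
            report[name] = {
                "exports": exported,
                "imports": imported,
                "overlap": imported & peer_exports,                     # targets learned from the peer
                "imports_own": bool(exported & imported),               # required if the VRF spans >1 PE
                "mpls_on_ce": sorted(set(vrf["interfaces"]) & cfg["mpls_units"]),  # labelled frames from CE
            }
    return report


if __name__ == "__main__":
    for vrf, result in audit_extranet(parse_set_commands(KARAIR3), parse_set_commands(LAHORIR3)).items():
        print(vrf, result)
```

Run against the two configurations it reports that each VRF imports exactly the other's target, that neither imports its own target (fine while each VRF lives on one PE only), and that both CE-facing units em3.100 and em3.101 have family mpls enabled, which is the one line a practitioner would want to drop before this leaves the lab.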

Since the vrf-import policy of each VRF accepts routes carrying the other VRF's route target (vpn12729 imports target:65000:12730 and vpn12730 imports target:65000:12729), the two VPNs overlap, and the routing tables of vpn12729 and vpn12730 should each contain the other's routes, including 10.141.33.96/28 behind the dc-Karachi firewall and 10.141.212.144/28 behind the dc-Lahore firewall.

Two caveats on the policies before this goes beyond the lab. Neither import policy accepts the VRF's own target; that is fine here because each VRF exists on a single PE, but if vpn12729 were ever added to a second PE its import policy would also have to match community vpn12729, or the two vpn12729 sites would not see each other. Also, family mpls on em3.100 and em3.101 is not needed for an IP-only PE-CE link and lets the PE accept MPLS-labelled frames from the customer side; it is normally left off CE-facing units so that a customer device cannot inject labelled packets into the core.

root@karair3> show route table vpn12729.inet.0 
vpn12729.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.141.33.96/28    *[Static/5] 00:17:34
                    > to 10.144.213.92 via em3.100
10.141.212.144/28  *[BGP/170] 00:16:56, localpref 100, from 2.2.2.2
                      AS path: I
                    > to 40.50.60.2 via em0.0, Push 16, Push 299792(top)
10.144.213.88/29   *[Direct/0] 00:17:34
                    > via em3.100
10.144.213.90/32   *[Local/0] 00:17:35
                      Local via em3.100
10.144.253.120/29  *[BGP/170] 00:16:56, localpref 100, from 2.2.2.2
                      AS path: I
                    > to 40.50.60.2 via em0.0, Push 16, Push 299792(top)
root@karair3>

root@lahorir3> show route table vpn12730.inet.0
vpn12730.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.141.33.96/28    *[BGP/170] 00:18:50, localpref 100, from 2.2.2.2
                      AS path: I
                    > to 10.20.30.2 via em1.0, Push 16, Push 299776(top)
10.141.212.144/28  *[Static/5] 00:19:21
                    > to 10.144.253.124 via em3.101
10.144.213.88/29   *[BGP/170] 00:18:50, localpref 100, from 2.2.2.2
                      AS path: I
                    > to 10.20.30.2 via em1.0, Push 16, Push 299776(top)
10.144.253.120/29  *[Direct/0] 00:19:21
                    > via em3.101
10.144.253.122/32  *[Local/0] 00:19:23
                      Local via em3.101
root@lahorir3>
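Reading the two tables by eye works for five prefixes; it does not scale and it does not catch a prefix that should not be there. Here is an added Python example (mine, not from the original post) that parses the show route output above and checks each VRF table against the design: the local prefixes must point at the CE-facing unit, the remote DC prefixes must arrive as labelled BGP routes over the core, and any other prefix is flagged as a possible leak beyond the two-VRF extranet. The expected prefix lists are my assumption from the addressing used in the post.

```python
import re

# 'show route table' output from the page, used as the sample input.
KARAIR3_VPN12729 = """
vpn12729.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.141.33.96/28    *[Static/5] 00:17:34
                    > to 10.144.213.92 via em3.100
10.141.212.144/28  *[BGP/170] 00:16:56, localpref 100, from 2.2.2.2
                      AS path: I
                    > to 40.50.60.2 via em0.0, Push 16, Push 299792(top)
10.144.213.88/29   *[Direct/0] 00:17:34
                    > via em3.100
10.144.213.90/32   *[Local/0] 00:17:35
                      Local via em3.100
10.144.253.120/29  *[BGP/170] 00:16:56, localpref 100, from 2.2.2.2
                      AS path: I
                    > to 40.50.60.2 via em0.0, Push 16, Push 299792(top)
"""
LAHORIR3_VPN12730 = """
vpn12730.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.141.33.96/28    *[BGP/170] 00:18:50, localpref 100, from 2.2.2.2
                      AS path: I
                    > to 10.20.30.2 via em1.0, Push 16, Push 299776(top)
10.141.212.144/28  *[Static/5] 00:19:21
                    > to 10.144.253.124 via em3.101
10.144.213.88/29   *[BGP/170] 00:18:50, localpref 100, from 2.2.2.2
                      AS path: I
                    > to 10.20.30.2 via em1.0, Push 16, Push 299776(top)
10.144.253.120/29  *[Direct/0] 00:19:21
                    > via em3.101
10.144.253.122/32  *[Local/0] 00:19:23
                      Local via em3.101
"""

# Expected contents of each VRF table (assumed from the addressing in the post).
KA_CE, KA_LOCAL = "em3.100", ["10.141.33.96/28", "10.144.213.88/29", "10.144.213.90/32"]
KA_REMOTE = ["10.141.212.144/28", "10.144.253.120/29"]
LA_CE, LA_LOCAL = "em3.101", ["10.141.212.144/28", "10.144.253.120/29", "10.144.253.122/32"]
LA_REMOTE = ["10.141.33.96/28", "10.144.213.88/29"]

ROUTE_RE = re.compile(r"^(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+\*\[(?P<proto>\w+)/(?P<pref>\d+)\]")
NH_RE = re.compile(r"^\s+(?:>\s+)?(?:to\s+(?P<nh>\S+)\s+)?(?:Local\s+)?via\s+(?P<iface>[^,\s]+)(?P<labels>.*)$")


def parse_show_route(text):
    """Map each active prefix to its protocol, preference, next hop, outgoing unit and pushed labels."""
    routes, current = {}, None
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            current = m.group("prefix")
            routes[current] = {"proto": m.group("proto"), "pref": int(m.group("pref")),
                               "next_hop": None, "iface": None, "labels": []}
            continue
        n = NH_RE.match(line)
        if n and current:
            routes[current]["next_hop"] = n.group("nh")
            routes[current]["iface"] = n.group("iface")
            routes[current]["labels"] = [int(x) for x in re.findall(r"Push\s+(\d+)", n.group("labels"))]
    return routes


def check_extranet_table(routes, ce_iface, local_prefixes, remote_prefixes):
    """Return the problems found in one VRF table; an empty list means it matches the design."""
    problems = []
    for p in local_prefixes:                       # DC-side prefixes must sit on the CE-facing unit
        r = routes.get(p)
        if r is None:
            problems.append(f"missing local prefix {p}")
        elif r["proto"] not in ("Static", "Direct", "Local") or r["iface"] != ce_iface:
            problems.append(f"{p} should be local via {ce_iface}, got {r['proto']} via {r['iface']}")
    for p in remote_prefixes:                      # peer-DC prefixes must come labelled over the core
        r = routes.get(p)
        if r is None:
            problems.append(f"missing remote prefix {p}")
        elif r["proto"] != "BGP" or not r["labels"]:
            problems.append(f"{p} should be a labelled BGP route, got {r['proto']} labels={r['labels']}")
    expected = set(local_prefixes) | set(remote_prefixes)
    for p in routes:                               # anything else should not be in this VRF at all
        if p not in expected:
            problems.append(f"unexpected prefix {p}: possible leak beyond the extranet")
    return problems


if __name__ == "__main__":
    print("karair3 vpn12729:", check_extranet_table(parse_show_route(KARAIR3_VPN12729), KA_CE, KA_LOCAL, KA_REMOTE))
    print("lahorir3 vpn12730:", check_extranet_table(parse_show_route(LAHORIR3_VPN12730), LA_CE, LA_LOCAL, LA_REMOTE))
```

Both tables come back clean. The useful part is the last loop: if a third customer's target ever found its way into one of these import policies, the foreign prefix would show up in the output as an "unexpected prefix" rather than being silently reachable from the DC firewall.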

So far we can see that both PE routers hold the routes of both vpn12729 and vpn12730. Let's move on to the next task.

Task -2:

Configure the aggregation switches karais3 and lahoris3 as follows. The configuration of karais3 is given below; the lahoris3 configuration is the same but, of course, uses VLAN 101.

!
interface FastEthernet1/0
description to_Firewall
switchport access vlan 100
no ip address
duplex full
speed 100
!
!
interface FastEthernet1/1
description to_PE
switchport mode trunk
no ip address
!

Two things to check on this switch. First, the trunk towards the PE carries every VLAN by default; restrict it to the customer's VLAN (switchport trunk allowed vlan 100) and keep the native VLAN unused, so a host on the firewall side cannot reach any other VLAN the PE may have on em3. Second, the firewall-facing port is an access port here, but the ASA configuration in Task 3 puts the address on an 802.1Q subinterface (vlan 100), which only receives tagged frames; either make FastEthernet1/0 a trunk carrying only VLAN 100, or configure the address on the ASA's physical GigabitEthernet0/0 instead, so that the two ends agree on tagging.
Task -3:

Configure the karacf3 firewall with IP address 10.144.213.92/29 to connect to vpn12729 at PE karair3, and the lahorcf3 firewall with IP address 10.144.253.124/29 to connect to vpn12730 at lahorir3. Both ASA firewalls are configured as follows:

karacf3#
!
interface GigabitEthernet0/0.100
 vlan 100
 nameif s2s
 security-level 100
 ip address 10.144.213.92 255.255.255.248 
!
lahorcf3#
!
interface GigabitEthernet0/0.101
 vlan 101
 nameif s2s
 security-level 100
 ip address 10.144.253.124 255.255.255.248 
!

I can ping the logical interface of the PE router from karacf3's IP 10.144.213.92 to its gateway 10.144.213.90 in vpn12729.

Similarly, the lahorcf3 firewall can ping from its IP address 10.144.253.124/29 to its gateway 10.144.253.122/29 in vpn12730.

Note that both firewalls give the provider-facing s2s interface security-level 100, the same trust as an inside interface. For a replication link that transits the provider's core, a lower security level together with explicit access lists permitting only the replication traffic between 10.141.33.96/28 and 10.141.212.144/28 is the usual choice; the overlapping VPN delivers the routes, but the firewalls are the only enforcement point between the two data centres.