Amir_Arama
Advisor

Cluster over different geo locations with different ISPs


Hello everyone.

I want to know what the best practice is for the following.

We are implementing "Live DR", so we are connecting the Main site with the DR site by Layer 2 in all internal VLANs, and the cluster FW will also have a 3rd and maybe a 4th member at the DR site. So the Internet/DMZ cluster will be in the Main site and in the DR site.

My question is about the ISPs' side / default route side.

What is the best practice here?

Do I have to have a Layer 2 line between the ISPs between sites (to my knowledge it's a must for the cluster), or can I use different ISPs, or the same ISPs but with different lines (and also different public IP subnets)?

And let's assume I have L2 between the ISPs between sites: what will happen if the internal Sync/other VLANs get disconnected between sites, and GWs become active together in the Main site and the DR site, so the ISP will see the same VIP alive in both sites, and it won't work?

How is it usually implemented?

I attached a drawing of the general architecture.
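A check for the failure mode raised in the question (both members active and answering for the same VIP after the Sync VLAN between sites is lost), added here as an example and not part of the thread: it scans ARP observations collected at both sites and flags a VIP answered by two different MACs within a short window, while letting a clean failover pass. It assumes members answer ARP with their own interface MAC rather than a shared virtual MAC; the log format, window and addresses are constructed.

```python
"""Split-brain check for a cluster VIP stretched over Layer 2 between sites.

Assumption: each member answers ARP for the VIP with its own MAC, so two
MACs answering for one VIP within a short window means two active members.
"""
import re
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=30)  # assumed: both owners seen within 30 s = conflict
# Constructed sample, one "<iso-timestamp> <site> <ip> is-at <mac>" line per observation
SAMPLE_ARP_LOG = """\
2024-01-01T10:00:00 main 198.51.100.10 is-at 00:1c:7f:00:00:01
2024-01-01T10:00:10 dr 198.51.100.10 is-at 00:1c:7f:00:00:01
2024-01-01T10:05:00 dr 198.51.100.10 is-at 00:1c:7f:00:00:02
2024-01-01T10:05:05 main 198.51.100.10 is-at 00:1c:7f:00:00:01
2024-01-01T10:05:07 dr 198.51.100.10 is-at 00:1c:7f:00:00:02
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) is-at (\S+)$")


def parse_arp_log(text):
    """Yield (timestamp, site, ip, mac) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, site, ip, mac = m.groups()
            yield datetime.fromisoformat(ts), site, ip, mac.lower()


def find_vip_conflicts(text, window=WINDOW):
    """Return [(ip, (mac_a, mac_b), first_seen_iso)] for VIPs with two live
    owners. A clean failover (new MAC appears, old one goes quiet) is not
    reported; a previous owner answering again while the current owner was
    seen within `window` is."""
    owner, last_seen = {}, {}  # ip -> current MAC; (ip, mac) -> last seen
    conflicts, reported = [], set()
    for ts, _site, ip, mac in sorted(parse_arp_log(text)):
        prev = owner.get(ip)
        if prev not in (None, mac) and (ip, mac) in last_seen:
            # Same VIP, different MAC, and that MAC owned it before: if the
            # current owner was also seen recently, both members are active.
            if ts - last_seen[(ip, prev)] <= window:
                pair = tuple(sorted((prev, mac)))
                if (ip, pair) not in reported:
                    reported.add((ip, pair))
                    conflicts.append((ip, pair, ts.isoformat()))
        owner[ip] = mac
        last_seen[(ip, mac)] = ts
    return conflicts
```

On the sample the first four observations are a normal takeover by the second member; the fifth line (the first member answering again five seconds later) is what gets reported.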


Accepted Solutions
Chris_Atkinson
Employee

Do you have your own ISP independent public IP addressing?

I would be using dynamic routing & routers / perhaps layer-3 switches external to the Firewall.

You are correct that regardless of the number of cluster members involved Layer-2 connectivity is required.

Redundant & diverse paths between sites are recommended in general for such a design.

Amir_Arama
Advisor

Hi

Yes, I have independent ISP IP addresses.

So you are saying to stretch Layer 2 between sites for the network between the external FW interface and routers/LinkProof-like devices.

And then use dynamic routing that will inject a default route into the FWs, so each FW can also use the other site's ISPs if its own are down.
