Hi All,
I'm worried that OTV might be a pain to troubleshoot. I think the easiest
solution would be to trunk 2 circuits together and pass the VLANs across.
I've done that before and it worked, not sure if there could be any STP
issues with that, it's just 2 circuits bound together as an EtherChannel.
Does anyone think OTV would have any extra troubleshooting benefits? Also,
it looks like the FWs will have to be active/standby per VLAN. There is no
magic way to have them both active as we would need an extra cable to keep
the NAT states in sync between the FWs. The problem being, my 2 data centres
are too far apart (10km) and would require additional cables, unless I use
an extra VLAN on the port-channel between the 2 sites.
Any thoughts appreciated.
Ta
Dinesh
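As an added illustration of the design described in the message above (example configuration written for this archive, not anything posted by Dinesh or the other participants): the two circuits bundled into a single LACP EtherChannel trunk, the data VLANs carried across it, and one extra VLAN reserved for the ASA failover/state link so that no separate cable is needed between the sites. Interface names, VLAN numbers and addresses are assumed; the ASA failover link has to be a physical port, which is why it lands on an access port in the reserved VLAN rather than on a subinterface.

```text
! DC1 edge switch (Cisco IOS, assumed platform): bundle the two circuits into
! one LACP EtherChannel and trunk the data VLANs plus a dedicated failover VLAN.
interface range GigabitEthernet1/1 - 2
 description Circuit to DC2 (one member per circuit)
 channel-group 1 mode active
!
interface Port-channel1
 description Inter-DC trunk
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,999
!
! VLAN 999 carries only the ASA failover/state traffic; keep it off every
! other trunk so heartbeat and state-sync traffic never shares a user VLAN.
vlan 999
 name ASA-FAILOVER
!
interface GigabitEthernet1/10
 description ASA-DC1 failover link
 switchport mode access
 switchport access vlan 999
 spanning-tree portfast
!
! Checks: the bundle is up with both members, and STP sees one loop-free
! topology for a data VLAN now that both sites are a single L2 domain.
show etherchannel 1 summary
show spanning-tree vlan 10
!
! ASA in DC1 (primary). The DC2 unit gets the same lines with
! "failover lan unit secondary". The same interface serves as LAN failover
! link and stateful link, so NAT/connection state replicates over VLAN 999.
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key <shared-secret-placeholder>
failover
!
! Confirm the pair is Active/Standby Ready and that state sync is flowing.
show failover
```

The DC2 switch mirrors the switch side with its own member ports in channel-group 1. Because the trunk merges both sites into one STP domain, `show spanning-tree vlan 10` on each side should agree on the root and show the port-channel forwarding, not blocked; a failover pair split across a 10 km link also depends on the latency of VLAN 999 staying within the limits Cisco documents for the failover link.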
On Thu, Aug 18, 2011 at 8:08 AM, Dan Shechter <danshtr_at_gmail.com> wrote:
> The heartbeat issue of all the vendors is no garden of roses!
>
> We can all blame it on the game theory. There is no 100% with any
> cluster technology.
>
> I had issues with both Checkpoint and ASA. Lately (past 3 years), both have
> been stable _enough_.
>
> Best regards,
> Dan
>
>
>
>
> On Thu, Aug 18, 2011 at 6:39 AM, Travis Niedens <niedentj_at_hotmail.com> wrote:
>
>> I've dealt with that Checkpoint heartbeat thing for years and hate it to
>> this day - the only stable deployment I have done was back to back
>> failover cable. I'd say migrate away from Checkpoint if you can ;)
>>
>> Travis
>>
>> -----Original Message-----
>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>> Dan Shechter
>> Sent: Wednesday, August 17, 2011 11:59 AM
>> To: Dinesh Patel
>> Cc: ccielab_at_groupstudy.com
>> Subject: Re: OTV or I could use L2TPv3 with pseudo wire or
>>
>> There are several things you need to consider:
>>
>> - OTV is a smart a#@. There are some types of traffic it will not pass
>> between DCs, like: Checkpoint MCAST heartbeats.
>> - You still want to use OTV, as it gives you more protections against L2
>> errors.
>> - Any stateful device will give you headache. It usually means that
>> only one device can be active at the same time on BOTH DCs, and you will see
>> lots of traffic between DCs.
>> - Lab your network. Don't skip it!
>>
>>
>> Just my 2 cents from OTV implementation with Checkpoint firewalls.
>>
>>
>> HTH,
>> Dan #13685 (RS/Sec/SP)
>> The CCIE troubleshooting blog: http://dans-net.com
>>
>>
>> On Wed, Aug 17, 2011 at 5:08 PM, Dinesh Patel
>> <jedidinesh_at_googlemail.com> wrote:
>>
>> > Hi Experts,
>> >
>> > While studying for my lab, I'd like some help on a high end scenario. I
>> > have 2 datacentres and I want to connect their LAN at layer 2 between
>> > both datacentres. Each data centre has an ASA firewall.
>> > 1) How can I extend the layer 2 network from datacentre 1 to
>> > datacentre 2 without spanning-tree loops. I was planning on using
>> > either Cisco's new protocol *OTV* or I could use *L2TPv3 pseudo wire*,
>> > *QinQ* trunks or I could just create a
>> > *port-channel* across the 2 datacentres and trunk the interfaces
>> > 2) How can I ensure that the stateful NAT entries are the same on
>> > both firewalls?
>> > Any help or suggestions on best practice of how to do this would be
>> > appreciated.
>> > Rgds
>> > Dinesh
>> >
>> >
>> > Blogs and organic groups at http://www.ccie.net
>> >
>> > ______________________________________________________________________
>> > _ Subscription information may be found at:
>> > http://www.groupstudy.com/list/CCIELab.html
Received on Thu Aug 18 2011 - 12:49:38 ART