Forum Discussion

jfh_142817
Feb 03, 2014

Data Center Failover

Hi, I am looking for some advice on the following. I have two data centers with F5s in both. The data centers are connected/routed across 2 x 10G links using a dynamic routing protocol. They are going to be active/standby for now with web farms and FTP farms. The LTMs are set up as follows: traffic comes in via internet > edge routers > external FWs' public IP(s), NATted to external VIP(s) on the F5. Server pools are sitting behind another layer of internal FWs and so are not using the LTMs as default gateway but the internal firewalls. All traffic is routed via firewalls and all addressing behind the ext FWs is RFC1918. If we wanted to go down the road of advertising our /24 public prefixes from both locations, what would be my best and cleanest option for making this work? For example, we lose both internet connections in DC1 and we wish to allow DC1 servers to use DC2 internet and vice versa?

Thanks

8 Replies

  • If you are running BGP with your ISPs, I'd suggest you advertise networks as follows:

    Data center 1: DC1 server routes advertise as normal, DC2 servers prepend the AS an extra time.

    Data center 2: DC2 server routes advertise as normal, DC1 servers prepend the AS an extra time.

    This setup will ensure traffic for DC1 prefers its local ISP if the links are up, but will use DC2's ISP if not, and vice versa.

    If you need assistance building the router configs, just give me a shout.

  • Thanks for your reply Cory, and that will definitely take care of the WAN portion; however, I think the main issues are regarding what happens from a firewall/F5 perspective. Once you go advertising a prefix out of another location there are routing/NAT considerations. E.g. I advertise the DC1 prefix out of DC2. DC1 servers have default routing via DC1 firewalls, VIP on the local LTM, and exit to the internet via DC1 links/static routing. In the case of, say, DC1 links being down, what are the best options for getting the traffic in and out of DC2? I will need src/dest NATs, to make sure prefixes are advertised across the inter-DC links, or a combination of both maybe. I was also considering the option of a WAN backbone, connecting the internet edge routers to the core switches and running some kind of traffic separation (VRFs etc.); that way traffic would stay on the same stateful devices, and if DC1 links were down it would route as normal through the firewalls but exit at DC2.

  • So the NAT that you are doing on your external firewalls: are you just doing destination NAT or also source NAT? If both, then the solution can be fairly easy. Just advertise the private NAT address space across the tunnel between sites so the firewalls know to push the traffic across to the other site to route back out to the Internet.

    If just destination NAT, then you may need some kind of conditional route advertisement from your external router to your firewall. The logic of which would be: if the BGP session with your ISP is up on your router (receiving a default route or some other monitored route), then advertise the default route to your firewall. Do you already have a routing protocol set up between your router and firewall by chance?

  • I am only doing static NAT currently, so F5 VIP (private) NATted to public IP (object on the external firewall).

    • Cory_50405: Does the F5 see the real address of the client or a NAT address on the firewall?

  • It sees the real address. So, e.g., a client on the internet 1. connects to the public address on the ext firewall, 2. the FW NATs to the VIP on the F5 (the VIP pool is the external network on the F5s), 3. the F5 routes the connection to the pool / real server IP which is hanging off the internal firewalls. We use the firewalls to do all our routing in the DCs.

    Hope this makes sense.

  • Yes, makes sense. Destination NAT but not source NAT.

    So one way to do this, as I mentioned above, is to do conditional route advertisement. If you don't already have it, set up BGP between your external router and external firewall. You'll need to conditionally advertise a default route from your router to your firewall as long as your router is receiving the default from its ISP peer. You'll also need to have some kind of routing protocol configured on your external firewalls between your data centers to handle default route advertisement across the tunnel if the local ISP is unreachable.
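As an added example that is not Cory's or the poster's configuration, this is how the two suggestions in the thread could look together on the DC2 edge router in IOS-style syntax: the first reply's extra AS-path prepend on DC1's prefix toward the ISP, and the last reply's conditional default route toward the external firewall (the DC1 router gets the mirror image). The AS numbers, prefixes, peer addresses and the ISP "beacon" route are all placeholders.

```text
! ---- DC2 edge router, IOS-style syntax (constructed example) ----
! Placeholders: local AS 64512, ISP AS 64496, DC2 prefix 203.0.113.0/24,
! DC1 prefix 198.51.100.0/24, ISP peer 192.0.2.1, firewall peer 10.255.0.2,
! ISP beacon 192.0.2.0/24 (a route that is only ever learned from the ISP).
!
! 1) Prefix definitions
ip prefix-list DC1-NET    seq 5 permit 198.51.100.0/24
ip prefix-list ISP-BEACON seq 5 permit 192.0.2.0/24
!
! 2) Toward the ISP: DC2's own /24 goes out as normal, DC1's /24 is
!    prepended once so the internet prefers DC1's own links while up.
route-map TO-ISP permit 10
 match ip address prefix-list DC1-NET
 set as-path prepend 64512
route-map TO-ISP permit 20
!
! 3) Toward the firewall: originate a default route only while the
!    ISP-learned beacon route is present in the routing table.
route-map HAVE-ISP permit 10
 match ip address prefix-list ISP-BEACON
!
router bgp 64512
 ! eBGP to the DC2 ISP
 neighbor 192.0.2.1 remote-as 64496
 neighbor 192.0.2.1 route-map TO-ISP out
 ! iBGP to the DC2 external firewall. When the ISP session drops the
 ! beacon disappears, the default is withdrawn, and the firewall falls
 ! back to the default it learns from the DC1 firewall over the
 ! inter-DC links (the second routing protocol Cory mentions).
 neighbor 10.255.0.2 remote-as 64512
 neighbor 10.255.0.2 default-originate route-map HAVE-ISP
 ! Both /24s must already be in the routing table for 'network' to
 ! originate them; DC1's arrives via the inter-DC dynamic routing.
 network 203.0.113.0 mask 255.255.255.0
 network 198.51.100.0 mask 255.255.255.0
```

Matching a specific ISP-learned beacon rather than 0.0.0.0/0 itself avoids the case where a locally held default route keeps the conditional advertisement alive after the ISP session has gone down.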