Configuring a port for a dedicated WAN link.

L0 Member

I recently ordered a 1GBPS dedicated fiber connection between my primary site and DR site.  The ISP doesn't assign me an IP address or anything and says it is just a layer 2 connection.  So I am a bit confused on how to configure my PA 3020s (one at each location).  I have installed an SFP module from PA into each side but they are not coming up.  I am certain it is going to be a configuration issue.  My first thought was I would need to set the two ports as layer 3 ports on the same VLAN and give each a separate internal IP.  At this point I should be able to ping between the two interfaces over the dedicated WAN connection.  Then I would just have to configure a route at each PA to direct the appropriate traffic over the WAN link.  Is this the right line of thought?

 

Sincerely,

 

Confused IT guy.

Accepted Solutions

L7 Applicator

Welcome to metro ethernet.  You seem to have the concept down well.  When we provision this type of service you can think of it as if we gave you a giant ethernet cord to plug between two devices of your choice.

 

In a datacenter environment like this, there are two common approaches you could use.

 

As you mention, make this a simple routed link between the two sites and assign a /30 or /31 to the link.  On the Palo Alto you can put this into its own virtual router and this will give you the maximum flexibility to use routing protocols to direct traffic either between the two sites or out other circuits.  The downside to this is designing and managing this traffic.

 

The other approach is to allow your data center VLANs for all your services to span both sites.  In this case you would connect a beefy switch trunk port layer 2 with all your VLANs.  Now your servers and services can split between the two sites and be in the same broadcast domain.  This makes setting up VMware clusters and v-motion between sites much easier.  This can also make your application teams' DR setups simpler.  The downside to this arrangement is that spanning tree and layer 2 issues could now take out both sites.  And if application teams and VMware admins are not careful they can fill the link, creating performance issues.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
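
A sketch of the routed-link approach from the answer above, as PAN-OS configure-mode commands for the primary-site firewall. This is an added example, not part of the original thread. It assumes a single-vsys firewall with an existing virtual router named `default`; the interface `ethernet1/13`, the link subnet `10.255.255.0/30`, the site prefixes `10.10.0.0/16` (primary) and `10.20.0.0/16` (DR), and the names `vr-dr-link`, `dr-link` and `wan-ping` are all constructed placeholders.

```text
# Lines starting with "#" are annotations for the reader, not commands to paste.
# Every name, interface number and address below is a constructed placeholder.

# Layer 3 interface on the SFP port facing the carrier hand-off.
# Primary site takes .1 of the /30; the DR-site firewall takes .2.
set network interface ethernet ethernet1/13 layer3 ip 10.255.255.1/30

# Permit ping on the link interface only, so the far end can test reachability.
set network profiles interface-management-profile wan-ping ping yes
set network interface ethernet ethernet1/13 layer3 interface-management-profile wan-ping

# Dedicated virtual router and a dedicated zone for the inter-site link.
set network virtual-router vr-dr-link interface ethernet1/13
set zone dr-link network layer3 ethernet1/13

# Inside vr-dr-link: reach the DR prefix via the far end of the link,
# and hand traffic for the local prefix back to the existing virtual router.
set network virtual-router vr-dr-link routing-table ip static-route to-dr-site destination 10.20.0.0/16
set network virtual-router vr-dr-link routing-table ip static-route to-dr-site interface ethernet1/13
set network virtual-router vr-dr-link routing-table ip static-route to-dr-site nexthop ip-address 10.255.255.2
set network virtual-router vr-dr-link routing-table ip static-route to-local destination 10.10.0.0/16
set network virtual-router vr-dr-link routing-table ip static-route to-local nexthop next-vr default

# Inside the existing virtual router: send DR-bound traffic to vr-dr-link.
set network virtual-router default routing-table ip static-route to-dr-site destination 10.20.0.0/16
set network virtual-router default routing-table ip static-route to-dr-site nexthop next-vr vr-dr-link
```

The DR-site firewall mirrors this with `10.255.255.2/30` on its interface and the two site prefixes swapped. Traffic between the internal zone and `dr-link` is interzone traffic, so it also needs a security policy rule on each firewall that allows only the flows intended to cross the link.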
