Add Cold DR to an existing environment


L2 Linker

Hello,

I have a Panorama that manages several clusters, each with a dedicated device-group and template.

For one of them my customer bought a single firewall as a Cold DR to put in a different DC.

Considering the following scenario:
- Cluster-Intranet (active/standby) with members Intranet01 and Intranet02

- the new DR's name will be IntranetDR

Before the activity there is no candidate config to push to the Cluster-Intranet. The steps to add the IntranetDR should be:
1. add the new device to Panorama
2. assign the device-group and template of the Cluster-Intranet to the new IntranetDR
3. Commit and Push the config in order to push the Intranet security rules, interfaces etc. to the new IntranetDR

 

The question is: in the Commit and Push popup will I see only a pending activity for the IntranetDR, or, since I am using the DG and template of the Cluster-Intranet, will the cluster also be involved in the push?
It's important because, if the push impacts the production cluster, the customer needs to know whether they can lose connectivity, and will ask us to add the IntranetDR during a maintenance window. If the IntranetDR is the only firewall that Panorama shows us, I will be able to do the activity whenever I want.

 

1 accepted solution

Accepted Solutions

Cyber Elite

When no changes are made to the configuration and you're simply replicating the config to the DR device, the prod cluster will not show in the commit, and no changes will be pushed to it.

The only thing you need to take care of is basic routing/L2: since you're pushing the same config, make sure they don't conflict at the network layer (and BGP, if you have that set up, so the DR doesn't suddenly steal the IPs from prod).

 

If the DR is fully separated, it is safe to push with no impact to the prod.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization


3 REPLIES


You are referring to the fact that the DR will get the same IP as the prod cluster, so potentially a duplicate address in the data center after the push, right?
Yes, the DR switches are in the classic "DR bubble", and for safety on the switch side all interfaces connected to the dataplane are admin down.

 

Yes, we have BGP up between the 3 VRs in the intranet FW, but as I said all interfaces on the switch side will be admin down, so no impact on the existing BGP on prod, right?

Cyber Elite

Be careful with admin-down interfaces when pushing the initial config, as the template may enable the interfaces (best to disable the interfaces on the switch side).

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
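The two checks discussed in this thread (which devices will actually be in the Commit and Push, and which addressed interfaces the shared template will bring up on the DR) can be done offline against two Panorama configuration exports, one taken before and one after the new serial was assigned to the device-group and template. The script below is an added example written for this page; it is not code from the thread, from the poster, or from Palo Alto Networks. It assumes the export uses the usual `/config/devices/entry[@name='localhost.localdomain']` layout, that a template lists its members under `<devices>` like a device-group does, and that the ethernet entry's admin state is its `<link-state>` element. The serials, device-group/template names and addresses are constructed for the example.

```python
"""Pre-push check for adding a cold-DR firewall to an existing Panorama
device-group and template (added example; assumptions are noted inline)."""
import copy
import xml.etree.ElementTree as ET

PAN = "./devices/entry[@name='localhost.localdomain']"  # Panorama's own node in an export

# Constructed excerpt of a Panorama export BEFORE the DR was assigned (serials are made up).
BEFORE_XML = """<config><devices><entry name="localhost.localdomain">
  <device-group><entry name="DG-Intranet">
    <devices><entry name="001901000001"/><entry name="001901000002"/></devices>
    <pre-rulebase><security><rules>
      <entry name="allow-intranet"><action>allow</action></entry>
    </rules></security></pre-rulebase>
  </entry></device-group>
  <template><entry name="TPL-Intranet">
    <devices><entry name="001901000001"/><entry name="001901000002"/></devices>
    <config><devices><entry name="localhost.localdomain"><network><interface><ethernet>
      <entry name="ethernet1/1"><layer3><ip><entry name="10.10.1.1/24"/></ip></layer3></entry>
      <entry name="ethernet1/2"><layer3><ip><entry name="10.10.2.1/24"/></ip></layer3>
        <link-state>down</link-state></entry>
      <entry name="ethernet1/3"><layer2/></entry>
    </ethernet></interface></network></entry></devices></config>
  </entry></template>
</entry></devices></config>"""

# AFTER: the only change is the DR serial added to the DG and template member lists.
AFTER_XML = BEFORE_XML.replace('<entry name="001901000002"/>',
                               '<entry name="001901000002"/><entry name="001901000003"/>')
# A second AFTER in which someone also edited an interface address in the template.
AFTER_CHANGED_XML = AFTER_XML.replace("10.10.2.1/24", "10.10.2.2/24")


def parse(xml_text):
    return ET.fromstring(xml_text)


def members(cfg, container, name):
    """Serials listed under <devices> of device-group or template `name`
    (assumption: templates carry a <devices> member list like device-groups)."""
    node = cfg.find(f"{PAN}/{container}/entry[@name='{name}']")
    return set() if node is None else {e.get("name") for e in node.findall("devices/entry")}


def _body(cfg, container, name):
    """Serialized DG/template with its member list stripped, for change detection."""
    node = cfg.find(f"{PAN}/{container}/entry[@name='{name}']")
    if node is None:
        return b""
    node = copy.deepcopy(node)
    devs = node.find("devices")
    if devs is not None:
        node.remove(devs)
    return ET.tostring(node)


def push_scope(before, after, dg, tpl):
    """Return (new serials, body_changed). When body_changed is False only the
    new serials are out of sync, so Commit and Push should list just those."""
    old = members(before, "device-group", dg) | members(before, "template", tpl)
    new = members(after, "device-group", dg) | members(after, "template", tpl)
    body_changed = (_body(before, "device-group", dg) != _body(after, "device-group", dg)
                    or _body(before, "template", tpl) != _body(after, "template", tpl))
    return sorted(new - old), body_changed


def template_l3_interfaces(cfg, tpl):
    """(interface, [addresses], link-state) for every addressed L3 ethernet
    interface; a missing <link-state> is treated as the default 'auto'."""
    path = (f"{PAN}/template/entry[@name='{tpl}']/config/devices/"
            f"entry[@name='localhost.localdomain']/network/interface/ethernet/entry")
    out = []
    for eth in cfg.findall(path):
        ips = [ip.get("name") for ip in eth.findall("layer3/ip/entry")]
        if ips:
            out.append((eth.get("name"), ips, eth.findtext("link-state", default="auto")))
    return out


def interfaces_that_will_come_up(cfg, tpl):
    """Addressed interfaces the template does not pin admin-down: on a DR that
    reuses prod's template these are the duplicate-IP / BGP-peer risks."""
    return [(n, ips) for n, ips, state in template_l3_interfaces(cfg, tpl) if state != "down"]


BEFORE_CFG, AFTER_CFG, AFTER_CHANGED_CFG = (parse(x) for x in (BEFORE_XML, AFTER_XML, AFTER_CHANGED_XML))

if __name__ == "__main__":
    new, changed = push_scope(BEFORE_CFG, AFTER_CFG, "DG-Intranet", "TPL-Intranet")
    print("devices to be pushed:", new, "| existing members touched:", changed)
    for name, ips in interfaces_that_will_come_up(AFTER_CFG, "TPL-Intranet"):
        print(f"WARNING {name} will come up on the DR with {ips}; keep the switch port down")
```

The script only reads exports and never talks to Panorama, so it can run before the maintenance decision is made. It does not resolve template variables; if the template addresses interfaces through `$variables` with per-device overrides, the reported addresses are the template defaults, not what the DR will receive.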