Migrating to multi-vsys environment

L1 Bithead

We recently decided to migrate to a multi-vsys environment for two of our data centers.  The main reason for this is the shared gateway feature.  We are starting to do a lot of disaster recovery planning, and need a segmented environment (with overlapping IPs), that can also share the internet connectivity.  We were just using virtual routers to segment, but that didn't give us the internet connectivity.


So... that being said, I've started my research and testing, and have some concerns/questions:


#1 - Regarding the shared gateway - most of the examples online that I see reference a simpler architecture with a basic internet connection.  We have multiple internet connections, and use BGP for routing.  Are there any special considerations here around this design?  And in general, BGP... any docs or KB articles anyone is familiar with around this?


#2 - I've read that all of your NAT rules need to exist in the shared gateway, is this accurate?  Just curious if anyone has designed this differently.


#3 - We have a few (not many) policy-based forwarding rules that we would actually use to send a particular type of traffic to a particular internet circuit.  But now with all internet connectivity being in the shared gateway, would my PBFs just point to the shared gateway?  Seems like I lose the granularity of picking a specific circuit.  Or should I be setting up multiple shared gateways?


Overall I like the concept of the shared gateway, but I think this would be much easier to accomplish all of this in a greenfield environment.  I've got two active data centers that will be getting migrated, and trying to avoid any "gotchas" if you know what I mean.


Thanks.

1 REPLY

Cyber Elite

1. The shared gateway is indeed a very simplified way of providing internet access to multiple VSYS (MSP model). BGP will work, but getting anything 'fancy' to work may be a pain.

2. Yes, you've offloaded internet access to the SGW, so all NAT (that is related to the internet) needs to happen there.

3. You do indeed lose granular control in favor of a shared gateway.


In most cases I've used just another vsys instead of a shared gateway to accomplish what you're trying to set up. It allows for more control in exchange for a little more configuration.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
  • 539 Views
  • 1 replies
  • 0 Likes
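Points 2 and 3 of the reply above (internet NAT has to live in the shared gateway, and per-vsys PBF rules that picked a specific circuit no longer apply once the circuits belong to the SGW) translate into a concrete pre-migration check: every NAT or PBF rule still sitting in a vsys rulebase whose egress interface is about to be imported into the shared gateway is a rule that will have to be rebuilt there. The script below is an added example written for this page, not code from the thread or from Palo Alto Networks. It parses a constructed, simplified XML export; the element paths it uses (`shared-gateway/entry/import/network/interface/member`, `devices/entry/vsys/entry/rulebase/nat/rules/entry/to-interface`, and the PBF `action/forward/egress-interface` path) follow the general shape of a PAN-OS config export but are assumptions and should be checked against your own `show config running` XML before relying on the output.

```python
"""Pre-migration lint for a PAN-OS config that is moving to a shared gateway.

Added example, not from the forum thread. It reads an (assumed, simplified)
PAN-OS XML export and flags NAT and PBF rules that still live in a vsys
rulebase but egress through an interface that a shared gateway will own.
After migration those rules no longer apply to the SGW-owned interface and
must be rebuilt in the shared gateway's own rulebase.
"""
import xml.etree.ElementTree as ET

# Constructed sample config. The element paths follow the general shape of a
# PAN-OS XML export (vsys entries under devices/entry/vsys, a top-level
# shared-gateway entry) but are simplified; treat them as assumptions.
SAMPLE_CONFIG = """<config>
  <shared-gateway>
    <entry name="sg1">
      <import><network><interface>
        <member>ethernet1/1</member>
        <member>ethernet1/2</member>
      </interface></network></import>
    </entry>
  </shared-gateway>
  <devices><entry name="localhost.localdomain"><vsys>
    <entry name="vsys1">
      <rulebase>
        <nat><rules>
          <entry name="outbound-isp-a">
            <to-interface>ethernet1/1</to-interface>
          </entry>
          <entry name="dmz-to-inside">
            <to-interface>ethernet1/5</to-interface>
          </entry>
        </rules></nat>
        <pbf><rules>
          <entry name="voip-via-isp-b">
            <action><forward><egress-interface>ethernet1/2</egress-interface></forward></action>
          </entry>
          <entry name="backup-to-dc2">
            <action><forward><egress-interface>ethernet1/6</egress-interface></forward></action>
          </entry>
        </rules></pbf>
      </rulebase>
    </entry>
    <entry name="vsys2">
      <rulebase>
        <nat><rules>
          <entry name="vsys2-outbound">
            <to-interface>ethernet1/1</to-interface>
          </entry>
        </rules></nat>
      </rulebase>
    </entry>
  </vsys></entry></devices>
</config>
"""


def shared_gateway_interfaces(root):
    """Return {gateway_name: set(interface names)} imported into each shared gateway."""
    gws = {}
    for gw in root.findall("./shared-gateway/entry"):
        members = gw.findall("./import/network/interface/member")
        gws[gw.get("name")] = {m.text.strip() for m in members if m.text}
    return gws


def _text(node):
    """Stripped text of an optional element, or None when it is absent/empty."""
    return node.text.strip() if node is not None and node.text else None


def find_migration_issues(xml_text):
    """Return a sorted list of (vsys, rule_type, rule_name, interface, gateway)
    for every vsys NAT or PBF rule whose egress interface a shared gateway owns.
    Rules that egress through interfaces the vsys keeps are left alone."""
    root = ET.fromstring(xml_text)
    owner = {}  # interface name -> shared gateway that imports it
    for gw, ifaces in shared_gateway_interfaces(root).items():
        for iface in ifaces:
            owner[iface] = gw
    issues = []
    for vsys in root.findall("./devices/entry/vsys/entry"):
        vname = vsys.get("name")
        for rule in vsys.findall("./rulebase/nat/rules/entry"):
            iface = _text(rule.find("./to-interface"))
            if iface in owner:
                issues.append((vname, "nat", rule.get("name"), iface, owner[iface]))
        for rule in vsys.findall("./rulebase/pbf/rules/entry"):
            iface = _text(rule.find("./action/forward/egress-interface"))
            if iface in owner:
                issues.append((vname, "pbf", rule.get("name"), iface, owner[iface]))
    return sorted(issues)


if __name__ == "__main__":
    for vname, kind, rule, iface, gw in find_migration_issues(SAMPLE_CONFIG):
        print(f"{vname}: {kind} rule '{rule}' egresses via {iface}, owned by {gw}; rebuild it in {gw}")
```

On the constructed config this reports three rules: two NAT rules (one per vsys) and one PBF rule, all egressing through interfaces imported into `sg1`. The DMZ NAT rule and the DC-to-DC PBF rule stay untouched because their interfaces remain in the vsys. Run it against a real export (`show config running` saved as XML) after adjusting the paths, and treat each hit as a rule to recreate in the shared gateway rulebase, or, per the reply above, as an argument for using an additional vsys instead so the rules can stay where they are.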