Have you ever been asked to use a layer-2 Data Center Interconnect to implement distributed active-active firewalls, supposedly solving all the L3 issues and the asymmetrical traffic flow over stateful firewalls at the same time? Don't be surprised; a year ago I was foolish enough to draw the following diagram illustrating a sample use of VPLS services.
The solution seems ideal: both WAN routers would advertise the same IP prefix to the outside world, attract the customer traffic and pass it through the closest firewall. The inside routers would take care of proper traffic distribution, and the return traffic would follow the shortest path toward the WAN cloud. The active-active firewalls would exchange flow information, solving the asymmetrical flow problems.
Now ask yourself: what happens when the DCI link fails? Some of the inbound traffic will arrive at the wrong edge router and get dropped, and the firewalls will go into split-brain mode. You'll obviously experience problems in both data centers.
We typically use pairs of devices in redundant configurations to improve the overall system availability. I am not an expert in high availability calculations, but one of the hidden assumptions in designs where the devices have to exchange state information is that the non-redundant component needs to be as reliable as the devices themselves.
In a stretched subnet design the weakest link of the whole system is the data center interconnect; more often than not, stretched subnets would decrease the overall availability of the system.
A reliable layer-3 solution is not much easier to design. A while ago I was involved in a redesign of a global network. The customer had a very knowledgeable networking team and we tried hard to find a redundant data center design that would allow them to advertise a single L3 prefix from both data centers. We even reached the point where we had a working design that would survive all kinds of failures, but it got too complex for the customer.
Unless you believe in the miracles of TCP-based anycasting, it seems the best option you have to implement distributed data centers is still the time-proven design used by web content providers with excellent track record like Google: DNS-based load balancing between data centers together with data-center-specific summary-as-a-backup prefix advertising into BGP.
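The following model, added here and not part of the original post, contrasts the two designs above: a stretched subnet whose delivery depends on the DCI, versus per-data-center prefixes with a less specific summary advertised as a backup. Prefixes, data center names and path costs are constructed example values, and BGP path selection is reduced to longest prefix match followed by lowest cost.

```python
"""Toy model of inbound traffic delivery for the two designs discussed above.
All prefixes, DC names and costs are constructed example values."""
from ipaddress import ip_address, ip_network

def best_route(routes, dst):
    """Pick the entry a transit router would use for dst: longest prefix
    first, lowest cost second (a stand-in for BGP path selection).
    routes: iterable of (prefix, dc, cost). Returns the chosen dc or None."""
    dst = ip_address(dst)
    best = None
    for prefix, dc, cost in routes:
        net = ip_network(prefix)
        if dst in net:
            key = (net.prefixlen, -cost)
            if best is None or key > best[0]:
                best = (key, dc)
    return best[1] if best else None

# Design 1: stretched subnet. Both DCs advertise the same /24, so the DC a
# packet enters depends only on the external path cost, not on where the
# server actually lives. SERVER_SITE records the real location of each host.
STRETCHED = [("192.0.2.0/24", "DC1", 10), ("192.0.2.0/24", "DC2", 20)]
SERVER_SITE = {"192.0.2.10": "DC1", "192.0.2.200": "DC2"}

def deliver_stretched(dst, dci_up, routes=STRETCHED):
    """Traffic that lands in the wrong DC survives only while the DCI is up."""
    entry = best_route(routes, dst)
    site = SERVER_SITE[dst]
    if entry == site:
        return "delivered via " + entry
    return "forwarded over DCI" if dci_up else "dropped at " + entry

# Design 2: each DC advertises its own specific /25 plus the covering /24
# summary. The specific always wins, so the summary only carries traffic
# once the specific prefix has been withdrawn (summary as a backup).
SPLIT = [("192.0.2.0/25", "DC1", 10), ("192.0.2.0/24", "DC1", 10),
         ("192.0.2.128/25", "DC2", 20), ("192.0.2.0/24", "DC2", 20)]

def deliver_split(dst, failed_dc=None, routes=SPLIT):
    """Return the DC that receives dst after failed_dc withdraws its routes."""
    live = [r for r in routes if r[1] != failed_dc]
    return best_route(live, dst)

if __name__ == "__main__":
    print(deliver_stretched("192.0.2.200", dci_up=False))  # dropped at DC1
    print(deliver_split("192.0.2.200", failed_dc="DC2"))   # DC1
```

With the DCI down, the stretched design black-holes every flow that enters the wrong edge router, while in the split design a failed data center's traffic follows the summary to the surviving one.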
Tuesday, September 11, 2012
Distributed Firewalls: How Badly Do You Want To Fail?