Hello Bart, absolutely. We are in a similar situation (probably simpler, since we are dealing with a sort of "multi-tenant DC inside a Campus" scenario, where the Campus necessarily uses the major part of the DC hardware infrastructure transparently, infrastructure that is shared between the Campus and the tenants): our idea was to have two Cores (with a VSX cluster on each side of the fence), both resiliently interconnected with a proper cluster firewall whose duty is to keep the Campus and the DC separated, with the additional constraint that that very same firewall will connect both the DC and the Campus to various ISPs (a thing I don't necessarily like because, that way, that firewall cluster becomes a SPoF not only for the Campus but also for the DC, which hosts systems of various tenants, most of them really unrelated to the Campus).
Basically we're in a sort of "ISP DC with Campus" (because we provide services to various different customers), but the biggest of them is also the sole owner of the DC infrastructure, uses it the most and owns what I call the Campus on which the DC services are consumed... maybe it's a common scenario... but, to simplify, for sure we're not within a typical "University where the University DC serves mostly the University Campus" model.
Probably a Layer 3 interconnection will suffice, but then ACLs on both sides should be correctly set up and maintained (not only to filter the necessary inter-VLAN communications at Core level on each side, but also to filter the necessary communications between VLANs belonging to the Campus versus the DC and vice versa).
------------------------------
Davide Poletto
------------------------------
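As an added illustration of the "ACLs on both sides" point in Davide's reply above (example code written for this page, not part of either poster's message and not tied to any vendor's CLI): a small stateless ACL model for a routed Campus/DC interconnect. The DC core filters what the Campus may initiate, the Campus core filters what the DC may initiate, and each side must also permit the return leg of sessions the other side allowed, which is the part that is easy to get wrong on a stateless ACL. All prefixes, rule sets and flows below are constructed assumptions.

```python
"""Stateless ACL model for a Layer 3 Campus <-> DC interconnect.

Constructed example: the two cores are joined by routed links and each
core applies an inbound ACL on its interconnect interface. The prefixes,
services and flows are assumptions made for illustration only.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

# Assumed address plan (constructed, not from the thread).
ANY = ip_network("0.0.0.0/0")
CAMPUS = ip_network("10.10.0.0/16")        # Campus user VLANs
DC = ip_network("10.20.0.0/16")            # DC server VLANs (all tenants)
DC_WEB = ip_network("10.20.1.0/24")        # front-ends the Campus may reach
DC_DNS = ip_network("10.20.2.53/32")       # resolver the Campus may query


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (any protocol)
    src: IPv4Network
    dst: IPv4Network
    sport: Optional[int] = None  # match a fixed source port, if set
    dport: Optional[int] = None  # match a fixed destination port, if set
    established: bool = False    # TCP return traffic only (ACK set)


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool = False            # True for the reply leg of a TCP session


def matches(rule: Rule, flow: Flow) -> bool:
    """Return True when the flow is covered by the rule's match fields."""
    if rule.proto != "ip" and rule.proto != flow.proto:
        return False
    if ip_address(flow.src) not in rule.src or ip_address(flow.dst) not in rule.dst:
        return False
    if rule.sport is not None and rule.sport != flow.sport:
        return False
    if rule.dport is not None and rule.dport != flow.dport:
        return False
    if rule.established and not (flow.proto == "tcp" and flow.ack):
        return False
    return True


def evaluate(acl: List[Rule], flow: Flow) -> str:
    """First-match evaluation with the implicit deny hardware ACLs have."""
    for rule in acl:
        if matches(rule, flow):
            return rule.action
    return "deny"


# Inbound on the DC core's interconnect interface: what the Campus may start.
DC_CORE_IN = [
    Rule("permit", "tcp", CAMPUS, DC_WEB, dport=443),
    Rule("permit", "udp", CAMPUS, DC_DNS, dport=53),
    Rule("deny", "ip", ANY, ANY),
]

# Inbound on the Campus core's interconnect interface: what the DC may send
# back, plus (here) nothing the DC may initiate towards the Campus.
CAMPUS_CORE_IN = [
    Rule("permit", "tcp", DC, CAMPUS, established=True),  # replies to 443
    Rule("permit", "udp", DC_DNS, CAMPUS, sport=53),      # DNS answers
    Rule("deny", "ip", ANY, ANY),
]


def interconnect_verdict(flow: Flow) -> str:
    """Pick the ACL by direction of travel and evaluate the flow against it."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src in CAMPUS and dst in DC:
        return evaluate(DC_CORE_IN, flow)
    if src in DC and dst in CAMPUS:
        return evaluate(CAMPUS_CORE_IN, flow)
    return "not-interconnect"  # intra-site traffic never crosses the link


def run_checks() -> Dict[str, str]:
    """Constructed flows covering both directions and both session legs."""
    flows = {
        "campus_to_web_syn": Flow("tcp", "10.10.5.20", "10.20.1.10", 51000, 443),
        "web_to_campus_reply": Flow("tcp", "10.20.1.10", "10.10.5.20", 443, 51000, ack=True),
        "campus_to_tenant_ssh": Flow("tcp", "10.10.5.20", "10.20.3.5", 51001, 22),
        "dc_to_campus_smb_syn": Flow("tcp", "10.20.3.5", "10.10.5.20", 40000, 445),
        "campus_dns_query": Flow("udp", "10.10.5.20", "10.20.2.53", 53000, 53),
        "dc_dns_answer": Flow("udp", "10.20.2.53", "10.10.5.20", 53, 53000),
    }
    return {name: interconnect_verdict(flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, verdict in run_checks().items():
        print(f"{name:24s} {verdict}")
```

The two deny-by-default lists are deliberately asymmetric: the DC side lists the services the Campus may consume, the Campus side only lets replies through, so a compromised tenant server cannot open connections into the Campus. If a DC-initiated service is ever needed, it has to be added on the Campus core and its return leg on the DC core, which is exactly the "maintained on both sides" burden the reply mentions.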
Original Message:
Sent: May 25, 2022 02:39 AM
From: Bart Verstegen
Subject: best practice to interconnect campus and DC on the same location
Hi
In my view that is indeed a possibility if there are multiple locations, but if there is only one location, I don't see an issue with having both behind the same firewall as two separate networks linked with each other with Layer 3 links.
But if you see it differently, feel free to share.
------------------------------
Bart
Original Message:
Sent: May 24, 2022 07:24 PM
From: Davide Poletto
Subject: best practice to interconnect campus and DC on the same location
Shouldn't both topologies (DC and Campus) be mutually protected by means of a firewall? Just a question...
------------------------------
Davide Poletto
Original Message:
Sent: May 23, 2022 04:30 PM
From: Bart Verstegen
Subject: best practice to interconnect campus and DC on the same location
Hi
We are discussing internally the best practice for a design where you have a campus and the DC on the same location.
The campus consists of:
2 cores (in active-active or active-standby)
access switches connected to each core
In the DC:
2 cores (in active-active or active-standby)
server switches connected to each core
so like this assuming the aggregation layer doesn't exist
sorry for the wrong layout
The question is: how does the best practice describe the way you must interconnect these cores?
I am not able to find it in the documentation or in best practices, but I always learned it must be with Layer 3 links.
Layer 3 because, with Layer 2 interconnects or even if you use MLAG, if a loop or a Layer 2 issue happens on the campus it will extend to the DC, even if STP protection is configured.
With Layer 3, these issues and their impact will remain on the campus, and the DC, if it is reachable from outside, can continue to function.
Can you please give me your idea and preferably provide me some documents to support this statement?
Thanks for the help.
------------------------------
Bart
------------------------------