Data Center

 View Only
last person joined: 3 days ago 

Ask questions and share experiences about Data Center Architecture and approaches.
  • 1.  Apstra 4.2.1 in eve-ng step-by-step series: Video 2. Prepping Your Lab

     
    Posted 14 days ago
    Edited by Jodi Meier 14 days ago

    NOTE: There is a typo in the switch prep instructions. To enter config mode, type "configure exclusive", not "configuration exclusive"

    I cannot delete/re-upload the documentation, so please just update the slide after you download!

    #5minutejunos

    Video: 2. Prepping Your Lab - Apstra 4.2.1 in eve-ng

    Video hashtag: #4.2.1_eve_video-2

    I did it… 11 videos recorded - the entire series - in less than a week!

    I will be uploading and publishing content as I finish the post-production work, so rather than the weeks it took between videos during the first series, I'm hoping post one or two videos a day.

    In this video, I discuss the prerequisites for our lab including recommendations on code, topology considerations, issues, caveats, and other bits and bobs that hopefully make your experience a bit easier.

    This video ends with our lab topology in place, the Apstra 4.2.1 server online and configured, and our vJunos nodes prepped for Apstra onboarding.

    My eve-ng lab topology is attached. If you want the experience if dragging links between nodes or typing out a bunch of IP's and MAC for an hour, that's certainly fine. Alternately, you can import my topology and edit the nodes to add the correct image and save yourself some time.

    Here are some useful links:

    (note that downloads may require a Juniper.net account)

    Apstra Download

    Virtual Platforms Public Landing Page - vJunos and vEvo downloads are here

    vEvo release notes

    vJunos release notes

    Instructions for loading virtual images into eve-ng (don't skim this - details matter!)



    ------------------------------
    Consulting Engineer - Juniper Networks
    YouTube - 5MinuteJunos
    ------------------------------



  • 2.  RE: Apstra 4.2.1 in eve-ng step-by-step series: Video 2. Prepping Your Lab

    Posted 19 days ago
    Edited by Jodi Meier 14 days ago

    Not sure but did you mention that you don't have a video for directing traffic to firewalls from the fabric? If not, do you have any tips/links/documentation you could share? I'm not quite sure if we actually need this but having some material regarding this would probably help us understand whether or not it's something we'd need in our upcoming project 







  • 3.  RE: Apstra 4.2.1 in eve-ng step-by-step series: Video 2. Prepping Your Lab

     
    Posted 18 days ago
    Edited by Jodi Meier 14 days ago

    You are correct. I have guides on the topic, and would you believe I even have a python script for generating SRX-side peering and policy configuration by pulling data out of Apstra?

    The current 11-part series does not include a section on DC firewalls. This is purposeful as I anticipate this topic to be its own multi-part series. The design considerations for both Apstra and the firewall service block range from simple to complex, each with their own considerations:

    • Layer-2 fabric with layer-3 firewalls
      • Pros: straight-forward routing (L3 gateways on firewalls or split between firewalls and external routers, depending on the requirements)
      • Cons: all east-west routed traffic must hairpin out of the fabric and back in
    • Layer-3 fabric with layer-3 firewalls (firewalls do not support VLXAN inspection or type-5 EVPN routes)
      • Pros: east-west routed traffic that doesn't require policy inspection can forward using the shortest path
      • Cons: complex fabric service chaining to ensure routing through firewall service block. very complex firewall configuration to maintain VRF isolation and support routing from/to fabric
    • Layer-3 fabric with firewalls that support VXLAN inspection and type-5 EVPN routes
      • Pros: east-west routed traffic that doesn't require policy inspection can forward using the shortest path. VRF isolation and inline VXLAN inspection with no VXLAN gateway requirement. Straightforward fabric configuration
      • Cons: complex firewall configuration, but still much easier than the L3 firewall design above

    In all cases, if you have multiple DC's with overlapping subnets, asynchronous flows are a consideration as firewalls in each DC must maintain flow state.

    You mentioned a project? Are you working with a Juniper account team? If so, you can engage me (or our great DC specialist team) through them and we can discuss the different design considerations.

    I'll have to dig a bit to see what material I might be able to share.



    ------------------------------
    Colin Doyle
    Lead BizDev Manager - Security Strategy
    Juniper Networks
    https://www.youtube.com/@5minutejunos
    ------------------------------