Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3562
Views
5
Helpful
18
Replies

Edge Firewalls...Routing protocol or No?

Go to solution
Steven Williams
Level 4
Level 4

‎12-27-2017 09:37 AM - edited ‎02-21-2020 07:02 AM

I think there are difference of opinions out there, so I'd like to ask the question...Firewalls, specifically the edge firewalls, routing protocol or not?

 

In a scenario of:

 

                                                          L2 SW -> DMZ Server Farm   

                                                             |

                                                             |

ISP -> Router -> L2 SW -> Edge FW -> Core -> Core FW -> Server Agg Layer -> Server Farm.

 

So things I don't understand or have concerns on:

 

1. The ISP will run BGP between each other. So between the router and the Edge FW's I would think to run something like OSPF, if dynamic routing protocol would be chosen to run on the FW. In that space would you run public IP space or private IP space?

 

2. My core switches are Cat9ks not in a VSS (because it is not supported yet on my models), but also never will be. Rather using routing to decide failover and also leverage ECMP. What I struggle with is would you physically connect each Core switch to each FW in an HA pair Active/Standby? Or connect the core switches to the FW's on a 1 to 1 basis? Core 1 -> FW1 Core 2 -> FW2? My concern with this if a down stream core switch to the active FW fails the HA pair will failover when really there was nothing wrong with the active firewall. Maybe this is ok.

 

Thoughts?

Labels:
0 Helpful
18 Replies 18

Go to solution
Steven Williams
Level 4
Level 4
In response to Francesco Molino

‎12-28-2017 10:51 AM

Ill have to run OSPF from the Cat9k to the PAs, then PAs to the edge routers. I did something similar a few years back and made everything north of the firewalls area 1 and everything below area 0. I can't remember why I did it though. 

0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to Steven Williams

‎12-28-2017 10:53 AM

Ok perfect. If they're not in the same area, it will be easier to filter route distribution.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
Steven Williams
Level 4
Level 4
In response to Francesco Molino

‎12-28-2017 10:54 AM

I assume that was it, it was slight different design and had many more "challenges" as it was a heavy PCI environment. 

 

Thanks for the conversation and input. 

0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to Steven Williams

‎12-28-2017 10:55 AM

You're welcome and glad I answered your question

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card