6500 with ASA Service module, full Internet routing table and OSPF routing

fsebera
Level 4

We are looking to purchase at least two Cisco 6500 series switches with the latest sup engines as well as the Cisco ASA service modules.

My question is, could we have all of the following in the same box and place this setup at the perimeter?

  • BGP routing with the full internet routing table of about 550k prefixes
  • OSPF for internal routing
  • Redistribution from OSPF into BGP (public OSPF prefixes to BGP)
  • Routed multi-context mode for our multiple separate dmz environments
  • AnyConnect VPN client termination in a separate context
  • AND potentially set up in an active/active cluster

Thank you

Frank


Vibhor Amrodia
Cisco Employee

Hi,

I think BGP with a full routing table is not officially supported, but it depends on the resources on the box, so it should work.

The only other thing is that AnyConnect support in multiple context mode is not supported, but it is on the roadmap for a future version: https://tools.cisco.com/bugsearch/bug/CSCsm17507/?reffering_site=dumpcr

And without multiple context mode, you would not be able to use Active/Active failover.

Thanks and Regards,

Vibhor Amrodia

Hi Vibhor,

Thank you

For clarity, I envision this setup like this: the 6500 Sup720 with maximum DRAM would run BGP to interface with the ISP and hold the full Internet routing table. BGP would dynamically announce the default network into OSPF, and OSPF would announce our internal LANs to BGP. OSPF would run on each virtual context within the ASA SM. OSPF would support our internal LANs. BGP would not be needed on the ASA SM. I think I stated this incorrectly in my original message.

Are you saying we WILL need to employ the ASA SM multi-context mode to support an active/active setup?

Thank you

Frank

 

Hi,

Yes, for Active/Active failover, you need to be in multiple context mode.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91336-pix-activeactive-config.html

Also, to be clear on the requirement:

EIGRP is supported in multi-context mode, but EIGRP instances cannot form an adjacency with each other across shared interfaces, because inter-context exchange of multicast traffic is not supported. Yes, the ASA will form a neighborship with other peers.

Thanks and Regards,

Vibhor Amrodia

 

Hi Vibhor,

This is how I envision this setup.

QUESTION: Does this seem correct?

  • Border 6500-1 peers with ISP via BGP
  • Global Routing Table (GRT) will hold BGP prefixes (perhaps full internet routing table)
  • From GRT, 20 of our remote site BGP prefixes redistribute into OSPF.
  • DMZ virtual contexts, currently 12 DMZs
    • #.#.0.0/24
    • #.#.1.0/24
    • #.#.2.0/24
    • #.#.3.0/24
    • etc.
  • DMZ environments are layer-2 only
  • Virtual context 1 is the default-gateway for virtual context 1 nodes
  • Virtual context 2 is the default-gateway for virtual context 2 nodes
  • Virtual context 3 is the default-gateway for virtual context 3 nodes, etc.
  • OSPF dynamically generates 0/0 and announces to internal net
  • OSPF announces each DMZ virtual context net to the internal network (optional)
  • OSPF nets are also redistributed into BGP and announced to ISP
  • 6500-1 and 6500-2 perform identical functions
  • 6500-1 and 6500-2 peer

 

Thank you for your assistance

Frank
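The design in Frank's list, written out as an added example IOS configuration for the 6500-1 border switch. This is not from the thread and not Cisco's reference configuration, and it has not been run on a Sup720; the AS numbers, peer and router-id addresses, the public block 203.0.113.0/24 and the two remote-site prefixes that stand in for the 20 are all assumed placeholders taken from documentation ranges. What it adds to the list is where the filters sit: a prefix-list and route-map bound what can leave toward the ISP (internal LANs never reach BGP), and a separate route-map keeps the full table out of OSPF so only the named remote-site prefixes and the conditionally generated default reach the ASA contexts.

```cisco
! Added example, not from the thread. Constructed values:
!   our AS 64496, ISP AS 64500, ISP peer 198.51.100.1,
!   our public block 203.0.113.0/24,
!   two of the "20 remote-site" BGP prefixes shown as 192.0.2.0/25 and 192.0.2.128/25,
!   OSPF process 1 / area 0 on 10.255.0.0/16, 6500-2 as iBGP peer 10.255.0.2
!
! What may be announced to the ISP: only our own public aggregate
ip prefix-list PUBLIC-OUT seq 10 permit 203.0.113.0/24
!
! What may go from the BGP table into OSPF: the named remote-site prefixes only,
! never the full Internet table
ip prefix-list REMOTE-SITES-IN seq 10 permit 192.0.2.0/25
ip prefix-list REMOTE-SITES-IN seq 20 permit 192.0.2.128/25
!
! Internal address space that must never be redistributed toward BGP
ip prefix-list RFC1918 seq 10 permit 10.0.0.0/8 le 32
ip prefix-list RFC1918 seq 20 permit 172.16.0.0/12 le 32
ip prefix-list RFC1918 seq 30 permit 192.168.0.0/16 le 32
!
! OSPF -> BGP: drop internal LANs first, then permit only the public block
route-map OSPF-TO-BGP deny 10
 description internal LANs stop here, before the ISP session
 match ip address prefix-list RFC1918
route-map OSPF-TO-BGP permit 20
 match ip address prefix-list PUBLIC-OUT
!
! BGP -> OSPF: the 20 remote-site prefixes only
route-map BGP-TO-OSPF permit 10
 match ip address prefix-list REMOTE-SITES-IN
 set metric-type type-1
!
router ospf 1
 router-id 10.255.0.1
 passive-interface default
 no passive-interface Vlan100
 network 10.255.0.0 0.0.255.255 area 0
 ! 0/0 is injected into OSPF only while a default route is actually present
 ! in the routing table (learned via BGP from the ISP); no "always" keyword
 default-information originate
 redistribute bgp 64496 subnets route-map BGP-TO-OSPF
!
router bgp 64496
 bgp router-id 10.255.0.1
 bgp log-neighbor-changes
 ! Without "match external" IOS only picks up OSPF internal routes here;
 ! the route-map then decides what of that is allowed into BGP
 redistribute ospf 1 match internal external 1 external 2 route-map OSPF-TO-BGP
 neighbor 198.51.100.1 remote-as 64500
 neighbor 198.51.100.1 description ISP-A
 ! Outbound filter as a second guard, independent of the redistribution route-map
 neighbor 198.51.100.1 prefix-list PUBLIC-OUT out
 ! Assumed ceiling slightly above the ~550k full table; warn at 90%
 neighbor 198.51.100.1 maximum-prefix 600000 90
 ! 6500-2 performs the same role and is an iBGP peer
 neighbor 10.255.0.2 remote-as 64496
 neighbor 10.255.0.2 next-hop-self
```

Because `default-information originate` carries no `always` keyword, the 0/0 is withdrawn from OSPF when the BGP default from the ISP disappears, which is the dynamic behaviour the list describes. The ASA contexts are left out of this snippet on purpose: in the design above they run OSPF toward the 6500 only and do not peer with each other. After applying such a configuration, `show ip ospf database external` and `show ip bgp neighbors 198.51.100.1 advertised-routes` are the two places to confirm that no Internet prefixes reached OSPF and nothing beyond the public block is being sent to the ISP.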

 

 

Hi,

I don't see any problem with this requirement.

I just wanted to make sure that you don't have any peering between the ASA contexts themselves.

Thanks and Regards,

Vibhor Amrodia

Thank you

Frank
