12-27-2017 09:37 AM - edited 02-21-2020 07:02 AM
I think there are differences of opinion out there, so I'd like to ask the question... Firewalls, specifically the edge firewalls, routing protocol or not?
In a scenario of:
L2 SW -> DMZ Server Farm
|
|
ISP -> Router -> L2 SW -> Edge FW -> Core -> Core FW -> Server Agg Layer -> Server Farm.
So things I don't understand or have concerns on:
1. The ISP will run BGP between each other. So between the router and the Edge FWs I would think to run something like OSPF, if a dynamic routing protocol would be chosen to run on the FW. In that space would you run public IP space or private IP space?
2. My core switches are Cat9ks not in a VSS (because it is not supported yet on my models), but also never will be. Rather, I'm using routing to decide failover and also to leverage ECMP. What I struggle with is: would you physically connect each Core switch to each FW in an HA pair Active/Standby? Or connect the core switches to the FWs on a 1-to-1 basis? Core 1 -> FW1, Core 2 -> FW2? My concern with this is that if a downstream core switch to the active FW fails, the HA pair will fail over when really there was nothing wrong with the active firewall. Maybe this is ok.
Thoughts?
12-28-2017 10:51 AM
I'll have to run OSPF from the Cat9k to the PAs, then PAs to the edge routers. I did something similar a few years back and made everything north of the firewalls area 1 and everything below area 0. I can't remember why I did it though.
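As an added illustration of the design discussed in the question (OSPF between the core switches and the firewall HA pair, ECMP decided by routing) and in the reply above (core side in area 0), here is what the Cat9k core-switch side of that adjacency could look like in Cisco IOS-XE syntax. This is example configuration written for this thread, not the poster's config and not vendor documentation; the interface names, the private /30 point-to-point subnets, the router-id, the process number and the key name are all assumptions, and the key string is a placeholder. Check the exact authentication syntax against your IOS-XE release.

```cisco
! --- Example only: Cat9k core switch, south side of the firewall pair (area 0 per the reply above) ---
! Routing-protocol authentication: an unauthenticated OSPF adjacency facing a firewall
! lets any device on that segment inject routes, so the links are authenticated.
key chain OSPF-FW-KEYS
 key 1
  key-string REPLACE-WITH-A-STRONG-KEY
  cryptographic-algorithm hmac-sha-256
!
! One routed uplink to each member of the HA pair (assumed interface names and /30s).
! Routed ports and point-to-point network type: no DR/BDR election, faster convergence.
interface TenGigabitEthernet1/0/1
 description Uplink to Core-FW1 (HA pair member, assumed)
 no switchport
 ip address 10.255.1.1 255.255.255.252
 ip ospf network point-to-point
 ip ospf authentication key-chain OSPF-FW-KEYS
!
interface TenGigabitEthernet1/0/2
 description Uplink to Core-FW2 (HA pair member, assumed)
 no switchport
 ip address 10.255.1.5 255.255.255.252
 ip ospf network point-to-point
 ip ospf authentication key-chain OSPF-FW-KEYS
!
router ospf 1
 router-id 10.255.0.1
 ! Log neighbor up/down so a firewall-side failover or a dead link shows up in syslog.
 log-adjacency-changes detail
 ! Passive by default: hellos are only sent on the two firewall-facing links,
 ! never into server-facing VLANs where a rogue host could form an adjacency.
 passive-interface default
 no passive-interface TenGigabitEthernet1/0/1
 no passive-interface TenGigabitEthernet1/0/2
 network 10.255.1.0 0.0.0.3 area 0
 network 10.255.1.4 0.0.0.3 area 0
 ! Install both equal-cost paths when they exist (ECMP, as the question intends).
 maximum-paths 2
```

With both core switches cabled to both firewalls like this, losing one core-to-firewall link only withdraws one adjacency and the route reconverges on the surviving link; the firewall pair itself sees no reason to fail over, which is the concern raised in point 2 of the question. `show ip ospf neighbor` on the core and the OSPF adjacency log lines are the quickest way to confirm which link actually carried the traffic after such a failure.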
12-28-2017 10:53 AM
12-28-2017 10:54 AM
I assume that was it. It was a slightly different design and had many more "challenges" as it was a heavy PCI environment.
Thanks for the conversation and input.
12-28-2017 10:55 AM