10-10-2012 08:36 AM - last edited on 03-25-2019 03:06 PM by ciscomoderator
My company is moving to a new office building and has ordered redundant Internet connections through the same ISP. I have not had the chance to speak to the ISP vendor, but from what I have been told they expect us to participate in BGP since we will require load-balancing and high availability for inbound web traffic. My limited experience with BGP has been in a lab environment. The company has already purchased the two routers and two ASAs. We have a block of public IP addresses.
My objectives are to
1. Allow internal users to get out to the Internet
2. Allow outside users to browse our public web site.
3. Configure the routers and ASAs in such a way that if any one device fails or one of the Internet connections goes down, business will continue as usual.
Below are just some of my questions to help me ensure I am heading down the correct path:
--Will the IP addresses on the point-to-point links between our routers and the ISP come from our block of IP addresses, or will they be separate /30 links that the ISP provides? (Again, I have not had a chance to speak to the vendor)
--Will the iBGP link "A" require the use of public IP addresses or can private IPs be used? Besides configuring iBGP on these routers, is a First Hop Redundancy Protocol configured here as well?
--Should there be routed links between R1 and FW2, and R2 and FW1? Does that overly complicate the design without any real value added?
--Would OSPF or EIGRP typically be configured for links B, C & D to enable the redundancy desired between the firewalls and routers?
--What is the best practice for determining outbound traffic flow from the layer 3 switches (6509s configured as a VSS) to the two ASAs?
Any assistance is greatly appreciated.
Mike
10-13-2012 03:24 AM
Hi there
First of all, you need in your design to make sure that traffic flow inbound and outbound is aligned end to end.
Answers to your questions are per below:
--Will the IP addresses on the point-to-point links between our routers and the ISP come from our block of IP addresses, or will they be separate /30 links that the ISP provides? (Again, I have not had a chance to speak to the vendor)
No, it does not need to; ask the ISP to provide you with their own IPs for the p2p links (to avoid wasting your public IPs).
--Will the iBGP link "A" require the use of public IP addresses or can private IPs be used? Besides configuring iBGP on these routers, is a First Hop Redundancy Protocol configured here as well?
No, you can use private IPs.
--Should there be routed links between R1 and FW2, and R2 and FW1? Does that overly complicate the design without any real value added?
It is better here to use an L2 shared VLAN (switch) for those interfaces to get FHRP of the routers and failover of the FWs working as expected.
--Would OSPF or EIGRP typically be configured for links B, C & D to enable the redundancy desired between the firewalls and routers?
If you are using HSRP/VRRP between the routers and using failover between the FWs, then using a shared L2 VLAN as suggested above will be required, without an IGP such as EIGRP. Also, the link between the firewalls used for FW failover is not like the one used between the routers: it "does not need routing".
--What is the best practice for determining outbound traffic flow from the layer 3 switches (6509s configured as a VSS) to the two ASAs?
If you put the ASA FWs in failover mode, then the IP address of the primary/active ASA FW will be used for your static routes in the L3 switches to point to, and this IP will be used by the secondary FW in the case of a failover situation ("transparent and automatic").
Hope this helps.
If helpful, rate.
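The design the accepted answer describes (HSRP VIP on a shared L2 VLAN between the routers and the ASAs, an active/standby ASA pair, and the L3 switch pointing at the active ASA's inside address), as an added configuration sketch that is not part of the original post. Interface names, the 10.10.x.x VLAN addressing, the FOLINK failover interface and the 203.0.113.0/24 public block are placeholders; the BGP sessions toward the ISP and the web-server NAT are outside this fragment.

```cisco
! ===== R1 (R2 is identical except for its own .12 address and standby priority 90) =====
! Track the ISP-facing uplink so R1 yields the VIP if its Internet link dies.
track 10 interface GigabitEthernet0/0 line-protocol
!
interface GigabitEthernet0/1
 description Shared L2 VLAN toward the ASA outside interfaces
 ip address 10.10.10.11 255.255.255.0
 standby 1 ip 10.10.10.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 10 decrement 30
!
! Public block (placeholder) is reached via the ASA outside address, which
! always belongs to whichever ASA unit is currently active.
ip route 203.0.113.0 255.255.255.0 10.10.10.3
!
! ===== ASA primary (the secondary uses "failover lan unit secondary"; the
! rest of the configuration is replicated to it over the failover link) =====
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.10.10.3 255.255.255.0 standby 10.10.10.4
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.20.1 255.255.255.0 standby 10.10.20.2
!
! Default route points at the routers' HSRP VIP, not at one physical router,
! so a router failure needs no route change on the stateful firewall pair and
! inbound/outbound flows stay on the same active unit (the symmetry the answer asks for).
route outside 0.0.0.0 0.0.0.0 10.10.10.1
!
! ===== 6509 VSS (L3 switch) =====
! Next hop is the ASA inside address; on failover the standby unit takes it over.
ip route 0.0.0.0 0.0.0.0 10.10.20.1
```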
04-27-2019 05:39 AM
Please help me with the Firewall configuration and L3 switch configuration