Help routing with dual connections to 1 ISP, 2 routers, 2 firewalls

mikemoore72
Level 1

My company is moving to a new office building and has ordered redundant Internet connections through the same ISP.  I have not had the chance to speak to the ISP vendor, but from what I have been told they expect us to participate in BGP since we will require load-balancing and high availability for inbound web traffic.  My limited experience with BGP has been in a lab environment.  The company has already purchased the two routers and two ASAs.  We have a block of public IP addresses. 

My objectives are to

1.  Allow internal users to get out to the Internet
2.  Allow outside users to browse our public web site.
3.  Configure the routers and ASAs in such a way that if any one device fails or one of the Internet connections goes down, business will continue as usual.

Below are just some of my questions to help me ensure I am heading down the correct path:

--Will the IP addresses on the point-to-point links between our routers and the ISP come from our block of IP addresses, or will they be separate /30 links that the ISP provides?  (Again, I have not had a chance to speak to the vendor) 

--Will the iBGP link "A" require the use of public IP addresses or can private IPs be used?  Besides configuring iBGP on these routers, is a First Hop Redundancy Protocol configured here as well?

--Should there be routed links between R1 and FW2, and R2 and FW1?  Does that overly complicate the design without any real value added?

--Would OSPF or EIGRP typically be configured for links B, C & D to enable the redundancy desired between the firewalls and routers?

--What is the best practice for determining outbound traffic flow from the layer 3 switches (6509s configured as a VSS) to the two ASAs?

Any assistance is greatly appreciated.

Mike


Accepted Solution

Marwan ALshawi
VIP Alumni

Hi there

First of all, in your design you need to make sure that inbound and outbound traffic flows are aligned end to end.

Answers to your questions are per below:

--Will the IP addresses on the point-to-point links between our routers and the ISP come from our block of IP addresses, or will they be separate /30 links that the ISP provides?  (Again, I have not had a chance to speak to the vendor)

No, it does not need to; ask the ISP to provide you with their own IPs for the p2p links (to avoid wasting your public IPs).

--Will the iBGP link "A" require the use of public IP addresses or can private IPs be used?  Besides configuring iBGP on these routers, is a First Hop Redundancy Protocol configured here as well?

No, you can use private IPs.

--Should there be routed links between R1 and FW2, and R2 and FW1?  Does that overly complicate the design without any real value added?

It is better here to use an L2 shared VLAN (switch) for those interfaces to get the routers' FHRP and the FWs' failover working as expected.

--Would OSPF or EIGRP typically be configured for links B, C & D to enable the redundancy desired between the firewalls and routers?

If you are using HSRP/VRRP between the routers and failover between the FWs, then a shared L2 VLAN as suggested above will be required, without an IGP such as EIGRP. Also, the link between the firewalls used for FW failover is not like the one used between the routers: it "does not need routing".

--What is the best practice for determining outbound traffic flow from the layer 3 switches (6509s configured as a VSS) to the two ASAs?

If you put the ASA FWs in failover mode, then the IP address of the primary/active ASA FW will be used as the next hop for your static routes in the L3 switches, and this IP will be used by the secondary FW in the case of a failover situation ("transparent and automatic").

Hope this helps.

If helpful, rate.
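As an added example, not taken from the thread or from either poster: a condensed Cisco IOS/ASA configuration that puts the accepted answer's points together (ISP-provided /30 for eBGP, private addressing on iBGP link A, a shared L2 VLAN with HSRP between the routers and the ASA outside interfaces, ASA active/standby failover, and a single static default route on the VSS). All addresses, ASNs, interface names and key strings are assumed placeholders drawn from documentation ranges.

```cisco
! R1 (assumed addresses; R2 mirrors this with its own IPs and a lower HSRP priority)
interface GigabitEthernet0/0
 description eBGP link to ISP on an ISP-provided /30 (placeholder 198.51.100.0/30)
 ip address 198.51.100.2 255.255.255.252
!
interface GigabitEthernet0/1
 description iBGP link "A" to R2 - private addressing, as the answer says
 ip address 10.0.0.1 255.255.255.252
!
interface GigabitEthernet0/2
 description shared L2 VLAN facing the ASA outside interfaces; HSRP VIP is .1
 ip address 203.0.113.2 255.255.255.248
 standby 1 ip 203.0.113.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 authentication md5 key-string HSRP-KEY-PLACEHOLDER
 standby 1 track GigabitEthernet0/0 20
!
router bgp 65001
 neighbor 198.51.100.1 remote-as 64500
 neighbor 198.51.100.1 password BGP-KEY-PLACEHOLDER
 neighbor 10.0.0.2 remote-as 65001
 neighbor 10.0.0.2 next-hop-self
 network 203.0.113.0 mask 255.255.255.0
!
ip route 203.0.113.0 255.255.255.0 Null0
ip route 203.0.113.64 255.255.255.192 203.0.113.4
!
! ASA1 (primary); ASA2 is identical except "failover lan unit secondary"
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.4 255.255.255.248 standby 203.0.113.5
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
failover
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.168.255.1 255.255.255.252 standby 192.168.255.2
failover key FAILOVER-KEY-PLACEHOLDER
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! 6509 VSS: one default route to the ASA active inside IP, which moves on failover
ip route 0.0.0.0 0.0.0.0 10.1.1.1
```

The HSRP track on the ISP-facing interface keeps the outbound active router on the unit whose upstream link is up, which is one way to address the alignment point in the first line of the answer; the routers' static route to 203.0.113.64/26 stands in for whatever public range the ASA actually fronts.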



Please help me with the Firewall configuration and L3 switch configuration
