06-07-2012 09:55 PM - edited 03-03-2019 06:37 AM
Apparently the Security/Compliance team didn't review my network design before it was submitted and built, and now I have to shoehorn a firewall somewhere there was never supposed to be one.
I have my two current DC Cores (Nexus 5548UP), that currently are Layer 3 only, with no L2 configuration at all. I understand these aren't the best switches for this role, but the BoM was put in place and gear ordered, long before I came onboard, and the DC design had been completed. From these two Cores, I connect directly to a vendor's clustered Fortinet FW, via a /30 from each core to each node of their cluster, and connected via eBGP, one link with a path prepend, due to the vendor not being able to figure out how to load balance on their firewall. Due to numerous vendor problems, and lack of knowledge, I cannot get them to change their design in a timely manner, to meet our timelines, and this has to be up yesterday to be PCI compliant (so our security people say) prior to go live in 1 week. The vendor took 3 weeks just to figure out how to aggregate routes to me!
So I want to drop a transparent pair of firewalls inline on the two links, but due to the Active/Standby limitation of ASAs, I am not sure this will be that easy given the /30 L3 interfaces being used. Secondly the lack of L2 between the two upstream cores may be a concern, at least from past experiences. I know if I was using some other vendor's clustered FW, this wouldn't be a problem, but I definitely don't want to join the Dark side again, nor do I have time to procure any other equipment other than the 5520's I currently have laying around. Someone please tell me I have overlooked something simple, and the design listed below will be simple to implement!!!!
Any ideas appreciated!
07-12-2012 09:32 AM
Why don't you use this design:
Connect the vendor cluster directly to the Nexus in a VRF instance, then route traffic to the ASA and then route to the Nexus with another VRF instance.
Regards
V.
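The VRF design the reply describes, written out as an added example configuration (not posted by either participant): on the Nexus the vendor /30 and the ASA outside link sit in a VRF named OUTSIDE, the ASA inside link sits in the default VRF, so every packet between the vendor and the DC must traverse the ASA in routed mode. All addresses, AS numbers, interface names and the DC prefix 10.10.0.0/16 are constructed; only one core and the primary ASA are shown, and ASA failover between the two cores is not covered.

```text
! --- Nexus 5548UP, one core (constructed addressing) ---
feature bgp
vrf context OUTSIDE
  ! DC prefix is reachable only through the ASA outside interface,
  ! so it can be advertised to the vendor from this VRF
  ip route 10.10.0.0/16 10.0.1.2
! default VRF (inside): everything leaving the DC goes to the ASA inside interface
ip route 0.0.0.0/0 10.0.2.2
!
interface Ethernet1/1
  description /30 to vendor Fortinet cluster node A (VRF OUTSIDE)
  no switchport
  vrf member OUTSIDE
  ip address 10.0.0.1/30
interface Ethernet1/2
  description to ASA outside (VRF OUTSIDE)
  no switchport
  vrf member OUTSIDE
  ip address 10.0.1.1/30
interface Ethernet1/3
  description to ASA inside (default VRF)
  no switchport
  ip address 10.0.2.1/30
!
router bgp 65001
  vrf OUTSIDE
    address-family ipv4 unicast
      network 10.10.0.0/16
    neighbor 10.0.0.2
      remote-as 65002
      address-family ipv4 unicast
!
! --- ASA 5520, routed mode, primary unit (constructed addressing) ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.0.1.2 255.255.255.252
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.2.2 255.255.255.252
route outside 0.0.0.0 0.0.0.0 10.0.1.1
route inside 10.10.0.0 255.255.0.0 10.0.2.1
! only explicitly permitted vendor-to-DC flows cross the firewall
access-list OUTSIDE_IN extended permit tcp 172.16.0.0 255.255.0.0 10.10.0.0 255.255.0.0 eq 443
access-group OUTSIDE_IN in interface outside
```

Because both directions of a flow cross the same ASA (OUTSIDE VRF to default VRF and back), the stateful inspection stays symmetric; the `network` statement in VRF OUTSIDE only works while the static route for 10.10.0.0/16 is present in that VRF.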