
ASR1001 Configuration

zekebashi

Hello, 

See attached. I'm a novice to the ASR platform and I have a project where the client requested to have the ASR1001 placed between their FW (Palo Alto) and their edge switch. I am not sure what role the ASR will play in this topology and was wondering if someone can explain to me why use an ASR in this design.

Much appreciated. 

Best, ~zK 

Richard Burts

I have seen implementations which put a router outside of the firewall. Sometimes it is because the Internet connection is some media that the firewall cannot handle, but that does not seem to be the case here. Sometimes it is because they want to handle multiple outbound Internet connections, but that does not seem to be the case here. Sometimes it is because the QoS implementation on the router is better than the implementation on the firewall, and not sure if that fits here. Sometimes it is because the router can run a dynamic routing protocol that the firewall does not support, which might possibly be the case here.

You would get a better explanation of what role the ASR will play if you ask the person who created this design.

HTH

Rick


Thanks, Rich. 

Assuming that we'd go ahead and go with this design and place the ASR between the FW and the Edge sw, how should we configure the ASR in terms of routing? What type of information should I ask the client to provide me with to config this ASR?

Thanks in advance. 

Best, ~zK 

You really need to know what is the purpose of putting it there.

And one of the key things is the public IP addressing in use.

If you currently have an IP subnet from the outside of your firewall to the ISP then by placing the router in between that same IP subnet will now be used between the router and the ISP.

If that is the only public IP subnet then your NAT has now moved to the router which may well be not what you want.

Before you do anything you need to understand what are the reasons for putting it there and how that fits in with the current IP addressing.

Only then will you know what configuration you should be doing.

Jon

Thank you, Jon. 

So, after much discussion with the client, I was able to get a better understanding. The ASR will be placed behind the firewall, between the Core switch and the firewall. With that said, what do I need to configure this ASR? Would it be possible to provide an example of a config file?

Much appreciated. 

Best, ~zK 

Okay, there are no addressing problems then but sorry to keep coming back with questions but why would the client want to do this?

You have a L3 core switch that can connect directly to the firewall.

I cannot see any reason for wanting a router between that switch and the firewall, it really makes no sense unless there is some information you haven't included.

In terms of configuration you simply need to run OSPF on it to peer with the core switch and then, assuming you are not running OSPF on the firewall, add a default route to the router pointing to the firewall and generate a default route in OSPF for the core and distribution switches.

The firewall will need routes added for the internal subnets pointing to the router.

Like I say though, I cannot see a reason to do this.

Jon

Thanks for the response, Jon. 

I totally agree with you. I kept asking the same question as to why they needed the router between the L3 core sw and the firewall and the answer I got was that they would need some of the features that the ASR offers as they will be using ISR4451 routers at the remote locations.

Anyhow, so, I will do the following as I understand it from your post:

ASR:

- Assign IP address to peer with the firewall
- Assign IP address to peer with the Core sw
- Run OSPF process in area 0
- Add default route 0.0.0.0 0.0.0.0 firewall IP
- Default originate metric E2

Core sw:

- Assign IP address to peer with the firewall

I hope I got it right. 

Much appreciated. 

Best, ~zK 

Core switch you assign IP to peer with router not firewall but apart from that correct.

Bear in mind if the firewall is not running a routing protocol then it probably has routes pointing to the HP next hop IP.

If you insert the router in between then you either need to change all the routes on the firewall or simply use the IP subnet used to connect the firewall to the HP for the router to firewall connection and then use a different IP subnet for the inside interface of the router to the switch.

Jon
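
A configuration sketch for the ASR that follows the steps agreed in the posts above, added here as an example and not posted by any participant in the thread. All addresses, interface assignments and the OSPF process ID are assumptions: 10.0.0.0/30 stands in for the existing firewall-to-HP subnet being reused, and 10.0.1.0/30 for the new ASR-to-core subnet.

```cisco
! Constructed example (IOS XE syntax). Every address, interface and the
! OSPF process ID below is a placeholder, not a value from the thread.
!   10.0.0.0/30  existing firewall<->HP core subnet, reused for firewall<->ASR
!   10.0.1.0/30  new subnet for ASR<->core switch
!
! Firewall-facing interface. Assumption: the ASR takes over the address the
! HP core switch used on this subnet, so the firewall's existing static
! routes keep the same next hop.
interface GigabitEthernet0/0/0
 description Link to firewall inside interface
 ip address 10.0.0.2 255.255.255.252
 no shutdown
!
! Core-facing interface on the new transit subnet.
interface GigabitEthernet0/0/1
 description Link to L3 core switch
 ip address 10.0.1.1 255.255.255.252
 no shutdown
!
! Only the core-facing link runs OSPF; the firewall is not an OSPF speaker.
! default-information originate advertises the static default below to the
! core and distribution switches as an external type 2 (E2) route.
router ospf 1
 router-id 10.0.1.1
 network 10.0.1.0 0.0.0.3 area 0
 default-information originate metric-type 2
!
! Default route toward the firewall (10.0.0.1 in this sketch).
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
! Outside this file:
!  - core switch: 10.0.1.2/30 on its ASR-facing interface, in OSPF area 0
!  - firewall: routes for the internal subnets pointing to 10.0.0.2
```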

Sorry, that was a typo on my part. 

Core sw:  

     - Assign IP address to peer with the ASR 

Yes, the plan is to use the same IP subnet which is currently used to connect the firewall to the HP and to use a different subnet for the inside interface of the router to the sw.

Thank you so much for your assistance. You've been a life saver for me. 

I'll post "Lessons Learned" post install so others can benefit from this project.

Best, ~zK 

No problem at all, glad to help.

Jon