Designing a Campus Internet Edge

Ex-Engineer1968
Level 1

Hello, everyone. Thank you ahead of time for your attention and sharing your expertise. Greatly appreciated! 

It’s been a while since I designed an Internet edge… so many ways to approach it.

I have 2 ISPs, 2 collapsed core L3 Cisco 9500 switches, and 2 firewalls that can run BGP and OSPF.

I could use static routes and keep it simple or run routing protocols.

Or I can do this to create a dynamic failover of what are basically 2 separate/independent paths to their respective ISPs. But traffic will always go out the primary ISP unless that connection fails.

I would have liked to embed the drawing in the dialogue box, but it only allows me to attach! Sorry! 

Does what I wrote below make sense? Are my assumptions correct?

Please bring up drawing so that you can follow along. 

ISP-1 PATH – INBOUND CONTROL PLANE/OUTBOUND DATA PLANE

  • ISP-1 advertises a default route to L3 Switch-1 using eBGP.
  • L3 Switch-1 and L3 Switch-2 do an iBGP peering. At L3 Switch-1, we configure a Local Pref of 200 for the default route learned from ISP-1. That gets passed on to L3 Switch-2 via iBGP.

DATA PLANE NOTE: So, any outbound traffic going out to the Internet that reaches L3 Switch-2 will be forwarded to L3 Switch-1.

  • L3 Switch-1 redistributes the default route into OSPF (default-originate command?) and on to FW-ACT-1. The next hop for the default route would be an interface on the L3 switch.
  • FW-ACT-1 passes the default route via OSPF to Core 1. Since there is no OSPF adjacency between Core 1 and Core 2, each core switch will only have the route it learned from its northbound FW. BUT, in the event that the dynamic default route is lost because of a northbound failure, Core 1 SHOULD have a default static pointing to Core 2 (adjust AD to 200).
  • So, any traffic received at Core 1 destined for the Internet will go northbound to FW-ACT-1.

ISP-2 PATH – INBOUND CONTROL PLANE/OUTBOUND DATA PLANE

  • ISP-2 advertises a default route to L3 Switch-2 using eBGP.
  • L3 Switch-2 learns about the default route and Local Pref from L3 Switch-1 via the iBGP peering.

DATA PLANE NOTE: So, any outbound traffic going out to the Internet that reaches L3 Switch-2 will be forwarded to L3 Switch-1.

  • L3 Switch-2 redistributes the default route into OSPF (default-originate command?). The next hop for the default route would be an interface on the L3 switch.
  • FW-ACT-2 passes the default route via OSPF to Core 2. Since there is no OSPF adjacency between Core 1 and Core 2, each core switch will only have the route it learned from its northbound FW. BUT, in the event that the dynamic default route is lost because of a northbound failure, Core 2 SHOULD have a default static pointing to Core 2 (adjust AD to 200).
  • So, any traffic received at Core 2 destined for the Internet will go northbound to FW-ACT-2.

Does this make sense? Are my assumptions correct?
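The two-path design described above, written out as IOS-style configuration. This is an added example, not the OP's config or the attached drawing; the AS numbers, addresses, process IDs and peer addresses are assumed, and the floating statics are written with each core pointing at the other core so that the AD 200 fallback only becomes active when the OSPF-learned default (AD 110) disappears.

```cisco
! --- L3 Switch-1: eBGP to ISP-1 (AS 64501, assumed), iBGP to Switch-2 (AS 65001, assumed)
router bgp 65001
 bgp router-id 10.0.0.1
 neighbor 203.0.113.1 remote-as 64501
 neighbor 203.0.113.1 route-map ISP1-IN in
 neighbor 10.0.0.2 remote-as 65001
 neighbor 10.0.0.2 update-source Loopback0
 ! next-hop-self lets Switch-2 resolve the ISP-1 default without a route to the ISP link
 neighbor 10.0.0.2 next-hop-self
!
! accept only the default from the ISP; anything else is dropped by the implicit deny
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
route-map ISP1-IN permit 10
 match ip address prefix-list DEFAULT-ONLY
 set local-preference 200
!
router ospf 1
 router-id 10.0.0.1
 network 10.1.1.0 0.0.0.255 area 0
 ! advertises 0.0.0.0/0 to FW-ACT-1 only while a default exists in the RIB
 ! (via ISP-1 normally, via iBGP from Switch-2 when ISP-1 is down)
 default-information originate
!
! --- L3 Switch-2: eBGP to ISP-2 (AS 64502, assumed); default local-pref 100 loses to Switch-1's 200
router bgp 65001
 bgp router-id 10.0.0.2
 neighbor 198.51.100.1 remote-as 64502
 neighbor 198.51.100.1 route-map ISP2-IN in
 neighbor 10.0.0.1 remote-as 65001
 neighbor 10.0.0.1 update-source Loopback0
 neighbor 10.0.0.1 next-hop-self
!
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
route-map ISP2-IN permit 10
 match ip address prefix-list DEFAULT-ONLY
 set local-preference 100
!
router ospf 1
 router-id 10.0.0.2
 network 10.1.2.0 0.0.0.255 area 0
 ! the RIB default here points at Switch-1 (iBGP, pref 200), so OSPF still originates it
 default-information originate
!
! --- Core-1: floating static toward Core-2 (10.9.9.2 assumed core-to-core link)
ip route 0.0.0.0 0.0.0.0 10.9.9.2 200
! --- Core-2: floating static toward Core-1
ip route 0.0.0.0 0.0.0.0 10.9.9.1 200
```

To confirm the intended behaviour, `show ip bgp 0.0.0.0` on Switch-2 should show the iBGP path from Switch-1 as best, and `show ip route 0.0.0.0` on each core should show the OSPF external default until the northbound path fails.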

3 Replies

ex-engineer
Level 1

I can't believe that no one had any input on this. This is such a meat-and-potatoes topic for Cisco folks.

1 (1).jpg

Check these points.

MHM

I can't believe that no one had any input on this. This is such a meat-and-potatoes topic for Cisco folks.

This is the Cisco community, not a consulting service or Cisco TAC, so you need to wait for other community members to read it and address it correctly.

At a high level your logical diagram should work as expected, if all physical connections are connected as expected.

That is the standard setup most campus networks use; my suggestions are below.

1. Regarding failover: it all depends on what you are looking to achieve. Both are possible, both ISPs active or active/passive (are both ISPs the same or different providers?).

2. If you control the BGP with your own IP block then you can do whatever you like, as long as both ISPs accept your IP subnet and announce it in their AS.

3. If the firewalls are capable of running BGP then I would avoid a switch between the FW and the provider router (that switch can be Layer 2).

4. If you are looking at firewall Active/Active, then your core needs to decide which traffic goes out each firewall and maintain that path until a path failure, then fail over based on the traffic engineering you want to do. This requires testing based on the config and product support.

BB