
Isolate Guest traffic from production across redundant WAN routers


Currently our guest traffic is separated from production traffic using a non-routed VLAN at a 6509 core trunked directly to an ASA.  Production rides a different VLAN.  No routing is needed with guest as it's all one broadcast domain.

The business is growing, and we are now looking at creating an 'edge' network that encompasses services such as WAN and firewalls.  The core is also changing to 6504s with VSS.  Our existing WAN connections were originally just routed ports in our core 6509, but we're also moving them out to redundant WAN routers so we can create tunnels across the WAN and take advantage of other router related features.  I'm trying to design a solution that'll work at six separate sites.

Problem I'm running into with this design is how to move the non-routed Guest traffic out to this services edge.  The goal would be to have an ASA connect to both WAN routers for redundancy, and have those legs isolated into two pieces.  One for guest internet traffic, and one for production management of the firewall as well as production user internet traffic.  I would prefer to use EIGRP to dynamically route back to the core.  Here's what I've looked at:

Using VRFs to isolate guest and production network.

A VRF would be created on the core 6500 for guest and extended through the WAN routers to end up as a VLAN on the ASA.  Production traffic wouldn't use a VRF and would just route as normal.

  • Problem is the ASA can't use multiple EIGRP instances (i.e. one for guest, one for prod), so I'd have to static route either the guest or the production traffic.  With a leg to each WAN router, that poses a problem if a router needs to be down for services.  Static routes with tracking or weighting might work, but this creates more administrative overhead.
  • It's an older ASA 5510, and from what I can find, it doesn't support VRFs so I can't extend them into the ASA (though I can use a trunk with VLANs and different security levels).  Even if VRFs were viable on these, I still have the EIGRP issue above.
  • I also thought about using GRE to tunnel from the core 6500 through the WAN routers to the ASA and dump guest traffic directly there (so the WAN routers would basically be transparent), but the ASAs don't support tunnel endpoint termination, so that won't work.
  • I then looked at multiple context mode but from what I can find dynamic routing protocols aren't supported in those, so I am back to static routes.

I had also considered having a port-channel to the core specifically to carry the guest non-routed traffic, then use routing through the WAN routers for production.  This would eat up additional valuable ports in the ASA and still limits flexibility.

I've also considered turning the routers into firewalls in IOS, but I'd rather avoid that process if possible.

What am I missing?  Is there another way to have these two networks isolated through this WAN layer and dynamically route for failover?  VRFs and ASA/guest architecture are newer concepts for me, so maybe I'm missing something simple.

I've attached two pictures, one is the old/current scenario, one is the new architecture I'm looking at.  The multiple links to the routers are meant to show multiple VRFs, not separate phy links, if that makes sense.

Any help/information/insight would be much appreciated!  Also, not sure if this should be in 'infrastructure route/switch' or 'security/firewalls'

1 Reply

paul driver
VIP Expert


Your core will be VSS, and I guess be performing inter-VLAN routing, so you could possibly apply a RACL on the guest SVI to negate any communication to the production VLANs.

Apply an IGP such as OSPF on the VSS linking to your WAN routers and on the WAN routers, which will advertise a default into your LAN core, and then redistribute the IGP into the WAN routers' BGP.

Lastly, apply PBR or some BGP attributes such as prepending and local preference for your LAN traffic between your WAN routers and ISP.



Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
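
The RACL on the guest SVI suggested in the reply above, sketched as an added IOS configuration example (not part of the original thread). VLAN 900, the 192.168.90.0/24 guest subnet and the ACL name GUEST-IN are constructed placeholders, and the example assumes production addressing sits inside RFC 1918 space:

```cisco
! Added example. VLAN ID, subnet and ACL name are constructed placeholders.
! Assumption: all production networks fall inside RFC 1918 ranges.
ip access-list extended GUEST-IN
 remark Allow guest clients to obtain and renew DHCP leases
 permit udp any eq bootpc any eq bootps
 remark Block guest traffic to every private (production) range
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark Anything left is internet-bound and is permitted
 permit ip any any
!
interface Vlan900
 description Guest SVI (placeholder VLAN)
 ip address 192.168.90.1 255.255.255.0
 ! Inbound on the SVI: filters traffic as it enters routing from guest hosts
 ip access-group GUEST-IN in
```

Because the deny entries also cover the guest subnet's own gateway address, guests can reach nothing on the switch itself except DHCP; `show ip access-lists GUEST-IN` shows per-entry hit counts for confirming the deny lines are matching.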