Currently I have 3 devices connected as in the attached diagram. FW-1 is now end of life and out of support. I don't want to buy a new firewall as a replacement. I want to remove this firewall from production and shift subnet 20.x from FW-1 to FW-2. There are 50 VLANs in the internal LAN on the Core (like 40.x). Currently the Core doesn't have a default route configured. FW-1 has a default route towards FW-2 and also has static redistribution. The Core is learning the default route from FW-1 via OSPF. Now I am thinking of 2 solutions here:
1. Remove FW-1 from the network. Directly connect FW-2 to the core switch. Change the IP address on the FW-2 internal port from 30.2 to 10.2. Create another zone on FW-2 with the 20.x subnet. After that FW-2 will have 3 interfaces (10.x, 20.x and 50.x). Now delete OSPF area id 100 from FW-2 and assign all 3 interfaces to OSPF area id 20. As I remove FW-1 from production, my core will lose the default route because it is learning it via OSPF from FW-1. I will manually configure a default route on the core towards 10.2 (FW-2). Now my entire network will be in OSPF area 20. There would be no area 0 and no area 100.
2. Also thinking of removing OSPF from the network. Just remove OSPF from all 3 devices and remove FW-1 from the network. Directly connect FW-2 to the core switch. Change the IP address on the FW-2 internal port from 30.2 to 10.2. Create another zone on FW-2 with the 20.x subnet. After that FW-2 will have 3 interfaces (10.x, 20.x and 50.x). Define a default route on the core towards 10.2 (FW-2) and define static routes on FW-2 (for all LAN subnets) towards 10.1 (Core) for reverse traffic.
Kindly suggest which one is better for me, and if there is a 3rd way also, please let me know. Also, if there is anything that I should keep in mind before starting this change, kindly let me know. Thanks in advance.
Hello, I would opt for option 1, but with a little tweak:
Attach the core switch to FW-2 (internal zone of FW-2)
Change the FW-2 internal zone interface addressing for the core switch and make OSPF area 20 a stub area
Relocate the FW-1 DMZ onto a new zone of FW-2, same addressing, same OSPF area
This will advertise a default route to the core switch and will also allow the same segregation you have now.
Please rate and mark as an accepted solution if you have found any of the information provided useful. This then could assist others on these forums to find a valuable answer and broadens the community’s global network.
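As an added example of the tweaked option 1 described in the answer above (this is not configuration from the original thread, and the firewall vendor is not stated there), here is an IOS-style configuration for the core switch and FW-2 after FW-1 is pulled. Everything is an assumption built from the post's short notation: /24 subnets (core-to-FW-2 link 10.0.0.0/24 with the core at .1 and FW-2 at .2, DMZ 20.0.0.0/24, LAN VLANs inside 40.0.0.0/16, FW-2 outside 50.0.0.0/24 with upstream gateway 50.0.0.1), interface names, and OSPF process number 1. One caveat the stub-area tweak carries: a stub area receives its default route from an ABR, and type-5 (redistributed) defaults cannot enter it, so FW-2 must keep an interface in a second area (area 0 on its outside interface here) to stay an ABR. If instead every interface is put in a single area 20 as option 1 originally states, area 20 must stay a normal area and FW-2 must use `default-information originate` rather than the stub default.

```cisco
! Added example, not from the original post. IOS-style syntax; adapt the
! FW-2 block to the firewall's own OSPF command set.
! Assumed addressing: core 10.0.0.1, FW-2 inside 10.0.0.2, DMZ 20.0.0.1,
! FW-2 outside 50.0.0.2, upstream gateway 50.0.0.1, LAN VLANs 40.0.0.0/16.

!===== Core switch =====
interface Vlan10
 description Link to FW-2 inside (replaces the 30.x link to FW-1)
 ip address 10.0.0.1 255.255.255.0
!
router ospf 1
 router-id 10.0.0.1
 passive-interface default
 no passive-interface Vlan10            ! only the FW-2 link forms an adjacency
 network 10.0.0.0 0.0.0.255 area 20
 network 40.0.0.0 0.0.255.255 area 20   ! all 50 LAN VLANs stay in area 20
 area 20 stub                           ! stub flag must match FW-2
!
! Floating static default (AD 250, higher than OSPF's 110): used only while
! no OSPF default exists, so the core keeps an exit during the cut-over.
ip route 0.0.0.0 0.0.0.0 10.0.0.2 250

!===== FW-2 =====
interface GigabitEthernet0/1
 description inside - core switch (re-addressed from 30.2)
 ip address 10.0.0.2 255.255.255.0
!
interface GigabitEthernet0/2
 description dmz - relocated from FW-1, same 20.x addressing
 ip address 20.0.0.1 255.255.255.0
!
interface GigabitEthernet0/0
 description outside
 ip address 50.0.0.2 255.255.255.0
!
router ospf 1
 router-id 10.0.0.2
 passive-interface default
 no passive-interface GigabitEthernet0/1
 network 10.0.0.0 0.0.0.255 area 20
 network 20.0.0.0 0.0.0.255 area 20
 network 50.0.0.0 0.0.0.255 area 0      ! second area keeps FW-2 an ABR
 area 20 stub no-summary                ! totally stubby: core gets 0/0 plus intra-area routes
!
ip route 0.0.0.0 0.0.0.0 50.0.0.1        ! FW-2's own exit; no redistribution needed

!===== Verification after cut-over =====
! core# show ip ospf neighbor    -> 10.0.0.2 in FULL state
! core# show ip route 0.0.0.0    -> "O*IA 0.0.0.0/0 ... via 10.0.0.2", not "S* ... [250/0]"
! fw-2# show ip ospf neighbor    -> 10.0.0.1 in FULL state
! fw-2# show ip route 40.0.0.0   -> LAN VLANs learned as O routes via 10.0.0.1
```

Two points to check before cutting over: first, confirm that the core's current default is the only route it learns from FW-1 (static redistribution can carry more than 0.0.0.0/0), since anything else FW-1 injects must either move to FW-2 or be dropped deliberately; second, the DMZ-to-LAN and LAN-to-DMZ policies that lived on FW-1 have no counterpart on FW-2 until the new 20.x zone and its rules are built, so write those rules on FW-2 before the DMZ interface goes live, otherwise the segregation the answer refers to is lost at the moment of the move.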