Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
622
Views
5
Helpful
3
Replies

OSPF without area 0

Harmeet Singh
Level 1
Level 1

‎01-16-2021 03:11 AM

Currently I have 3 devices connected like as in attached diagram. FW-1 is now end of life and out of support. I don't want to buy a new firewall for replacement. I want to remove this firewall from production and shift subnet 20.x from this FW-1 to FW-2. There are 50 vlans in internal LAN on Core (Like as 40.x). Currently Core doesn't has default route configured. FW-1 has default route towards FW-2 and also has static-redistribution. Core is learning default route from FW-1 via OSPF. Now I am thinking 2 solutions here:

 

1. Remove FW-1 from network. Directly connect FW-2 with core switch. Change ip address on FW-2 internal port from 30.2 to 10.2. Create another zone on FW-2 with 20.X subnet. After that FW-2 will have 3 interfaces (10.x, 20.x and 50.x). Now delete OFPF arae id 100 from FW-2 and assign all 3 interface in OSPF area id 20. As I remove FW-1 from production, my core will lost default route because it is learning via OSPF from FW-1. I will configure manually default route in core towards 10.2 (FW-2). Now my entire network will be in OSPF area 20. There would be no area 0 and area 100.

 

2. Also thinking to remove OSPF from network. Just Remove OSPF from all 3 devices and remove FW-1 from network. Directly connect FW-2 with core switch. Change ip address on FW-2 internal port from 30.2 to 10.2. Create another zone on FW-2 with 20.X subnet. After that FW-2 will have 3 interfaces (10.x, 20.x and 50.x). Define a default route in core towards 10.2 (FW-2) and define all static routes in FW-2 (for all LAN subnet) towards 10.1 (Core) for reverse traffic.

 

Kindly suggest witch one is better for me and if there is 3rd way also, please let me know. Also if there is anything that I should keep in mind before start this change, kindly let me know. Thanks in advance.

Labels:
Preview file
66 KB
0 Helpful
3 Replies 3

balaji.bandi
Hall of Fame
Hall of Fame

‎01-16-2021 05:02 AM

As per the diagram, this is not a big network(i feel),  if you do not multiple exit points and there is no dynamic routing required if you have only 1 exit point.

 

So you can bring design all to FW2 connected to Core Switch - 

 

keep the same zone

 

Internal Zone

External Zone

DMZ Zone ( you did not mention FW2 ( DMZ zone what area belong to  ?)

 

with a bit of small downtime, you can achieve this, to remove your FW1 (moving those interface to FW2 and moving Physical or logical changes on Switch)

 

Hope no other devices hidden here?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Georg Pauwen
VIP
VIP

‎01-16-2021 05:09 AM

Hello,

 

what is the purpose of the DMZ ? This is typically for things like web servers etc. that need to be accessible from the outside. Do you need to keep this in the new design ?

0 Helpful

paul driver
VIP
VIP

‎01-17-2021 06:46 AM - edited ‎01-17-2021 06:48 AM

Hello
I would opt for option 1, but with a little tweak:

  1. Remove FW1
  2. Attach core sw to fw 2 (internal zone fw2)
  3. Change FW2 internal zone interface addressing for core switch and  ospf 20 into a stub area
  4. Relocate FW 1 DMZ on to a new zone of FW 2 same addressing same ospf area

The will advertise a default route to core switch and also will allow the same segregation you have now.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card