04-29-2014 05:59 PM - edited 03-04-2019 10:52 PM
Hello support community,
I'm hoping that you can provide some advice on some design questions. I'm trying to come up with the best way to set up a highly available, redundant, and secure (from the public) connection between an ASR1001, a pair of 3750Xs, and firewalls. I'm using OSPF as my IGP.
My current design is like this:
On the 3750X, run OSPF on 1 x SVI, and connect the firewalls and ASR onto a layer 2 access port on the 3750X (onto the public access VLAN).
On the ASR, use 1 loopback and connect to the 3750X using L3 ports, run OSPF on these ports, and redistribute the static loopback, or maybe use a bridge domain interface instead?
On the firewall, use 1 loopback and connect to the 3750X using L3, run OSPF on these ports, and redistribute the static loopback. These connections would terminate on the 3750X onto the public or private L2 VLAN access ports.
My questions are:
1. What suggestions do you have for an OSPF p2p connection between my ASR and a pair of 3750Xs, considering that the ASR is an internet router and data will need to hit the firewall first? Do you have any samples that you can share?
2. Should I go with a single backbone area instead of a multi area design?
3. Would BFD be recommended in this scenario?
I appreciate your tips; please see the diagram.
Thanks,
Delmiro
05-07-2014 06:43 PM
Does anyone want to take a stab at this? :)
Wondering if there are any articles or Cisco Validated Design documents that you can point me to; I would appreciate it.
05-08-2014 08:05 AM
a
05-07-2014 11:36 PM
Hello.
Per the attached diagram, you have only one external connection (I mean the ASR); that is why I would suggest not involving the ASR in the routing process, as it gives you no benefit.
Actually, your firewalls (I assume these are ASAs) should run in failover, possibly configured with 3 interfaces: inside, outside, and DMZ. If you don't need much dynamic routing here, then the ASA may have a default static route toward the ASR and a summary static route toward the VRRP address on the 3750. If you want dynamic routing, you may run 2 OSPF processes on the ASAs (inside and outside).
Per your question:
1 - you mustn't have a common L3 subnet between the ASR and the 3750 (unless you run the ASA in transparent mode);
2 - I wouldn't extend the internal routing process to the ASR, as it might compromise your network (unless you have some specific requirements);
3 - not sure if the ASA can participate in BFD.
PS: a single ASR doesn't look like a redundant node.
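To make the static-routing variant of the design above concrete, here is an added configuration sketch (not from the original thread or from Cisco documentation) for the ASA failover pair and the inside SVI on the 3750X pair. All addresses, interface names, the failover link name FOLINK and the VRRP group number are constructed for illustration; the point is that the ASR stays outside the IGP, the ASA points a default route at the ASR and a summary route at the 3750X VRRP address, and the standby unit inherits the same configuration through failover.

```text
! ---- 3750X (each member of the pair; constructed addresses) ----
! Inside SVI toward the ASA pair. VRRP gives the ASA one stable next hop.
interface Vlan10
 description Inside link to ASA failover pair
 ip address 10.10.10.2 255.255.255.0      ! second switch uses .3
 vrrp 1 ip 10.10.10.1                     ! virtual gateway the ASA routes to
 vrrp 1 priority 110                      ! lower priority on the second switch
!
! Internal OSPF stays on the inside SVI only; no OSPF toward the ASR.
router ospf 1
 network 10.10.10.0 0.0.0.255 area 0
 ! Summary default into the IGP pointing at the ASA inside address
 default-information originate
ip route 0.0.0.0 0.0.0.0 10.10.10.10

! ---- ASA (primary unit; failover replicates this to the secondary) ----
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.10 255.255.255.0 standby 10.10.10.11
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0 standby 192.168.50.2
!
! Active/standby failover over a dedicated link (constructed link name and subnet)
failover
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
!
! Default static toward the ASR (203.0.113.1 is the ASR's inside address here)
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
! Summary static for the whole internal range toward the 3750X VRRP address
route inside 10.0.0.0 255.0.0.0 10.10.10.1 1
```

If dynamic routing is preferred instead of the two static routes, the same ASA can run a separate OSPF process per side (for example `router ospf 1` with the inside network and `router ospf 2` with the outside network), which keeps the inside and outside topologies from being merged into one routing domain; the ASR still does not need to join the internal process in either variant.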