I am designing an almost isolated network which consists of a VPN stack (a firewall + router) that connects to another firewall, which hosts all these VLANs and connects to a layer 2 switch (attached is the raw diagram).
So for routing, should I just use a default route and send everything behind the firewall (internal subnets) up to the firewall and then up to the stack (which does dynamic routing), or use OSPF on the firewall with one area for behind the firewall (internal subnets) and another one in front of it (area 0) which connects to the stack?
Also, there will be other networks accessing this network through VPN (those connections will also terminate on the VPN stack).
The diagram is not quite clear to me. The "VPN stack" looks like a one-arm connected VPN appliance, but it is not clear whether it's a site-to-site VPN or a remote-access VPN. If it's a site-to-site VPN, how many sites are connected? Has OSPF already been enabled on the "VPN stack", and does it already have OSPF neighbors with the other sites?
From your diagram, everything looks very simple (e.g. no resilient path, no resilient device, only one way in and one way out). I can't see a strong reason to use OSPF on your internal firewall. So, more information is needed.
Looks like you only have a single exit from the internal FW to the VPN firewall/router, so a static default route would be applicable here, pointing to the LAN interface of the VPN stack. Because the VPN stack will be dealing with the dynamic routing, you wouldn't need any on the internal FW.
However, this would then mean the VPN stack would require static or summary routes for your internal LAN subnets pointing to your internal FW, unless the VPN stack is performing NAT.
So if you don't want to mess around with static routing, a simple OSPF stub area peering between the VPN stack and the internal FW would be applicable: the VPN stack would advertise a default route into the stub area of the internal FW and at the same time dynamically learn the LAN subnets.
Example:
- VPN stack: WAN interface - OSPF area 0; LAN interface - OSPF area 1 stub no-summary
- Internal FW: WAN interface - OSPF area 1 stub; advertise LAN subnets
Kind regards, Paul
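The two options in the answer above (static default route versus an OSPF stub area peering), written out as an added configuration example that is not from the original thread or from Cisco. It assumes both boxes speak IOS-style OSPF syntax (an ASA or FTD internal firewall uses different commands for the same settings); the interface names, the 10.255.0.0/30 transit link, the 192.0.2.0/30 WAN link, VLAN 10 and the 10.10.0.0/16 LAN summary are made up for the example.

```ios
!=== Option A: static routing only (no OSPF on the internal FW) ===
! Internal FW: one exit, so one default route towards the VPN stack's LAN interface.
ip route 0.0.0.0 0.0.0.0 10.255.0.1
!
! VPN stack: it must know the LAN subnets behind the internal FW (unless it NATs).
! One summary route covering all internal VLANs, pointed at the internal FW, then
! redistributed into OSPF so the remote VPN sites in area 0 learn it.
ip route 10.10.0.0 255.255.0.0 10.255.0.2
router ospf 1
 redistribute static subnets

!=== Option B: OSPF stub area between the VPN stack and the internal FW ===
! VPN stack (ABR between area 0 on the WAN/VPN side and totally stubby area 1).
interface GigabitEthernet0/0
 description WAN/VPN side - OSPF area 0 with the remote sites
 ip address 192.0.2.1 255.255.255.252
 ip ospf message-digest-key 1 md5 EXAMPLE-WAN-KEY
!
interface GigabitEthernet0/1
 description LAN side - transit link to the internal FW, OSPF area 1
 ip address 10.255.0.1 255.255.255.252
 ip ospf message-digest-key 1 md5 EXAMPLE-LAN-KEY
!
router ospf 1
 router-id 10.255.0.1
 area 0 authentication message-digest
 area 1 authentication message-digest
 ! "no-summary" makes area 1 totally stubby: the internal FW receives only a
 ! default route, not every inter-area prefix from the remote VPN sites.
 ! An ABR injects the 0.0.0.0/0 Type-3 LSA into a stub area automatically,
 ! so "default-information originate" is not needed for this.
 area 1 stub no-summary
 network 192.0.2.0 0.0.0.3 area 0
 network 10.255.0.0 0.0.0.3 area 1

! Internal FW (internal router of area 1; advertises the VLAN subnets).
interface GigabitEthernet0/0
 description WAN side - transit link to the VPN stack, OSPF area 1
 ip address 10.255.0.2 255.255.255.252
 ip ospf message-digest-key 1 md5 EXAMPLE-LAN-KEY
!
interface GigabitEthernet0/1.10
 description VLAN 10 (example internal subnet)
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
!
router ospf 1
 router-id 10.255.0.2
 area 1 authentication message-digest
 ! The stub flag must match the ABR or the adjacency never forms.
 area 1 stub
 ! No OSPF hellos on the VLAN interfaces: hosts must not be able to peer
 ! with the firewall and inject routes. Only the transit link is active.
 passive-interface default
 no passive-interface GigabitEthernet0/0
 network 10.255.0.0 0.0.0.3 area 1
 network 10.10.0.0 0.0.255.255 area 1
```

To check option B, `show ip ospf neighbor` on either side should show the peer in FULL state, `show ip route ospf` on the internal FW should contain a single `O*IA 0.0.0.0/0` via 10.255.0.1, and the same command on the VPN stack should list the VLAN subnets (e.g. `O 10.10.10.0/24`) via 10.255.0.2. The remote VPN sites in area 0 learn those VLAN subnets as inter-area routes; reachability is then decided by the internal FW's policy, not by routing, so the firewall rules still have to restrict what the remote sites may reach.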