Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
800
Views
0
Helpful
6
Replies

WAN architecture

Jerome C.
Level 1
Level 1

‎03-07-2018 12:15 AM - edited ‎03-05-2019 10:02 AM

Hello

I would like to have your opinion.

 

We will deploy a new site. On this site, I will have a CPE router provided by our network provider. We plan to connect behind this CPE router, our Cisco router (ISR4331) and PaloAlto firewalls (cluster with 2 nodes).

 

Currently, I have no switch between our Cisco router (ISR4331) and our firewalls. Is-it mandatory to invest in a swtich to be able to connect our router and our PaloAlto firewalls or is-it possible to make a direct connecion between Cisco's router and our FW  cluster configured in actif/actif mode ?

 

BR

Labels:
0 Helpful
6 Replies 6

Julio E. Moisa
VIP Alumni
VIP Alumni

‎03-07-2018 02:08 AM - edited ‎03-07-2018 02:10 AM

Hi

I think you could discard the Router and install a switch or stack of switches (to avoid point of failures on your side) instead, it should be like:

 

                                         Firewall (active)

                                      / 

ISP Device ---- Switch         (cluster of firewalls)

                                      \

                                        Firewall (active or standby)   

 

 

Hope it is useful

:-)




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<
0 Helpful

Jerome C.
Level 1
Level 1
In response to Julio E. Moisa

‎03-12-2018 10:31 AM

Hello

 

Thank's. But in my case, I would like to avoid to add switch or stack of switch. I haven't these equipments avalaible.

 

My question is to know if we can do the same approch but to connect directly the FW1_eth1 on the Gi1/0/1 of the router, and FW2_eth1 on G1/0/2 as described in the following picture. If the FW1 is down, the trafic goes to FW2 through the Gi1/0/2 interface..

 

BR

Arch.jpg

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to Jerome C.

‎03-12-2018 11:20 AM

In general IOS routers will not allow you to configure 192.0.1.2 on one interface and 192.0.1.3 on another interface. The IOS would complain about overlapping addresses. There is an option that you may consider to achieve what you want which is to connect the two firewalls to two router interfaces. If you configure Integrated Routing and Bridging with the two router interfaces then you could connect the firewalls to the two router interfaces and achieve the redundancy that you want. With IRB you configure bridging on the two router interfaces, do not configure an IP directly on the router interface and configure a BVI interface which gets the IP address. You would not need the second IP address configured on the router. The BVI is a virtual interface and the address configured on it can be reached by either of the two physical interfaces.

 

HTH

 

Rick

HTH

Rick
0 Helpful

Julio E. Moisa
VIP Alumni
VIP Alumni
In response to Jerome C.

‎03-12-2018 11:21 AM

Hi

Yes you could do that, my sugestion is implement BVI on the router, the following link could be useful:

https://www.cisco.com/c/en/us/support/docs/lan-switching/integrated-routing-bridging-irb/200650-Understanding-Bridge-Virtual-Interface.html

So 2 interfaces on the router will be merged to be 1, so you can configure 1 IP address on the router to enable communication between these devices.

 

Hope it is useful

:-)




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<
0 Helpful

Jerome C.
Level 1
Level 1
In response to Julio E. Moisa

‎03-14-2018 09:23 AM

Hello

 

My configuration is not working. Find here the current diagram for our configuration and the Cisco's configuration deployed on my ISR4331. From my router, I can't ping 10.241.74.209 and from my FW, 10.241.74.212 is unreachable. The vlan used to connect FW and Cisco 10.241.74.208/29 is tagged 626...

 

Cisco configuration :

-----------------

interface GigabitEthernet0/0/0
no ip address
negotiation auto
service instance 100 ethernet
encapsulation dot1q 626
bridge-domain 100
!
!
interface GigabitEthernet0/0/1
no ip address
negotiation auto
service instance 100 ethernet
encapsulation dot1q 626
bridge-domain 100
!
interface BDI100
ip address 10.241.74.212 255.255.255.248

!

 

Arch.jpgBR

Jerome

 

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to Jerome C.

‎03-14-2018 03:21 PM

Jerome

 

I am a bit unclear about what you have done and the config that you posted. You describe the vlan used to connect FW to router as tagged 626. This implies connection through a switch on a trunk port. But the diagram shows a direct connection from FW to router. Who is doing the tagging?

 

If the Ethernet frames arriving on the router interface are in fact tagged then your configuration needs to address the tagging. It might look something like this

interface GigabitEthernet0/0/0

no ip address

negotiation auto

service instance 100 ethernet

encapsulation dot1q 626

rewrite ingress tag pop 1 symmetric

bridge-domain 100

 

Here is a link which has information about using BDI. I hope you find it useful

https://www.cisco.com/c/en/us/support/docs/lan-switching/integrated-routing-bridging-irb/200650-Understanding-Bridge-Virtual-Interface.html?dtid=osscdc000283

 

HTH

 

Rick

HTH

Rick
0 Helpful
Customers Also Viewed These Support Documents