12-16-2021 06:57 AM
Good morning everyone!
I've been tasked with figuring out a potential design utilizing Cisco FTD devices. Currently, there are a small handful of firewalls set up with crypto maps to a hub site. We are going to introduce two more sites into this. One of these sites we'd like to set up as a secondary hub for some basic resiliency.
Each site will have dual ISPs (The same ISP for primary and some cheap broadband for backup). Two or three sites will have FTDs set up in an active/passive pair. Backup ISPs will be tracked via IP SLA.
My initial idea is to switch to VTI-based tunnels and run BGP over them, while using some IGP for routes between the core switches and the firewalls at each site. I would also set up a tunnel per remote site on each hub per ISP connection. I was going to use path-preference for route manipulation (if needed).
Going with this sort of design would result in 2 tunnels per remote site on each hub and two tunnels per hub on each remote site. That means 12 tunnels on the hubs and 4 tunnels on the remote sites.
I don't think the number of tunnels is going to be hard to manage, but I'm worried that something isn't going to work properly.
I'm aware the future method of doing this would be some sort of SD-WAN deployment, but we'd like not to spend on new devices.
I'm coming from a DMVPN network which was rock solid and worked super well. Too bad ASA/FTD doesn't support DMVPN. I'm hoping for a similar set up, but without dynamic spoke to spoke tunnel creation.
As I now understand it, FMC 7.1 supports backup VTIs.
Would it be better to go with a full mesh design with backup VTIs and use a single BGP AS? Should we use full mesh and have each site in its own AS? Should I ditch the idea of using EIGRP or OSPF between the core and the firewall and just use BGP?
What are your thoughts on this?
Thanks for the help!
12-16-2021 10:46 AM
@chris_funa certainly each of your suggestions would work. A route-based VPN has faster failover but doesn't scale as well, compared to a policy-based VPN with a dynamic crypto map, which scales better but has slower failover.
Ultimately it's just a matter of preference.
Refer to this Cisco Live presentation, which compares policy-based vs. route-based VPN.
12-16-2021 12:46 PM
Thank you so much!
Any advice on the routing protocol choices if I were to go with a full route-based mesh?
At this point I have these options, right?
My initial reaction is to use multiple AS extending down to the core. Would make routing a bit more simple as we would only have to manage one routing protocol. Only complication with this is that we'd have to neighbor with every AS.
12-16-2021 12:58 PM
Well, the examples in the CL presentation use iBGP on the VPNs, so I'd go with that.
Between the Core and the Firewalls, go with BGP as well to keep things simple.
12-16-2021 01:20 PM
Thanks! I apologize, I replied to you before consuming the presentation.