I have a border security/edge design question. Attached is my network.
I have 2 x 7606 routers, each with a Sup720-3BXL, accepting 2 BGP full IP feeds, each advertising a /22 PI address space.
All 1Gbps links between routers/switches.
I have 2 x 6506 with a Sup720-3B and an FWSM in each, serving as the data center core.
The FWSMs are running in active/active failover; each has an active context and does NATing for specific networks.
Also, each 6506 has its own default route that points to its FWSM as the default gateway (so I can make full use of each firewall).
The active context on each FWSM has 2 default gateway static routes with different metrics.
For inbound traffic, the 7606 routers have static routes that point to each FWSM on the 6506s for the specific networks that each FWSM NATs, to prevent asymmetric routing off the FWSMs.
My question is, how can I optimize my edge layer?
1. Even if my firewalls weren't running in active/active context mode, how do I properly set up connectivity between the 7606s and the FWSMs? Meaning, Cisco says a default route from the firewall is mainly used, but what if you have a situation like this where 2 edge routers are used? Other than what I have implemented in my diagram, how do you efficiently make use of both routers?
2. Does HSRP/GLBP make sense on the 7606s?
3. Routing in the core does not utilize the FWSMs other than for traffic destined for external networks. Does it make any sense to move the FWSMs into the 7606s? Currently traffic has to pass through the FWSM before it touches the MSFC. I have the FWSM external ports facing the 7606. If traffic is allowed, it gets forwarded to the layer 3 switch.
Anyone who has time to answer these questions and critique, I will be most grateful, as this is the way to master data center routing/switching design, from you guys!
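To make the described design concrete, here is an added configuration sketch that is not from the thread or any Cisco document: one FWSM context with two default routes of different metrics toward the two 7606s, the 6506 MSFC defaulting to its own FWSM context, and the 7606 pair pinning each NATed range to the context that owns the translation. All VLAN numbers, interface names, context names and addresses are constructed placeholders (the PI block is assumed to be 203.0.112.0/22 purely for illustration), and the FWSM syntax is the PIX/FWSM 3.x style.

```cisco
! ===== FWSM-A, active context ctxA (in 6506-A) =====
! Placeholder addressing; "outside" faces the 7606 pair, "inside" faces the 6506-A MSFC.
interface Vlan100
 nameif outside
 security-level 0
 ip address 192.0.2.11 255.255.255.0
!
interface Vlan200
 nameif inside
 security-level 100
 ip address 10.1.0.2 255.255.255.0
!
! Two default routes with different metrics, as in the question:
! metric 1 -> 7606-A (preferred), metric 10 -> 7606-B (backup).
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
route outside 0.0.0.0 0.0.0.0 192.0.2.2 10
!
! The internal network this context NATs, mapped into one /24 of the placeholder PI block.
static (inside,outside) 203.0.113.0 10.1.0.0 netmask 255.255.255.0
!
! ===== 6506-A MSFC =====
! Default route to its own FWSM context (each 6506 uses its local firewall).
ip route 0.0.0.0 0.0.0.0 10.1.0.2
!
! ===== 7606-A and 7606-B (identical on both) =====
! Inbound: each NATed public range is routed to the FWSM context that holds the
! translation, so return traffic enters the same context and flows stay symmetric.
ip route 203.0.113.0 255.255.255.0 192.0.2.11
ip route 203.0.114.0 255.255.255.0 192.0.2.12
```

One caveat worth checking in a lab: the higher-metric default route on the FWSM only takes over once the metric-1 route leaves the routing table. With both next hops on the same outside VLAN, that happens when the FWSM's outside interface goes down, not when 7606-A itself fails while the switch link stays up, so a failure of the preferred router can leave the context forwarding into a black hole. That behaviour is part of why the HSRP/GLBP question in item 2 matters for this topology.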
"there is no option for running OSPF in Active/Active"
Good point, and something I had overlooked. You can only run a dynamic routing protocol in single context mode.
You could have 2 equal-cost paths from each FWSM to each 7600, although I would like to test this to make sure it did indeed work as expected.
You could move the FWSM back behind the MSFC so that the 6500s could peer with the 7600s, but I wouldn't recommend this without knowing what else was routing on the 6500. And this is prone to errors in configuration.
Finally, you could run the FWSMs in transparent mode and peer the MSFCs on the 6500s with the 7600s.
Overall, though, I think what you have will be fine unless you notice that some of the links are getting overutilised.