03-13-2008 06:31 PM - edited 03-05-2019 09:45 PM
I have a border security/EDGE design question. Attached is my Network.
I have 2 x 7606 routers each with sup720-3bXL accepting 2 BGP Full IP feeds each advertising a /22 PI address space.
All 1Gbps links between routers/switches.
I have 2 x 6506 with sup720-3b and FWSM in each serving as the Data Center core.
The FWSMs are running in active/active failover; each has an active context and does NATing for specific networks.
Also, each 6506 has its own default route that points to its FWSM as the default gateway (so I can make full use of each firewall).
The FWSM has an active context on each which has 2 default gateway static routes with different metrics.
For inbound traffic, the 7606 routers have static routes that point to each FWSM on the 6506s for the specific networks that each FWSM NATs, to prevent asymmetric routing off the FWSMs.
My question is, how can I optimize my edge layer?
1. Even if my firewalls weren't running in active/active context mode, how do I properly set up connectivity between the 7606s and the FWSMs?
Meaning, Cisco says a default route from the firewall is mainly used, but what if you have a situation like this where 2 edge routers are used? Other than what I have implemented on my diagram, how do you efficiently make use of both routers?
2. Does HSRP/GLBP make sense on the 7606's?
3. Routing in the core does not utilize the FWSMs other than for traffic destined for external networks. Does it make any sense to move the FWSMs into the 7606s? Currently traffic has to pass through the FWSM before it touches the MSFC. I have the FWSM external ports facing the 7606. If traffic is allowed, it gets forwarded to the layer 3 switch.
Anyone who has time to answer these questions and critique, I will be most grateful, as this is the way to master data center routing/switching design, from you guys!
03-13-2008 06:33 PM
03-14-2008 12:48 AM
Hi
1) You can run a routing protocol between your FWSMs and the 7600 routers if you want to use both paths. The FWSMs will participate in OSPF, so you could redistribute BGP into OSPF or, a better choice, advertise 2 default routes back to the FWSMs from the 7600s.
The only issue you may then get is asymmetric routing, but assuming FWSM v3.x this should not be a problem.
2) The answer to this really depends on what you do in 1). If you run OSPF between the FWSM and the 7600s then you don't need HSRP or GLBP. If you don't use OSPF then yes, you could use HSRP and use this as the next hop on the FWSMs. GLBP doesn't really gain you that much here as the source rarely changes, i.e. the FWSMs.
3) I would leave the FWSM's where they are. This gives you more flexibility in future.
I can't see a lot wrong with the design as is. As your external links are 2 x 100Mb/s per 7600 router, you don't really need to load-balance from each FWSM up to the 7600s.
The only thing I would say is: are you planning to utilise the FWSMs for more than just sitting in front of the MSFC? If you are running in single context mode then they are a rather expensive option to just protect the MSFCs. And running L3 back to the distro limits your options in terms of FWSM deployment. Remember that the core is not always the best place to firewall.
But these really are minor points, and it may well be that you are only presenting the edge connectivity.
HTH
Jon
03-14-2008 07:02 AM
Thanks Jon,
I'm running the FWSM 3.1(7) image and there is no option for running OSPF in an active/active context, so I don't think this is an option.
Without OSPF on the FWSM, are there any other options for me for connectivity between the FWSM and the 2 edge routers?
03-14-2008 08:02 AM
"there is no option for running OSPF in Active/Active"
Good point and something I had overlooked. You can only run a dynamic routing protocol in single context mode.
You could have 2 equal-cost paths from each FWSM to each 7600, although I would like to test this to make sure it did indeed work as expected.
You could move the FWSM back behind the MSFC so that the 6500s could peer with the 7600s, but I wouldn't recommend this without knowing what else was routing on the 6500. And this is prone to errors in configuration.
Finally, you could run the FWSMs in transparent mode and peer the MSFCs on the 6500s with the 7600s.
Overall though, I think what you have will be fine unless you notice that some of the links are getting overutilised.
Jon
03-14-2008 09:46 AM
You know what, as dumb as it seems, I have never created 2 default static routes; I always changed the metric.
You just solved my problem and I can't believe how easy it was.
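To make Jon's "2 equal-cost paths" suggestion and the follow-up about metrics concrete, here is an added configuration example. It is not from the original thread, the attached diagram, or Cisco documentation; the context name, VLAN, and addresses (192.0.2.0/29 for the FWSM-to-7606 link, 203.0.113.0/26 as the NATed pool inside the /22) are made up. It assumes both 7606s sit on the same VLAN as the FWSM context's outside interface, because the FWSM only load-shares equal-cost static routes that share one interface.

```cisco
! ---- FWSM 3.1 context "ctxA" on 6506-1 (hypothetical names/addresses) ----
! Before: two defaults with different metrics. Only the metric-1 route is
! installed; the metric-10 route is a floating backup, so 7606-2 carries no
! outbound traffic from this context until 7606-1's path fails.
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
route outside 0.0.0.0 0.0.0.0 192.0.2.3 10

! After: identical metric on the same interface. The FWSM installs both
! next hops and shares new outbound connections across the two 7606s.
no route outside 0.0.0.0 0.0.0.0 192.0.2.3 10
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
route outside 0.0.0.0 0.0.0.0 192.0.2.3 1

! Check from the context: both 0.0.0.0/0 entries should appear as
! candidate default routes (this is what Jon says he would want to verify).
show route

! ---- 7606-1 (7606-2 is identical except for its own address, 192.0.2.3) ----
! Return traffic for the pool that ctxA NATs is pinned back to ctxA's
! outside address, so replies never land on the other 6506's context and
! get dropped for lacking a connection entry (the asymmetric-routing case
! the original poster already guards against with per-pool statics).
interface GigabitEthernet1/1
 description to 6506-1 FWSM ctxA outside (VLAN 100)
 ip address 192.0.2.1 255.255.255.248
!
ip route 203.0.113.0 255.255.255.192 192.0.2.2
```

Two caveats a practitioner would want: the shared-interface requirement above is what allows the equal-cost form to work without OSPF in multi-context mode, and the inbound statics on the 7606s must be kept in step with every `nat`/`global` pool on the contexts, since any pool missing a matching static will produce exactly the asymmetric flow the design is trying to avoid.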
03-14-2008 11:10 AM
:-)
Sometimes the simplest things are overlooked among all the details.
Glad to have helped and appreciate the rating.
Jon