Two ISPs with Two 2821 Routers. Is my diagram correct? Can I do this?

Dec 17th, 2009

Hello,

Currently my network has two separate ISP providers with two separate 2821 routers. This equipment is also in different locations. See diagram (edge_diagram). I would like to modify this configuration to take advantage of some redundancy. If you look at edge_diagram_update, what I have there, will this work?


To connect the 2821 Router to the other firewall I plan on using a sub interface off of the current inside interface.  This will run through the 10GE connection I have between the two sites via the Core cat 6500 switches.

I was also planning on running iBGP between the two routers, again via the 10GE link.


I have one unused interface on each firewall; I would be using this for the failover connection between each firewall.


I'm not sure what else to say, so I hope this is enough information for someone to help me out.


Thanks


Mike.

Giuseppe Larosa Thu, 12/17/2009 - 11:37

Hello Mike,

The proposed setup looks correct.


Both the iBGP session and the FW failover will go over the 10GE link?


If this is the only link, the problem can be when this fails.


Also, the internal VLAN of the edge routers should be carried as well, to build a single IP subnet with the two edge routers and the two firewalls.

The edge routers have to provide a virtual router with HSRP or use a dynamic routing protocol.


So the 10GE link has to be an L2 trunk carrying three VLANs (unless the iBGP session is terminated on the internal LAN; in this case only two).

These are in addition to the VLAN(s) used to interconnect sites.


Also, it is important that if the firewalls are now acting standalone, conversion to a FW pair is possible but requires attention.


Hope to help

Giuseppe

MICHAEL CICCONE Thu, 12/17/2009 - 11:44

Giuseppe,

Thanks for the reply. Yes, currently the 10GE is the only connection between the sites, so all communications will go over this same connection. I see your point about a problem should this link go down. I will have to address that as well. The 10GE is a layer 2 trunk, which carries several VLANs already.


Thanks


Mike C.
