I was tasked to make the network redundant, yet simple, from the core out to the edge. (Please see the now.pdf for a look at the current setup.) Our sales vendor suggested doubling the L2 switches and setting up 2 EIGRP ASes. One AS would include the Internet routers and public switches while the other AS would include the ASAs down to the two 6509s. (Please see the proposed.pdf.)
I am not sure if their suggestion is a good way to go and would like some feedback.
Though we have two different data circuits, the secondary is there only as a backup, so all traffic passes through the primary Internet router. If I set up an AS with the 2 Internet routers each connecting to their own public switch, I feel like I'm adding more points of failure, especially if the public switches lose communication between each other. I did a little mock setup with old switches and routers and noticed both routers would become the active router (HSRP) and any traffic going down the secondary would go to la la land. Do you have any suggestions? I was thinking of keeping it the way it is.
As for the other AS, I am a bit confused. The ASAs are set up in active/failover, not active/active; how would the traffic routing work with EIGRP in place? Will the failover ASA pass traffic along? Also, one of the 6509s already has an EIGRP AS running, and I read it is not advisable to run multiple EIGRP ASes, but I don't understand why.
I hope this makes sense, I feel like it's mostly jumbled up in my head right now.
>> You mentioned using a single EIGRP AS from the border to the core; would this interfere with the EIGRP AS that is currently on one of the 6509s?
The idea is to use a single EIGRP AS number end to end from the border routers, the active ASA, and the core switches, so it needs to be the same EIGRP AS number currently running on the core switches. Of course a design using static routes may be good enough for your needs, especially in case of ASA switchover.
On the other hand, EIGRP provides a way to know if the border routers are working well; otherwise, if supported on the core routers, some form of object tracking can be a safety measure.
>> do you think it's useful to add another switch in between the ASAs and 6509s for physical redundancy?
This is absolutely needed to classify the design as a fault tolerant one: the network is fault tolerant when any single failure event of a link or a device doesn't break connectivity, so two switches are needed there, and for security they shouldn't be simply a different VLAN on the core switches. They can be basic L2 switches but they need to be two to satisfy redundancy requirements.
The suggestion to provide an iBGP link between the two border routers is wise. I don't think you need a dedicated link: if you deploy two LAN switches with an EtherChannel between them you should be fine; the iBGP session can run on the internal LAN of the border routers.
Hope this helps
I agree with Giuseppe here.
I had a customer case like this, and I think (maybe not the best, but) one of the best solutions you can do is to have HSRP on the border routers and let your ASAs use the VIP for that HSRP group.
And if you are using eBGP on your border routers, you may add an additional inter-router link and configure iBGP between them with a higher BGP local-preference from the primary.
In this case, if the LAN switch connected to the primary router or the LAN connectivity to it fails, the backup router will become the active HSRP router,
but because you have an inter-router link between them, the traffic will continue to flow through the primary link using the iBGP route toward the primary router
(you may need to put some routes for the returning traffic).
This means, as Giuseppe said, you don't need EIGRP in that area.
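The HSRP-plus-iBGP arrangement the last two replies describe, written out as an added example configuration that is not from the thread or any of its participants. All addresses, AS numbers, interface names and priority values are constructed, and the inter-router link is a dedicated point-to-point link as the reply above suggests.

```cisco
! R1, primary border router (constructed addresses, AS numbers and interfaces)
track 1 interface GigabitEthernet0/0 line-protocol
interface GigabitEthernet0/0
 description Primary ISP uplink (eBGP peer 198.51.100.1)
 ip address 198.51.100.2 255.255.255.252
interface GigabitEthernet0/1
 description LAN toward the public switches / ASA outside; ASAs default to the VIP
 ip address 192.0.2.2 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 1 decrement 20
interface GigabitEthernet0/2
 description Dedicated inter-router link to R2 (carries the iBGP session)
 ip address 10.255.255.1 255.255.255.252
router bgp 65001
 neighbor 198.51.100.1 remote-as 64501
 neighbor 198.51.100.1 route-map PREFER-PRIMARY in
 neighbor 10.255.255.2 remote-as 65001
 neighbor 10.255.255.2 next-hop-self
 network 192.0.2.0 mask 255.255.255.0
! Routes from the primary ISP get local-preference 200 (default is 100), so R2
! prefers R1's iBGP-learned paths over its own secondary ISP
route-map PREFER-PRIMARY permit 10
 set local-preference 200
! Return path for the LAN if Gi0/1 is down: explicit floating static via R2
ip route 192.0.2.0 255.255.255.0 10.255.255.2 250
!
! R2, backup border router: same HSRP group with lower priority, no route-map,
! so its own ISP routes keep local-preference 100 and lose to R1's
interface GigabitEthernet0/0
 description Secondary ISP uplink (eBGP peer 198.51.100.5)
 ip address 198.51.100.6 255.255.255.252
interface GigabitEthernet0/1
 ip address 192.0.2.3 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 priority 100
 standby 1 preempt
interface GigabitEthernet0/2
 ip address 10.255.255.2 255.255.255.252
router bgp 65001
 neighbor 198.51.100.5 remote-as 64502
 neighbor 10.255.255.1 remote-as 65001
 neighbor 10.255.255.1 next-hop-self
 network 192.0.2.0 mask 255.255.255.0
ip route 192.0.2.0 255.255.255.0 10.255.255.1 250
```

Note that HSRP hellos still travel over the LAN side (Gi0/1), not the inter-router link, so the two public switches must stay interconnected (Giuseppe's EtherChannel point) or both routers can go active at once, which is the behaviour the original poster saw in the mock setup.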