BGP and internal core redundancy

Unanswered Question
Feb 25th, 2014

So I have a couple of questions and was curious about what the community here thought about this theory.  We are colo'ing a rack for redundancy offsite and have a single layer 2 connection between that and our main location (dedicated fiber).  We have an ISP at the colo facility and a different ISP at our main location.  We're planning to announce our public /24 via BGP and a public AS to both providers to provide redundancy for our /24 both incoming and outgoing.


I've attached a basic picture of this environment for what we want to do.  For the moment ignore the single point of failure between the switches/ISP/locations, those will be redundant soon.


My questions are these:


1)  For redundancy between the firewalls and the routers, is Layer 2 or Layer 3 recommended?

2)  If we go Layer 3, I assume we would need to use public IPs on those links and not private reserved IPs?  (Wouldn't the private IPs show up in a traceroute/etc.?)

3)  I've read a lot about spanning tree, HSRP, VRRP, OSPF redistribution, etc.  I'm having a hard time figuring out exactly what tech/protocols to use for making the area between the routers and the firewalls redundant.




Thanks,

Nick

Vasilii Mikhail... Wed, 02/26/2014 - 00:08

Hello, Nick.


>1)  For redundancy between the firewalls and the routers, is Layer 2 or Layer 3 recommended?

Here you need to note what HA options you have on your FW.

If you are implementing ASA, then you need L2 (outside interface on both FWs should be in the same VLAN).


>2)  If we go Layer 3, I assume we would need to use public IP's on those links and not private reserved IP's?  (Wouldn't the private IP's show up like in a traceroute/etc?)

Looks like you are not going with L3, but:

You may use any private IP address between router and FW; you are right that this could affect traceroutes (originated from the internet), but do you really need them?


>3)  I've read a lot about spanning tree, HSRP, VRRP, OSPF redistribution, etc.  I'm having a hard time figuring out exactly what tech/protocols to use for making the area between the routers and the firewalls redundant.

I think that first of all you need to design your routing for the public prefix and how all your WAN routers are going to exchange (?) BGP. And you need to design how outgoing traffic will choose the right WAN link.


Sometimes simple HSRP could be enough on WAN routers (if you want Active/Passive).

Vasilii Mikhail... Wed, 02/26/2014 - 00:13

Actually I would suggest having a unique /24 prefix per location (as I guess that the ISP won't accept a /25), because announcing a single /24 could affect your production in case the fiber link goes down.


I would suggest following diagram:

123.png


Surely you have a single fiber, but a couple of VLANs are in the trunk (so SW1/SW3 could be a single router).

SW1 and SW2 should run IGP over VL12 and with FW1/FW2. This will allow you to exchange traffic between LAN and DMZs.

Subnet SW1-FW1 should be a dedicated L3 segment (VLAN 101?); the same with SW2/FW2 (VLAN 201?).


VL99 allows your WAN routers to communicate with each other and FW1/FW2.


Per my understanding there is no need for 2 WAN routers per location, unless the ISP provides you 2 links.

nhubacek1 Wed, 02/26/2014 - 05:48

Thank you very much for your advice, it's given me a lot to think about.   We wanted to go with our current /24 only as we honestly don't need additional IPs; we're not using enough of our current /24 and can easily split that between locations as two /25s.


As for Q2) Above:

Wouldn't a private IP range be a hop for external traffic coming inbound?  I imagine we would want to avoid anything in 10.0.0.0/8, 192.168.0.0/24, etc. from showing up in the external routing tables....


We're talking about making the WAN side routers a Layer 3 switch that can handle default-route-only BGP, like a WS-C3750G-24T-E.  The FW side could be generic Juniper/pfSense/ASA/PIX/whatever.


Thanks again for your time!

Vasilii Mikhail... Wed, 02/26/2014 - 07:45

Hello, Nick.


>As for Q2) Above:

Wouldn't a private IP range be a hop for external traffic coming inbound?  I imagine we would want to avoid anything in 10.0.0.0/8, 192.168.0.0/24, etc. from showing up in the external routing tables....


Your BGP routers will be announcing 1.1.1.0/24 via a public IP address (2.2.2.2 in your picture).

Nobody will see your private transit addresses in their RIBs, as 1) they won't accept the route, 2) you won't announce the route.


>We're talking about making the WAN side routers a Layer3 switch that can handle default-route only BGP, like a WS-C3750G-24T-E.

Not sure if it's a good idea to use an L3 switch whenever you could use a cheaper router (and a router could do much more than a switch).
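The two policy points in the reply above (you only announce the public /24, and the ISP would not accept the private transit links or, as assumed earlier in the thread, a /25 anyway) can be checked against a routing table before touching a router. The following is an added example written for this thread, not code from any of the posters or from Cisco; it uses the thread's placeholder prefix 1.1.1.0/24, a constructed RIB with hypothetical transit subnets (10.99.0.0/30 for VL99, 10.101.0.0/30 for VLAN 101), and an assumed ISP policy of "no RFC 1918, nothing longer than /24", which is typical but varies per provider.

```python
"""Model the outbound BGP announcement policy discussed in the thread.

Added example, not the original posters' configuration. The prefix
1.1.1.0/24 and the 10.x transit links are the thread's placeholders /
constructed values, and the ISP acceptance rules are an assumption.
"""
import ipaddress

# Space a transit ISP will not carry: RFC 1918 plus loopback and link-local.
NON_ROUTABLE = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Constructed RIB for one WAN router: the public aggregate, the two /25s
# (one per site), the private router/firewall transit links, and the
# default route learned from the ISP.
SAMPLE_RIB = [
    "1.1.1.0/24",     # public aggregate, meant for both ISPs
    "1.1.1.0/25",     # main-site half of the /24
    "1.1.1.128/25",   # colo half of the /24
    "10.99.0.0/30",   # VL99: WAN router <-> WAN router / FW transit (private)
    "10.101.0.0/30",  # VLAN 101: SW1 <-> FW1 transit (private)
    "0.0.0.0/0",      # default route from the ISP
]


def outbound_filter(rib, owned, max_len=24):
    """Prefixes the router announces: subnets of the owned public block
    no longer than max_len. This is what an outbound prefix-list such as
    'permit 1.1.1.0/24 le 24' does; private transit never matches it."""
    owned_net = ipaddress.ip_network(owned)
    announced = []
    for prefix in map(ipaddress.ip_network, rib):
        if prefix.version != owned_net.version:
            continue
        if prefix.subnet_of(owned_net) and prefix.prefixlen <= max_len:
            announced.append(prefix)
    return announced


def isp_accepts(prefix):
    """Assumed inbound policy on the ISP side: drop non-routable space,
    drop a default route, and drop anything longer than a /24."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen == 0:
        return False
    if any(net.subnet_of(bogon) for bogon in NON_ROUTABLE):
        return False
    return net.prefixlen <= 24


def announced_and_accepted(rib, owned, max_len=24):
    """What the ISP actually installs: our outbound filter, then theirs."""
    return [p for p in outbound_filter(rib, owned, max_len) if isp_accepts(p)]


if __name__ == "__main__":
    # Even with a loose outbound filter (le 25), the /25s are still dropped
    # by the assumed ISP policy, so only the aggregate reaches the internet.
    for max_len in (24, 25):
        print(f"le {max_len}: announce {outbound_filter(SAMPLE_RIB, '1.1.1.0/24', max_len)}")
        print(f"        ISP keeps {announced_and_accepted(SAMPLE_RIB, '1.1.1.0/24', max_len)}")
```

The point the model makes visible is that the private transit subnets are never a candidate for announcement under a prefix-list keyed to the owned block, and that splitting the /24 into two /25s only helps against the fiber failure if the providers agree to carry the /25s; with the assumed policy they do not, so the colo site would still depend on the aggregate announced from wherever the /24 originates.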
