Another design question(internet edge)

revolwireless
Level 1

Hello, I have the opportunity to redesign our edge. Currently our edge is all private IP space; I'm not sure why it was done like this.

I'd like to add public IPs on our border routers, external firewall and our DC (6509s) external interfaces. Our DC currently connects straight to our external switches (3750s); eventually I'd like to move them behind the SRX firewall to our core switches. This is not possible at this time though.

My questions are as follows:

Please refer to the topology.

Do I need public IPs between our edge routers (MX5s) for iBGP?

Does the edge have to be in OSPF area 0 with the core, or is it better to have its own area like I have in the diagram?

Currently the edge routers have static routes going to the 6509s' HSRP VIP. Is this better than advertising them via OSPF?

Would our edge routers advertise a default route to the 6509s and to the SRX firewall? Or is it better to use a static default route pointing to the edge routers' VRRP VIP?

Is OSPF even needed if it weren't for BGP? (Just curious.)

Also, is it OK to leave the 6509s there, or is it better to have them connected to our core switches behind the SRX?

8 Replies

Marwan ALshawi
VIP Alumni

First,

about where to put public IPs: it is up to you, because you can use NAT combined with private IPs as well.

For OSPF in area 1, I don't see a need for OSPF if you are running VRRP and HSRP; you can use either an IGP or VRRP/HSRP.

The default route can be static if you are using HSRP/VRRP, and over OSPF if you are using OSPF.

Hope this helps.

I thought the edge needs public IPs, especially for firewalls/VPN devices.

Don't I still need an IGP for iBGP to work, or does it not matter since they're on the same subnet?

What is the best design in such a scenario: using FHRP or dynamic routing?

Public IPs should be used on the outside interfaces, and NAT can be used for the other devices; this will help you reduce the public IPs that are going to be used for interfaces. If this is OK, then you can use public IPs end to end on your edge network without NAT. Also, for the VPN, a public IP without NAT is a good option to reduce VPN complexity with NAT.

For iBGP, if the session is going to be between two directly connected routers over one interface, there is no need for an IGP; if it's over multiple interfaces, an IGP or static route can be used.

The other option is to use an IGP and remove VRRP/HSRP from your design, and let the routing do the failover for the default route and other subnets.

An IGP is better because it is dynamic: no need to add a static route every time you add a new subnet. Also it is faster with tuned OSPF timers (but do not make the fast hello timer of OSPF very low, as it will introduce instability to the network).

Hope this helps; if helpful, rate.
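As an added illustration of the directly connected iBGP case described in the reply above (this is example configuration written for this page, not from the original thread or any of its participants; the interface name, addresses, ASN and ISP next hop are all assumed placeholders), here is the relevant Junos configuration for one of the two edge routers:

```junos
/* Added example, not from the thread: one of the two MX5 edge routers.
   Interface name, addresses and ASN are assumed placeholders. */
interfaces {
    ge-0/0/0 {
        description "Direct link to the second edge router (assumed)";
        unit 0 {
            family inet {
                address 192.0.2.1/30;
            }
        }
    }
}
routing-options {
    /* Placeholder private ASN */
    autonomous-system 64500;
    static {
        /* Static default toward the upstream ISP; next hop is assumed */
        route 0.0.0.0/0 next-hop 198.51.100.1;
    }
}
protocols {
    bgp {
        group ibgp {
            type internal;
            /* Peering on the link addresses rather than loopbacks: the
               neighbor is reachable via the directly connected route, so
               no IGP (or static route) is needed to resolve it. Peering
               on loopbacks would require an IGP or a static route to the
               peer's loopback. */
            local-address 192.0.2.1;
            neighbor 192.0.2.2;
        }
    }
}
```

The second router mirrors this with 192.0.2.2 as its local address and 192.0.2.1 as the neighbor. The static default corresponds to the "static if you are using HSRP/VRRP" option in the reply; with OSPF in the design it would instead be originated into OSPF with an export policy.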

I'm confused about what you're saying about using NAT; where would NAT fit in at the edge? Wouldn't the outside interfaces be the ones facing my edge routers? And on the edge routers I have interfaces facing my ISPs and the edge; should the ones facing the edge be public? Or should I use a private subnet?

Currently the edge design VLAN is private; the only public IPs are on the interfaces to our ISPs.

Thank you

Yes, the interfaces facing the ISP need to be public. Then you can use NAT at your edge device facing the ISP, using your public range. This is easier because you don't need to re-address your network and run into downtime and other issues during this phase.

I understand that ISP interfaces are public, but I'm still confused about where NAT would fit in my topology; my NAT is done at our SRX device and the FWSMs in the 6500s.

In the topology attached to this reply, I have marked the interfaces with red circles; currently these are private. My question is, should these be public?

Thanks

You can, but it is not a must. You're right, the NAT can be done at the edge routers facing the ISPs or at any other device within your network, such as the FWSM, as long as you have the correct routing that points to the right device.

Hope this helps.

So having private IPs in our edge is not necessary, but what is the recommended design? Also, you said using routing protocols is better at the edge for fast convergence; these all share a VLAN, does this matter?