Cisco Support Community

New Member

Another design question (internet edge)

Hello, I have the opportunity to re-design our edge. Currently our edge is all private IP space; I'm not sure why it was done like this.

I'd like to add public IPs on our border routers, external firewall and our DC (6509s) external interfaces. Our DC currently connects straight to our external switches (3750s); eventually I'd like to move them behind the SRX firewall to our core switches. This is not possible at this time though.

My questions are as follows:

Please refer to the topology.

Do I need public IPs between our edge routers (MX5s) for iBGP?

Does the edge have to be in OSPF area 0 with the core, or is it better to have its own area like I have in the diagram?

Currently the edge routers have static routes going to the 6509s' HSRP VIP. Is this better than advertising them via OSPF?

Would our edge routers advertise a default route to the 6509s and to the SRX firewall? Or is it better to use a static default route pointing to the edge routers' VRRP VIP?

Is OSPF even needed if it weren't for BGP? (Just curious.)

Also, is it OK to leave the 6509s there, or is it better to have them connected to our core switches behind the SRX?

8 REPLIES

Another design question (internet edge)

First,

about where to put public IPs: it's up to you, because you can use NAT combined with private IPs as well.

For OSPF in area 1: I don't see a need for OSPF if you are running VRRP and HSRP; you can use either an IGP or VRRP/HSRP.

The default route can be static if you are using HSRP/VRRP, and over OSPF if you are using OSPF.

Hope this helps.

New Member

Another design question (internet edge)

I thought the edge needs public IPs, especially for firewalls/VPN devices.

Don't I still need an IGP for iBGP to work, or does it not matter since they're on the same subnet?

What is the best design in such a scenario, using FHRP or dynamic routing?

Another design question (internet edge)

Public IPs should be used on the outside interfaces, and NAT can be used for other devices; this will help you reduce the number of public IPs used for interfaces. If this is OK, then you can use public IPs end to end on your edge network without NAT. Also, for the VPN, a public IP without NAT is a good option to reduce VPN complexity with NAT.

For iBGP, if the session is going to be between two directly connected routers over one interface, no IGP is needed; if it's over multiple interfaces, an IGP or static route can be used.

The other option is to use an IGP and remove VRRP/HSRP from your design, and let the routing do the failover for the default route and other subnets.

An IGP is better because it is dynamic: no need to add a static route every time you add a new subnet. Also it is faster with tuned OSPF timers (but do not make the OSPF fast hello timer very low, as it will introduce instability to the network).

Hope this helps; if helpful, rate.
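As an added example (not from the thread), here is what the two options in the reply above look like on the Cisco 6509 side in IOS: the static default toward the edge routers' VRRP VIP as currently deployed, beside an OSPF area 1 configuration that learns the default from the edge routers instead, with moderately tuned timers. All addresses, VLAN 100, the interface names and the assumption that the MX5s originate a default into area 1 are constructed for illustration.

```cisco
! Added example, not from the thread. Addresses, VLAN 100 and
! interface names are constructed for illustration.

! --- Option A (as currently deployed): static default to the edge
! --- routers' VRRP VIP. Failover depends only on VRRP, and every
! --- new edge subnet needs another static route on the 6509.
ip route 0.0.0.0 0.0.0.0 203.0.113.1

! --- Option B: let OSPF do the failover. The edge VLAN becomes
! --- OSPF area 1; the core-facing link stays in area 0, so the
! --- 6509 is the ABR between the two.
interface Vlan100
 description Edge VLAN toward the MX5 edge routers
 ip address 203.0.113.11 255.255.255.0
 ! Tuned hello/dead (IOS default is 10/40 on a broadcast network).
 ! Faster than default without going to sub-second timers, which
 ! the reply warns introduce instability.
 ip ospf hello-interval 3
 ip ospf dead-interval 12

router ospf 1
 router-id 10.255.0.1
 ! Only form adjacencies on the edge VLAN and the core link.
 passive-interface default
 no passive-interface Vlan100
 no passive-interface TenGigabitEthernet1/1
 network 203.0.113.0 0.0.0.255 area 1
 network 10.0.0.0 0.0.255.255 area 0

! With option B the static default above is removed. 0.0.0.0/0 is
! then learned as an OSPF external route from whichever MX5 is
! originating it, so the second MX5 takes over automatically once
! the first one stops sending hellos (dead-interval, 12 s here).

! Verification: the default should show as an O E2 route via an
! MX5, and both MX5s should be FULL neighbors on Vlan100.
show ip route 0.0.0.0
show ip ospf neighbor
```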

New Member

Another design question (internet edge)

I'm confused about what you're saying and using NAT; where would NAT fit in at the edge? Wouldn't the outside interfaces be the ones facing my edge routers? And on the edge routers I have interfaces facing my ISPs and the edge; should the ones facing the edge be public? Or should I use a private subnet?

Currently the edge design VLAN is private; the only publics are on the interfaces to our ISPs.

Thank you

Another design question (internet edge)

Yes, the interfaces facing the ISP need to be public. Then you can use NAT at your edge device facing the ISP, NATing to your public range. This is easier because you don't need to re-address your network and run into downtime and other issues during this phase.

New Member

Re: Another design question (internet edge)

I understand that ISP interfaces are public, but I'm still confused about where NAT would fit in my topology; my NAT is done at our SRX device and the FWSMs in the 6500s.

In the topology attached to this reply, I have marked the interfaces with red circles; currently these are private. My question is, should these be public?

Thanks

Re: Another design question (internet edge)

You can, but it is not a must. You're right, the NAT can be done at the edge routers facing the ISPs or at any other device within your network such as the FWSM, as long as you have the correct routing that points to the right device.

Hope this helps.

New Member

Re: Another design question (internet edge)

So having private IPs in our edge is not necessary, but what is the recommended design? Also, you said using routing protocols is better at the edge for fast convergence; these all share a VLAN, does this matter?
