Hello, I have the opportunity to re-design our edge. Currently in our edge it's all private IP space; I'm not sure why it was done like this.
I'd like to add public IPs on our border routers, external firewall and our DC (6509s) external interfaces. Our DC currently connects straight to our external switches (3750s); eventually I'd like to move them behind the SRX firewall to our core switches. This is not possible at this time though.
My questions are as follows:
Please refer to the topology.
Do I need public IPs between our edge routers (MX5s) for iBGP?
Does the edge have to be in OSPF area 0 with the core, or is it better to have its own area like I have in the diagram?
Currently the edge routers have static routes going to the 6509s' HSRP VIP; is this better than advertising them via OSPF?
Would our edge routers advertise a default route to the 6509s and to the SRX firewall? Or is it better to use a static default route pointing to the edge routers' VRRP VIP?
Is OSPF even needed if it wasn't for BGP? (just curious)
Also, is it OK to leave the 6509s there, or is it better to have them connected to our core switches behind the SRX?
Public should be used on the outside interfaces, and NAT can be used for other devices; this will help you reduce the public IPs that are going to be used for interfaces. If this is OK, then you can use public IPs end to end on your edge network without NAT. Also, for the VPN, a public IP without NAT is a good option to reduce VPN complexity with NAT.
For iBGP, if the session is going to be between two directly connected routers over one interface, there is no need for an IGP; if it's over multiple interfaces, an IGP or static route can be used.
The other option is to use an IGP and remove VRRP/HSRP from your design and let the routing do the failover for the default route and other subnets.
An IGP is better because it is dynamic; there is no need to add a static route every time you add a new subnet. Also, it is faster with tuned OSPF timers (but do not make the fast hello timer of OSPF very low, as it will introduce instability to the network).
I'm confused about what you're saying and using NAT; where would NAT fit in at the edge? Wouldn't the outside interfaces be the ones facing my edge routers? And on the edge routers I have interfaces facing my ISPs and the edge; should the ones facing the edge be public? Or should I use a private subnet?
Currently the edge design VLAN is private; the only publics are on the interfaces to our ISPs.
Yes, the interfaces facing the ISP need to be public; then you can use NAT at your edge device facing the ISP to NAT using your public range. This is easier because you don't need to re-address your network and run into downtime and other issues during this phase.
You can, but it is not a must. You're right, the NAT can be done at the edge routers facing the ISPs or at any other device within your network, such as an FWSM, as long as you have the correct routing that points to the right device.
So having private IPs in our edge is not necessary, but what is the recommended design? Also, you said using routing protocols is better at the edge for fast convergence; these all share a VLAN, does this matter?