I have a typical dual FW-pair DMZ, with dual-homed servers on different Pvlans.
Now, when I want to send traffic to the inside FW (a 6509-FWSM), we use two 4948's with static routes pointing to the FWSM virtual DMZ interface. The 4948 have L3-interface uplinks connected to L2 links on the 720. However, if one 4948 link goes down, it has no alternate route to the FWSM, because the static route stays up in certain up/down situations. Now, to remedy this, we utilized HSRP object tracking, to force all the servers to the other 4948 if one loses its uplink. However, I was trying to setup something more efficient and hopefully more reliable, with load-balancing.
So, I'm trying to setup a L3 DMZ without having the FWSM run OSPF (I could do that, but I want to exhuast all other possible options first... as I want to segregate the routing and security). That leaves me with static routes (and the problem I described above -- unless there is someway to use floating static routes to link the 4948... like the possibility to use EOT to monitor static routes) or with a dynamic routing protocol between the Sup720 and the 4948s (which will soon be upgraded to 4506s Suv Vs, and hence the redesign).
Now if I run EIGRP/OSPF between the 720 and the 4506, all DMZ traffic destined to the inside will bypass the FWSM, because of the global routing table.
I was reading about VRF... and while most of what I read is about GRE tunnels and path segregation via VRF, it sounds possible that I could do the following.
Have a VRF instance on the 720 to peer with the 4506 vlan interface / physical interfaces. This will allow me to load balance traffic to the FWSMs easily. And then, is there a way I can add a static route in that VRF instance that points to the FWSM?
Is this possible at all? To put it simply, I want to just separate the routing table on the 720, one global one, and one teeny one that will only forward traffic to the FWSM. After that, the traffic will exit a different FWSM virtual interface, and be part of the global routing table again, correct?
Either way, possible or not, I appreciate the help... even me if its getting me back on track!
Just a thought.. How many private vlans do you have in your DMZ ? Also it sound like you have the layer 3 vlan interfaces on the 4948 switches in your DMZ - is this correct.
Using VRF will allow you to have separate routng tables if that is what you want although i woudl not like to say whether your particular setup would work without testing.
Typically though you do not want any L3 routing going on within your DMZ.
It depends on how many vlans exist within your DMZ but could you not remove the L3 vlan interfaces off the 4948's, change the uplinks to L2, make sure you have a L2 link between your 4948'S and then have the L3 gateway(s) on the FWSM.
Spanning-tree will do PVST+ so you can use both layer 2 links for traffic.
This way all traffic from your DMZ would have to go through an FWSM interface before it could be routed by the MSFC which sounds like what you want.
If i have misunderstood the topology please let me know.
We have approx 6 pvlans across two 4006s and two 4948s (soon to be 4 4506s for increased port density).
The 2 4006s are connected to a CSS, which is the default gateway for those servers to load-balance the server traffic.
The 4006s have l2 links to the 4948 in a partial mesh (no link between the 4006s). The 4948s have a link between eachother for the vlan interfaces (required for the CSS to route traffic to the FWSM if we choose the L3 'route').
I've contemplated making the 4948s layer 2 to the 720 (which houses the FWSM), and have the 720 be root and secondary root for the vlans.
However, something about me doesn't like STP running across 6 switches in a partial mesh. I could load balance with PVST, but some vlans have higher traffic then others... and convergence wouldn't be great. If one of the 4006s l2 link to the 4948 went down, and since he's not directly connected to root, thats up to 50 seconds I think. I guess maybe we could use rapid PVST... but it seems all the design guides say go l3, and so I was just trying to think it out.
With 4 4506s, it seems we can use the back 2 4506s as the L2 access switches with L2 uplinks (to trunk the vlan). The front 2 4506s could route the traffic to the 720 if he could manage a separate VRF for the specific VLAN interfaces. And then the VRF could just be redistributing a static route to FWSM.
This way, we can use flex-links on the back end 4506 for rapid convergence (I didn't get to that part yet, still thinking), and EIGRP/OSPF on the front end 4506s instead of static routes.
It seems doable, and would route efficiently. I just gotta find some documentation so I can see if it would work. Where is there a beginners guide to VRF? I search, but only come up with MPLS, or GRE tunnel VRF designs.
I guess thats why I dont know if what I'm saying is possible.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...