Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

Routers and Firewalls design

Hi all,

Note: No configuration is done yet, we are presenting this design to a customer. just need your feedback as to whether this design is correct.

i have attached the diagram as well

I have a very simple requirement. I have 2 core routers (2901) that are needed to connect to 2 5512-x firewalls that will be configured in Active/failover mode.

Design 1:

Both core routers will have dual connection to 2 firewalls (which are further connected to core switch). That means each firewall will have 2 outside interface but then how will i configure both these interfaces ? i mean do i need 2 layer 3 connections on both routers and then some routing protocol to manage the traffic ? or is there some other way of doing it ? ( i am totally lost here, i drew the diagram but i dont know how the traffic shall flow)

Design 2:

Both core routers and firewalls will be connected to a switch. Then i think we need to run HSRP/VRRP on both routers and firewalls will be routing traffic to the virtual ip ?

I am a bit lost here as to how achieve HA design in this scenario. I am not asking for any configuration just want to know how to set this up.

Pls guide me

7 REPLIES
Hall of Fame Super Blue

Routers and Firewalls design

Jonn

Do you need both routers to be active or is one primary and the other secondary ?

And the firewalls, when you say active/failover you mean active/standby yes ?

Jon

Community Member

Routers and Firewalls design

Sir,

Both routers are primary (there is one isp connected to each router)

Yes sir i meant active/standy (sorry for the typo)

Please guide

Hall of Fame Super Blue

Re: Routers and Firewalls design

Jonn

Generally speaking you would use a switch to interconnect the firewalls to the routers. The routers would use IP of the active firewall and if the active firewall changes the IP is moved over to standby firewall which becomes active.

And internally you would point your LAN at the active firewall's inside IP address for the same reason.

The main issues are with the routers and detecting failover. If you use a switch between the routers and firewalls then a router could fail but the firewall doesn't know because it has an up/up connection to the switch. The way round this is -

1) run a routing protocol between the firewalls and the routers. However a lot of people don't like running a routing protocol on their firewalls for security reasons especially between the outside interfaces and routers. In addition, last time i checked with a routing protocol the standby firewall does not actually particpate so if the firewall fails over the new active firewall then has to establish adjacencies with the routers. This restriction may have been lifted though with the newer firewalls.

or

2) track the status of neighbor with route tracking on the ASA firewall.

There are other issues you consider -

NAT - is each ISP providing you with a range of public IPs or do you have provider independant addressing ? Bear in mind both may be primary but if you used one of ISP1s address to PAT all your internal clients you could send trafic out via ISP2 but it would come back via ISP1. So it could be hard to load balance. You could split up your internal clients to NAT some to ISP1 and some to ISP2.

NAT for internal devices (on a dmz maybe) to be accessed from the internet. Again whose IP addresses would you use for this , ISP1s or ISP2s. Is ISP1 willing to advertise out ISP2s block and vice versa. If not all traffic for those services would come via the ISP you have used the addresses of.

If you do have provider independant addressing the above 2 are not so much of a concern because each ISP would advertise out your block of addresses.

Routing. The ASAs have a limitation that you cannot configure 2 default routes pointing out of different interfaces. This is another reason why having each router connect directly to the ASA is not a good idea because you would have 2 outside interfaces. With a switch you only have one outside interface so you can have 2 default routes, one pointing to one router and one to the other.  As already stated if you do this you would need to somehow track the state of the links.

What routes are your routers receiving from the ISPs ?  Are you peering with them using BGP or simply using statics. Do you want to influence outbound traffic to take one path or another or are you happy to just use 2 default routes on your firewall and let it load balance between them (with the provisos i covered about NAT).

Finally i should say that i have not used any of the more recent ASAs or software versions so some of what i have said, specifically the standby not particpating in the routing protocol and the limitation on default routes, may not be issues now so it may be worth posting into the Firewalling forum as well or putting a link to here just in case.

Apologies for overloading you with information but with 2 ISPs it can become quite complex.

Jon

Community Member

Re: Routers and Firewalls design

Sir an excellent, totally awesome reply and guide. I really appreciate and am grateful.

Sir just one thing more, if i place a switch between routers and firewalls, does it need to be redundant too ? i mean in that case there will be just more interfaces connecting and things becoming complex. So how is it practically done ? 1 switch or 2 switches ?

Hall of Fame Super Blue

Re: Routers and Firewalls design

Jonn

If you have redundant firewalls and 2 routers having only one switch would not be a good idea as if it fails you have lost all connectivity. So yes, you would need 2 switches.

You would have one firewall and one router connected to each switch. All connections from both firewalls and routers would be in the same vlan. You connect the 2 switches together and because there is only one vlan then the switch ports connecting the switches just need to be access ports in that vlan.

If a switch fails you lose one firewall and on router.

Note also that from your original post you said in option 2 you run HSRP/VRRP on the routers. I think i covered it in the last post but worth saying again that you do point the routers at the firewall active IP but you don't run HSRP/VRRP on the routers because only one would be used. You simply add 2 default routes to the firewalls pointing to each routers LAN IP address.

In terms of failure -

1) active firewall fails. You still have 2 switches and 2 routers and one firewall

2)  router fails. You still have an active and standby firewall, 2 switches and one router

3) switch fails. You still have one firewall and one router

None of the above necessarily means a loss of service but i would reiterate that your IP addressing from the ISPs and how you use them on the firewall could also dicatate what is and isn't available.

So it very important to understand exactly what the customer expects from the design in terms of redundancy, usage of both ISPs links etc. and whether your design will meet those requirements.

Jon

Community Member

Reference to the diagram

Reference to the diagram (dual_isp_topology.pptx), could you provide the recommendations for each design options? Pros and Cons? Which is preferred?

Any design consideration or limitations?

Hall of Fame Super Blue

Re: Routers and Firewalls design

Jonn

Thinking about it, this has more to do with the capabilities of the firewalls than the routers so i would suggest moving this thread to the Firewalling forum where there are people with much more recent experience than me in these things.

Jon

2753
Views
0
Helpful
7
Replies
CreatePlease to create content