BGP and internal core redundancy

nhubacek1
Level 1

So I have a couple of questions and was curious about what the community here thought about this theory. We are colo'ing a rack for redundancy offsite and have a single layer 2 connection between that and our main location (dedicated fiber). We have an ISP at the colo facility and a different ISP at our main location. We're planning to announce our public /24 via BGP and a public AS to both providers to provide redundancy for our /24 both incoming and outgoing.

I've attached a basic picture of this environment for what we want to do. For the moment ignore the single point of failure between the switches/ISP/locations; those will be redundant soon.

My questions are these:

1) For redundancy between the firewalls and the routers, is Layer 2 or Layer 3 recommended?

2) If we go Layer 3, I assume we would need to use public IPs on those links and not private reserved IPs? (Wouldn't the private IPs show up in a traceroute, etc.?)

3) I've read a lot about spanning tree, HSRP, VRRP, OSPF redistribution, etc. I'm having a hard time figuring out exactly what tech/protocols to use for making the area between the routers and the firewalls redundant.

Thanks,

Nick

4 Replies

Hello, Nick.

>1) For redundancy between the firewalls and the routers, is Layer 2 or Layer 3 recommended?

Here you need to note what HA options you have on your FW.

If you are implementing ASA, then you need L2 (outside interface on both FWs should be in the same VLAN).

>2) If we go Layer 3, I assume we would need to use public IPs on those links and not private reserved IPs? (Wouldn't the private IPs show up in a traceroute, etc.?)

Looks like you are not going with L3, but...

You may use any private IP address between router and FW; you are right, this could affect traceroutes (originated from the internet), but do you really need them?

>3) I've read a lot about spanning tree, HSRP, VRRP, OSPF redistribution, etc. I'm having a hard time figuring out exactly what tech/protocols to use for making the area between the routers and the firewalls redundant.

I think that, first of all, you need to design your routing for the public prefix and how all your WAN routers are going to exchange (?) BGP. And you need to design how outgoing traffic will be choosing the right WAN link.

Sometimes simple HSRP could be enough on WAN routers (if you want Active/Passive).

Actually I would suggest having a unique /24 prefix per location (as I guess that the ISP won't accept a /25), because announcing a single /24 could affect your production in case the fiber link goes down.

I would suggest the following diagram:

[attachment: 123.png]

Surely you have a single Fiber, but a couple of vlans are in trunk (so, SW1/SW3 could be a single router).

SW1 and SW2 should run IGP over VL12 and with FW1/FW2. This will allow you to exchange traffic between LAN and DMZs.

Subnet SW1-FW1 should be a dedicated L3 subnet (VLAN 101?); the same with SW2/FW2 (VLAN 201?).

VL99 allows your WAN routers to communicate with each other and FW1/FW2.

Per my understanding there is no need for 2 WAN routers per location, unless the ISP provides you 2 links.

Thank you very much for your advice, it's given me a lot to think about. We wanted to go with our current /24 only as we honestly don't need additional IPs; we're not using enough of our current /24 and can easily split that between locations as two /25's.

As for Q2) above:

Wouldn't a private IP range be a hop for external traffic coming inbound? I imagine we would want to avoid anything in 10.0.0.0/8, 192.168.0.0/24, etc. from showing up in the external routing tables...

We're talking about making the WAN side routers a Layer3 switch that can handle default-route only BGP, like a WS-C3750G-24T-E.  The FW side could be generic juniper/pfsense/asa/pix/whatever.

Thanks again for your time!

Hello, Nick.

>As for Q2) above:
>
>Wouldn't a private IP range be a hop for external traffic coming inbound? I imagine we would want to avoid anything in 10.0.0.0/8, 192.168.0.0/24, etc. from showing up in the external routing tables...

Your BGP routers will be announcing 1.1.1.0/24 via a public IP address (2.2.2.2 in your picture).

Nobody will see your private transit addresses in their RIBs, as 1) they won't accept the route, 2) you won't announce the route.

>We're talking about making the WAN side routers a Layer3 switch that can handle default-route only BGP, like a WS-C3750G-24T-E.

Not sure if it's a good idea to use an L3 switch when you could use a cheaper router (and a router could do much more than a switch).
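Two points from the replies above belong together: the ISP will not accept anything longer than a /24, and the private transit addressing between router and firewall must never be announced. On a real BGP router both are enforced by an outbound prefix-list or route-map on the eBGP session, and the following Python models that filter so the logic can be checked offline. This is an added example written for this page, not code posted in the thread: 1.1.1.0/24 is the placeholder prefix the reply uses, and the transit /30s, the VL99 interconnect range and the candidate route list are constructed.

```python
import ipaddress

# Placeholder from the reply above: the public /24 the site announces.
ANNOUNCED_PREFIX = ipaddress.ip_network("1.1.1.0/24")

# Address space that must never leave the AS: RFC 1918 plus other
# well-known non-routable special-purpose blocks (RFC 6890).
NON_ROUTABLE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("100.64.0.0/10"),   # shared address space, RFC 6598
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("0.0.0.0/8"),
]

# Transit providers generally refuse IPv4 announcements longer than /24.
MAX_IPV4_PREFIX_LEN = 24


def classify_announcement(prefix_str, permitted=(ANNOUNCED_PREFIX,),
                          max_len=MAX_IPV4_PREFIX_LEN):
    """Return (accepted, reason) for one candidate outbound route.

    Order matters: malformed input and the default route are rejected
    first, then anything touching non-routable space, then routes that
    are too specific, and finally anything outside the permitted set.
    """
    try:
        # strict=True rejects "1.1.1.1/24" style host-bit mistakes.
        net = ipaddress.ip_network(prefix_str, strict=True)
    except ValueError as exc:
        return False, f"malformed prefix: {exc}"
    if net.version != 4:
        return False, "only IPv4 handled in this example"
    if net.prefixlen == 0:
        return False, "default route is never announced upstream"
    for bad in NON_ROUTABLE:
        # Reject both a route inside a bad block and a route covering one.
        if net.subnet_of(bad) or bad.subnet_of(net):
            return False, f"overlaps non-routable {bad}"
    if net.prefixlen > max_len:
        return False, f"more specific than /{max_len}; the ISP will drop it"
    for ok in permitted:
        if net == ok or net.subnet_of(ok):
            return True, f"within permitted {ok}"
    return False, "not in the permitted announcement set"


def filter_announcements(candidates, **kwargs):
    """Split candidate routes into (accepted, [(rejected, reason), ...])."""
    accepted, rejected = [], []
    for prefix in candidates:
        ok, reason = classify_announcement(prefix, **kwargs)
        if ok:
            accepted.append(prefix)
        else:
            rejected.append((prefix, reason))
    return accepted, rejected


# Constructed sample: what a WAN router's RIB might hold in this design.
SAMPLE_RIB = [
    "1.1.1.0/24",        # the public prefix: the only thing to announce
    "1.1.1.0/25",        # per-location half: ISP will not accept a /25
    "10.0.0.0/30",       # router-to-firewall transit link (constructed)
    "192.168.99.0/24",   # VL99 WAN-router interconnect (constructed)
    "0.0.0.0/0",         # default route learned from the ISP
    "2.2.2.0/24",        # ISP-side addressing: not ours to announce
    "1.1.1.1/24",        # typo with host bits set: malformed
]

if __name__ == "__main__":
    good, bad = filter_announcements(SAMPLE_RIB)
    print("announce:", good)
    for prefix, why in bad:
        print(f"suppress {prefix}: {why}")
```

Running the block prints one accepted route, 1.1.1.0/24, and a reason for each suppressed one; the same decisions are what the upstream's own inbound filters would make, which is why the reply can say the private transit space never reaches anyone's RIB.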
