Cisco Support Community
Seeking OSPF Design advice

Hello support community,

I'm hoping that you can provide some advice on some design questions. I'm trying to come up with the best way to set up a highly available, redundant, and secure (from the public) connection between an ASR1001, a pair of 3750X, and firewalls. I'm using OSPF as my IGP.

My current design is like this:
On the 3750X, run OSPF on 1 x SVI, and connect the firewalls and ASR to a layer 2 access port on the 3750X (onto the public access VLAN).
On the ASR, use 1 loopback and connect to the 3750X using L3 ports, run OSPF on these ports, and redistribute the static loopback, or maybe use a bridge domain interface instead?
On the firewall, use 1 loopback and connect to the 3750X using L3, run OSPF on these ports, and redistribute the static loopback. These connections would terminate on the 3750X onto the public or private L2 VLAN access ports.

My questions are:
1. What suggestions do you have for an OSPF p2p connection between my ASR and a pair of 3750X, considering that the ASR is an internet router and data will need to hit the firewall first? Do you have any samples that you can share?

2. Should I go with a single backbone area instead of a multi area design?

3. Would BFD be recommended in this scenario?

I appreciate your tips, please see diagram.

http://imgur.com/0X1hz3M

Thanks,
Delmiro

4 REPLIES
does anyone want to take a stab at this? :)..

wondering if there are any articles or like cisco validated designs documents that you can point me to, I would appreciate it.

Hello.

Per the diagram attached, you have only one external connection (I mean the ASR), which is why I would suggest not involving the ASR in the routing process, as it gives you no profit.

Actually, your firewalls (assuming these are ASAs) should run in failover, possibly configured with 3 interfaces: inside, outside, DMZ. If you don't need too much dynamic routing here, then the ASA may have a default static toward the ASR and a summary static toward the VRRP address on the 3750. If you want dynamic, you may run 2 OSPF processes on the ASAs (inside and outside).

Per your question:

1 - you mustn't have a common L3 subnet between the ASR and the 3750 (unless you run the ASA in transparent mode);

2 - I wouldn't extend the internal routing process to the ASR, as it might compromise your network (unless you have some specific requirements);

3 - not sure if the ASA can participate in BFD.

PS: a single ASR doesn't look like a redundant node.
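As an added illustration (not part of the thread), the static-route variant of the design described in the reply above: the ASA pair holds a default route toward the ASR and a summary toward the first-hop address shared by the 3750X pair, and the 3750X keeps OSPF passive toward the firewall/ASR side so no internal adjacency is offered to the Internet edge. All addresses are constructed from documentation ranges, HSRP stands in for the VRRP address mentioned, and the VLAN and failover-link interface numbers are assumptions.

```text
! --- ASA (configured on the active unit; failover replicates to the standby) ---
! Constructed: 203.0.113.0/29 toward the ASR, 10.255.0.0/29 toward the 3750X pair
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover link folink GigabitEthernet0/3
failover interface ip folink 192.168.255.1 255.255.255.252 standby 192.168.255.2
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.255.0.2 255.255.255.248 standby 10.255.0.3
! Default toward the ASR; no routing protocol is run on the outside interface
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
! Summary static for the internal space toward the 3750X shared first-hop address
route inside 10.0.0.0 255.0.0.0 10.255.0.1 1

! --- 3750X (both switches; only the Vlan20 address and HSRP priority differ) ---
interface Vlan20
 description transit to ASA inside (assumed VLAN number)
 ip address 10.255.0.4 255.255.255.248
 standby 1 ip 10.255.0.1
 standby 1 priority 110
 standby 1 preempt
interface Vlan10
 description internal user/server VLAN (assumed VLAN number)
 ip address 10.10.0.1 255.255.255.0
router ospf 1
 router-id 10.0.0.1
 ! Passive everywhere by default: no hellos toward the transit VLAN or the public VLAN
 passive-interface default
 no passive-interface Vlan10
 network 10.0.0.0 0.255.255.255 area 0
 ! Advertise the default into OSPF only while the static toward the ASA is present
 default-information originate
! Static default toward the ASA active inside address
ip route 0.0.0.0 0.0.0.0 10.255.0.2
```

With `passive-interface default`, the ASR and the ASA see no OSPF hellos from the 3750X, so the internal topology is never exposed to the edge router.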

Thank you Vasilii, I appreciate your information and input, and my apologies for not including the full diagram in my initial post. Please take a look at the attached diagram. Would your suggestion still be the same then? Thanks for your time.
