I'm hoping that you can provide some advice on some design questions. I'm trying to come up with the best way to set up a highly available, redundant, and secure (from the public) connection between an ASR1001, a pair of 3750X, and firewalls. I'm using OSPF as my IGP.
My current design is like this:
On the 3750X, run OSPF on 1 x SVI, and connect the firewalls and ASR onto a layer 2 access port on the 3750X (onto the public access VLAN).
On the ASR, use 1 loopback and connect to the 3750X using L3 ports, run OSPF on these ports, and redistribute the static loopback, or maybe use a bridge domain interface instead?
On the firewall, use 1 loopback and connect to the 3750X using L3, run OSPF on these ports, and redistribute the static loopback.
These connections would terminate on the 3750X onto the public or private L2 VLAN access ports.
My questions are: 1. What suggestions do you have for an OSPF p2p connection between my ASR and a pair of 3750X, considering that the ASR is an Internet router and data will need to hit the firewall first? Do you have any samples that you can share?
2. Should I go with a single backbone area instead of a multi area design?
Per the diagram attached, you have only one external connection (I mean the ASR), which is why I would suggest not involving the ASR in the routing process, as it gives you no benefit.
Actually, your firewalls (assuming these are ASAs) should run in failover, possibly configured with 3 interfaces: inside, outside, DMZ. If you don't need too much dynamic routing here, then the ASA may have a default static toward the ASR and a summary static toward the VRRP address on the 3750. If you want dynamic routing, you may run 2 OSPF processes on the ASAs (inside and outside).
Per your question:
1 - you mustn't have a common L3 subnet between the ASR and the 3750 (unless you run the ASA in transparent mode);
2 - I wouldn't extend the internal routing process to the ASR, as it might compromise your network (unless you have some specific requirements);
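As an added illustration of the static design described in the answer above (constructed for this page, not configuration posted in the thread or taken from Cisco documentation), the following shows the two halves that carry the security-relevant points: the ASA pair in failover with a default static toward the ASR and a summary static toward the 3750X VRRP address, and the 3750X keeping the public transit VLAN at layer 2 only (no SVI, so the switch shares no L3 subnet with the ASR and the ASR takes no part in the IGP) while originating a default into OSPF for the inside. All addresses, interface names, VLAN numbers and process numbers are assumptions.

```cisco
! ===== ASA, active unit of the failover pair (constructed addresses) =====
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.2 255.255.255.0 standby 10.0.0.3
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.0.1 255.255.255.0 standby 172.16.0.2
!
! Default static toward the ASR: no routing protocol runs with the Internet router
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
! Summary static for the internal space toward the 3750X VRRP address
route inside 10.0.0.0 255.0.0.0 10.0.0.1 1
!
! Active/standby failover over a dedicated link (constructed)
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.168.255.1 255.255.255.252 standby 192.168.255.2
failover

! ===== 3750X #1 (the second switch mirrors this with 10.0.0.5 and a lower priority) =====
! Public transit VLAN stays pure layer 2: ASR and ASA outside are access ports,
! and there is deliberately no "interface Vlan20", so the switch has no L3 address there
vlan 20
 name PUBLIC-TRANSIT
interface GigabitEthernet1/0/1
 description To ASR1001
 switchport mode access
 switchport access vlan 20
interface GigabitEthernet1/0/2
 description To ASA outside
 switchport mode access
 switchport access vlan 20
!
! Inside VLAN: SVI with VRRP; 10.0.0.1 is the virtual address the ASA summary static points at
vlan 10
 name INSIDE-TRANSIT
interface GigabitEthernet1/0/3
 description To ASA inside
 switchport mode access
 switchport access vlan 10
interface Vlan10
 ip address 10.0.0.4 255.255.255.0
 vrrp 10 ip 10.0.0.1
 vrrp 10 priority 110
!
! Default toward the active ASA inside address, then advertised into OSPF;
! Vlan10 is passive so no OSPF adjacency is attempted with the firewall
ip route 0.0.0.0 0.0.0.0 10.0.0.2
router ospf 1
 router-id 10.255.255.1
 passive-interface Vlan10
 network 10.0.0.0 0.255.255.255 area 0
 default-information originate
```

The division of labour is the point: the ASA is the only device that touches both the public and the inside subnets, the 3750X never learns or advertises anything over the public VLAN, and the ASR is reached only through the firewall's default route. If dynamic routing is later wanted on the inside, the `passive-interface` and `ip route` lines are what would change, not the public-side VLAN handling.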
Thank you, Vasilii. I appreciate your information and input, and my apologies for not including the full diagram in my initial post; please take a look at the attached diagram. Would your suggestion still be the same then? Thanks for your time.