[c-nsp] 2 locations, 2 ISPs, 2 ASAs, configuration confusion
Peter Walker
peter at grole.org
Mon Jan 22 19:28:06 EST 2007
--On 22 January 2007 15:58 -0600 "Winders, Timothy A"
<twinders at southplainscollege.edu> wrote:
> I met with my Cisco SE today. This is the logical configuration we
> have come up with. I'm waiting on one more hardware piece before I
> can test it out. Anyone have any feedback here. From below, here
> is the summary of goals:
>
> * 2 entry and exit points to the network
> * Full firewall at both entry points to the network
> * dynamic routing internal
> * bgp to ISPs
> * if the connection between CORE1 and CORE2 goes down, each site
> maintains internet connectivity independently and announces routes
> to its bgp peer for only the networks which remain local to it.
> * optionally, if CORE1 and CORE2 lose their connection, a secure
> tunnel connection will be established over the internet to connect
> the sites again, transparent to users.
> * All routers (edge and core) are SUP720 based.
> * Firewalls are ASA5520s with ASA-SSM-20 IPS module
> * asymmetric routing must be taken into consideration
>
>
>          Internet
>          /      \
>       ISP1      ISP2
>        |         |
>       ER1 ----- ER2
>        |         |
>       ASA1      ASA2
>        |         |
>      CORE1 --- CORE2
>
> 1 and 2 are two different sites with a GigE connection between them.
> The connections between CORE1/CORE2 and ER1/ER2 are across the same
> physical link, but are on different VLANs. We have full dot1Q
> trunking between sites.
>
> ER1 runs eBGP to ISP1
> ER2 runs eBGP to ISP2
> ER1 and ER2 run iBGP
> ER1 runs iBGP with CORE1
> ER2 runs iBGP with CORE2
> CORE1 and CORE2 run OSPF
>
> The two ASA run independently in routed firewall mode. We take full
> routes plus default from each ISP1 and ISP2. We inject OSPF into
> iBGP. We create a high admin distance between CORE1 and CORE2.
>
> With this configuration, the default route for each COREx router
> will be its local edge router. The Edge routers will decide
> which ISP to send the traffic OUT. Incoming traffic can be
> asymmetric from the ISPs, that is traffic going OUT ER1 can come
> back in ER2. However, through iBGP routing, the inflow of traffic
> should always come back in through the correct ASA and we shouldn't
> have to worry about stateful inspection dropped packets.
>
> After this is working, I'll build a tunnel between CORE1 and CORE2
> across the internet, so if the link between COREs goes down, the two
> sites will have connectivity over the Internet.
>
> I think this will all work. Comments?
>
> Tim Winders | Associate Dean of Information Technology | South
> Plains College
>
>
>
It's late at night here, and I may be wrong but ...
If you are running iBGP all the way to CORE1 & CORE2 then you will
need a full mesh. So you are missing iBGP from ER1 to CORE2, ER2 to
CORE1, and CORE1 to CORE2.
Alternatively if you use ER1/ER2 as your BGP edge then you could run
OSPF between the edge routers, and from the edge routers to the ASAs
and inside the ASAs also. If ER1 / ER2 are injecting default routes
into OSPF then I think that would do the trick.
Regards
Peter Walker
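As an added illustration of the full-mesh point above (not configuration from either poster), this is what the BGP stanza on ER1 would look like with the missing iBGP sessions added and the outbound announcement to ISP1 restricted to the site's own prefix. The AS numbers, loopback and link addresses and the prefix are constructed placeholders; it assumes loopbacks are reachable through the IGP and that ASA1 permits TCP/179 between the iBGP peers it sits between.

```cisco
! ER1 -- eBGP to ISP1, iBGP full mesh to ER2, CORE1 and CORE2
! All ASNs, addresses and prefixes below are constructed placeholders
router bgp 64512
 bgp log-neighbor-changes
 !
 ! eBGP to ISP1: accept full routes plus default, announce only site-local space
 neighbor 203.0.113.1 remote-as 64600
 neighbor 203.0.113.1 description ISP1
 neighbor 203.0.113.1 prefix-list SITE1-OUT out
 neighbor 203.0.113.1 prefix-list BOGON-IN in
 !
 ! iBGP peers: one session to every other iBGP speaker (full mesh),
 ! sourced from loopbacks so the session does not depend on one link,
 ! next-hop-self so internal peers do not need a route to the ISP link
 neighbor 10.255.0.2 remote-as 64512
 neighbor 10.255.0.2 description ER2
 neighbor 10.255.0.2 update-source Loopback0
 neighbor 10.255.0.2 next-hop-self
 neighbor 10.255.0.11 remote-as 64512
 neighbor 10.255.0.11 description CORE1 (session crosses ASA1)
 neighbor 10.255.0.11 update-source Loopback0
 neighbor 10.255.0.11 next-hop-self
 neighbor 10.255.0.12 remote-as 64512
 neighbor 10.255.0.12 description CORE2 (session crosses ASA1 and ASA2)
 neighbor 10.255.0.12 update-source Loopback0
 neighbor 10.255.0.12 next-hop-self
!
! Only the prefix that is local to site 1 leaves toward ISP1; if the
! inter-core link fails, site 2 space is simply no longer announced here
ip prefix-list SITE1-OUT seq 10 permit 192.0.2.0/24
ip prefix-list SITE1-OUT seq 20 deny 0.0.0.0/0 le 32
!
! Do not accept our own or private space back from the ISP
ip prefix-list BOGON-IN seq 10 deny 192.0.2.0/24 le 32
ip prefix-list BOGON-IN seq 20 deny 10.0.0.0/8 le 32
ip prefix-list BOGON-IN seq 30 permit 0.0.0.0/0 le 24
```

ER2 mirrors this toward ISP2 with its own prefix list, and CORE1/CORE2 carry the same three-peer mesh; `show ip bgp summary` on each box should list every other iBGP speaker in Established state before any failover test.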