[c-nsp] 2 locations, 2 ISPs, 2 ASAs, configuration confusion

Winders, Timothy A twinders at southplainscollege.edu
Mon Jan 22 21:36:16 EST 2007


> --On 22 January 2007 15:58 -0600 "Winders, Timothy A" 
> <twinders at southplainscollege.edu> wrote:
> 
> > I met with my Cisco SE today.  This is the logical configuration we
> > have come up with.  I'm waiting on one more hardware piece before I
> > can test it out.  Anyone have any feedback here?  From below, here
> > is the summary of goals:
> >
> > * 2 entry and exit points to the network
> > * Full firewall at both entry points to the network
> > * dynamic routing internal
> > * bgp to ISPs
> > * if the connection between CORE1 and CORE2 goes down, each site
> > maintains internet connectivity independently and announces routes
> > to its bgp peer for only the networks which remain local to it.
> > * optionally, if CORE1 and CORE2 lose their connection, a secure
> > tunnel connection will be established over the internet to connect
> > the sites again, transparent to users.
> > * All routers (edge and core) are SUP720 based.
> > * Firewalls are ASA5520s with ASA-SSM-20 IPS module
> > * asymmetric routing must be taken into consideration
> >
> >
> >           Internet
> >            /    \
> >         ISP1    ISP2
> >          |       |
> >         ER1 --- ER2
> >          |       |
> >         ASA1    ASA2
> >          |       |
> >        CORE1 --- CORE2
> >
> > 1 and 2 are two different sites with a GigE connection between them.
> > The connections between CORE1/CORE2 and ER1/ER2 are across the same
> > physical link, but are on different VLANs.  We have full dot1Q
> > trunking between sites.
> >
> > ER1 runs eBGP to ISP1
> > ER2 runs eBGP to ISP2
> > ER1 and ER2 run iBGP
> > ER1 runs iBGP with CORE1
> > ER2 runs iBGP with CORE2
> > CORE1 and CORE2 run OSPF
> >
> > The two ASA run independently in routed firewall mode.  We take full
> > routes plus default from each ISP1 and ISP2.  We inject OSPF into
> > iBGP. We create a high admin distance between CORE1 and CORE2.
> >
> > With this configuration, the default route for each COREx router
> > will be its local edge router.  The Edge routers will decide
> > which ISP to send the traffic OUT.  Incoming traffic can be
> > asymmetric from the ISPs, that is traffic going OUT ER1 can come
> > back in ER2.  However, through iBGP routing, the inflow of traffic
> > should always come back in through the correct ASA and we shouldn't
> > have to worry about stateful inspection dropped packets.
> >
> > After this is working, I'll build a tunnel between CORE1 and CORE2
> > across the internet, so if the link between COREs goes down, the two
> > sites will have connectivity over the Internet.
> >
> > I think this will all work.  Comments?
> >
> > Tim Winders | Associate Dean of Information Technology | South
> > Plains College
> >
> >
> >
> 
> It's late at night here, and I may be wrong but ...
> 
> If you are running iBGP all the way to CORE1 & CORE2 then you will 
> need a full mesh.  So you are missing iBGP from ER1 to CORE2, ER2 to 
> CORE1, and CORE1 to CORE2.
> 
> Alternatively if you use ER1/ER2 as your BGP edge then you could run 
> OSPF between the edge routers, and from the edge routers to the ASAs 
> and inside the ASAs also. If ER1 / ER2 are injecting default routes 
> into OSPF then I think that would do the trick.

Thanks, Peter.

A full BGP mesh would not work.  We need the routing protocol to know
that CORE2 is 2 hops away from ER1 and vice-versa.  This is what will
keep the packets flowing through the correct firewall.  Unless there is
a trick with bgp to give different weights to the different peers.  That
might work.

My thought, too, was to use OSPF to the edge.  Turn on OSPF on the ASA
and each ER, inject OSPF into BGP at the edge and we should be good to
go.  The recommendation was to run iBGP to the core.  I'm not sure why.



Tim Winders | Associate Dean of Information Technology | South Plains
College

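The exchange above turns on one question: when return traffic from the Internet arrives at the "other" ISP, does the interior routing still deliver it through the ASA that recorded the outbound session? The following is an added example, not code from the thread or from Cisco; it builds the diagram's topology as a weighted graph, models each ASA as a routed-mode stateful firewall, and runs the asymmetric case twice, once with the inter-core link made expensive (the "high admin distance" the original post describes) and once with a constructed misconfiguration where the inter-core link is cheap and the ER1-ER2 link is costly. Node names follow the diagram; the link costs, the NET1/NET2 prefixes and the Dijkstra stand-in for OSPF/iBGP path selection are assumptions made for illustration.

```python
"""Simulate the two-site, two-ASA design from the thread: does an asymmetric
return path from the Internet still land on the ASA that holds the session?"""
import heapq
from collections import defaultdict


def build_topology(core_link_cost, edge_link_cost):
    """Constructed topology matching the thread's diagram.  Link costs stand
    in for OSPF metrics; CORE1-CORE2 is the 'high admin distance' knob."""
    links = [
        ("ISP1", "ER1", 1), ("ISP2", "ER2", 1),
        ("ER1", "ER2", edge_link_cost),              # inter-site VLAN, edge routers
        ("ER1", "ASA1", 1), ("ER2", "ASA2", 1),
        ("ASA1", "CORE1", 1), ("ASA2", "CORE2", 1),
        ("CORE1", "CORE2", core_link_cost),          # inter-site VLAN, core routers
        ("CORE1", "NET1", 1), ("CORE2", "NET2", 1),  # site-local prefixes (assumed)
    ]
    graph = defaultdict(dict)
    for a, b, cost in links:
        graph[a][b] = cost
        graph[b][a] = cost
    return graph


def shortest_path(graph, src, dst):
    """Dijkstra: return the node list of the cheapest src->dst path."""
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue
        for nxt, cost in graph[node].items():
            if d + cost < dist.get(nxt, float("inf")):
                dist[nxt] = d + cost
                prev[nxt] = node
                heapq.heappush(heap, (d + cost, nxt))
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


class StatefulFirewall:
    """Routed-mode ASA model: inside->outside is permitted and recorded as a
    session; outside->inside is permitted only if it answers a known session."""

    def __init__(self, name):
        self.name = name
        self.sessions = set()

    def permit(self, src, dst, entered_from_inside):
        if entered_from_inside:
            self.sessions.add((src, dst))
            return True
        return (dst, src) in self.sessions   # reply to a recorded session?


def walk(path, src, dst, firewalls):
    """Push one packet src->dst along path.  Returns the name of the ASA that
    dropped it, or None if it was delivered."""
    for i, node in enumerate(path):
        if node in firewalls:
            from_inside = path[i - 1].startswith("CORE")
            if not firewalls[node].permit(src, dst, from_inside):
                return node
    return None


def simulate(core_link_cost, edge_link_cost):
    """Outbound leaves site 1 via ISP1; the reply arrives at ISP2 (asymmetric,
    as the thread expects).  Report both paths and where, if at all, it dies."""
    graph = build_topology(core_link_cost, edge_link_cost)
    firewalls = {"ASA1": StatefulFirewall("ASA1"), "ASA2": StatefulFirewall("ASA2")}
    out_path = shortest_path(graph, "NET1", "ISP1")
    walk(out_path, "NET1", "INTERNET", firewalls)          # ASA1 records the session
    back_path = shortest_path(graph, "ISP2", "NET1")
    dropped_at = walk(back_path, "INTERNET", "NET1", firewalls)
    return {"outbound": out_path, "return": back_path, "dropped_at": dropped_at}


if __name__ == "__main__":
    for label, core, edge in (("inter-core link expensive", 100, 1),
                              ("inter-core link cheap (misconfigured)", 1, 5)):
        r = simulate(core, edge)
        print(f"{label}: return path {' > '.join(r['return'])}; "
              f"dropped at {r['dropped_at'] or 'nowhere (delivered)'}")
```

With the inter-core link costly, ER2 hands the reply across to ER1 and it enters ASA1, which holds the session; with the inter-core link cheap, ER2 sends it down through ASA2, which has never seen the flow and drops it. That is the failure the original post is designing around, and the simulation is a cheap way to sanity-check candidate metrics before touching the real routers.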

