Front-end/backend routers with redundancy

I need some advice building a redundant router setup for my lab.

I have a pair of Cisco 2811 routers for the front end and a pair of ASA 5520s to act as backend security appliances.

I need to set up the pairs of routers so they can fail over to each other and completely remove any single point of failure.

I'm using the built-in active/standby failover on the ASAs and HSRP on the 2811s at the moment.
But how do I wire them up, and how do I configure the routing so the devices can survive any single failure?
PerimeterIT asked:
 
Daniel Sheppard (Network Administrator/Engineer/Architect) commented:
Then you don't need BGP; let your frontend routers do all the BGP work and set up an IGP for your ASAs.

Something like the below topography is probably what you want. You can redistribute from BGP into your IGP. Nothing else is required. Keep in mind, you most likely will have a single point of failure at your ISP unless you are going multiple redundant connections.

You don't need HSRP at all for this topography.

[Attached image: EE-ASA-Router.PNG]
 
Daniel Sheppard (Network Administrator/Engineer/Architect) commented:
Where are you putting the HSRP? Do you have public IPs for your devices or are you doing NAT? What is doing NAT?
 
PerimeterIT (Author) commented:
This is the kind of stuff I'm trying to figure out :)

The ASAs are handling NAT for my private networks.
The 2811s will have the public externally facing IPs.

Would I be best to have a subnet that exists between the exterior and interior routers and map the external IPs to IPs on the ASAs' WAN?
 
Daniel Sheppard (Network Administrator/Engineer/Architect) commented:
If your ASAs will be handling NAT, unless you have a routed block, they will have to be in front of your routers. Honestly, I would do that and then enable a dynamic routing protocol on the ASA-facing interfaces for the routers and have the routers themselves as the client gateways (not the ASAs).

If you have a block, do you have BGP or static?
 
PerimeterIT (Author) commented:
BGP
 
PerimeterIT (Author) commented:
So if I am getting this right:
In this topology I would use EIGRP or OSPF to redistribute routes to the ASA pair from two active/active front end routers?

Would the public IPs in my ARIN-issued subnet exist in between the routers then?
Traffic to my public subnet would be routed from the ISPs to ISP-issued IPs that exist on the front end routers, all managed by BGP?
 
Daniel Sheppard (Network Administrator/Engineer/Architect) commented:
You would need to allocate a few public IPs between the ASAs and the routers. Other than that, your IPs would be assigned to the ASA (or, if you subnet, some to the ASAs, some behind the ASAs).

Everything else is correct, all routes would be managed via BGP (you could filter out the full table with your front-end routers and just redistribute the default route).
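A configuration sketch of the design agreed in the answer above, added here as an example and not posted by anyone in the thread: each front-end router accepts only a default route from its ISP and passes it to the ASA pair over OSPF. All addresses, AS numbers, interface names and the prefix-list name are constructed (documentation ranges), and OSPF is an assumed choice of IGP.

```cisco
! Constructed example: addresses and AS numbers are documentation or
! private values, none of them come from the thread.
!
! --- Front-end router R1 (2811). R2 mirrors this with its own ISP link
! --- and 203.0.113.2 on the transit segment.
interface FastEthernet0/0
 description Uplink to ISP
 ip address 192.0.2.2 255.255.255.252
!
interface FastEthernet0/1
 description Public transit segment shared by both routers and the ASA pair
 ip address 203.0.113.1 255.255.255.248
!
! Accept only the default route from the ISP instead of the full table.
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
! Advertising your own block to the ISP is not shown in this sketch.
router bgp 64512
 neighbor 192.0.2.1 remote-as 64496
 neighbor 192.0.2.1 prefix-list DEFAULT-ONLY in
!
! Without the "always" keyword, the default is originated into OSPF only
! while a default route is present in this router's routing table.
router ospf 1
 network 203.0.113.0 0.0.0.7 area 0
 default-information originate
!
! --- ASA 5520, active unit (configuration replicates to the standby).
! --- The standby address is what the peer unit answers on until failover.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.3 255.255.255.248 standby 203.0.113.4
!
! The ASA takes a netmask here, not a wildcard mask as on the routers.
router ospf 1
 network 203.0.113.0 255.255.255.248 area 0
```

After applying something like this, `show route` on the active ASA should list a default route via each front-end router, and shutting one router's ISP uplink in the lab should leave only the other.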
 
PerimeterIT (Author) commented:
Excellent, thank you :)
Question has a verified solution.
