PerimeterIT

asked on

Front-end/backend routers with redundancy

I need some advice building a redundant router setup for my lab.

I have a pair of Cisco 2811 routers for the front end and a pair of ASA 5520s to act as backend security appliances.

I need to set up the pairs of routers so they can fail over to each other and completely remove any single point of failure.

I'm using the built-in active/standby failover on the ASAs and HSRP on the 2811s at the moment.
But how do I wire them up, and how do I configure the routing so the devices can survive any single failure?
Daniel Sheppard

Where are you putting the HSRP? Do you have public IPs for your devices or are you doing NAT? What is doing NAT?
PerimeterIT

ASKER

This is the kind of stuff I'm trying to figure out :)

The ASAs are handling NAT for my private networks.
The 2811s will have the public externally facing IPs.

Would I be best to have a subnet that exists between the exterior and interior routers and map the external IPs to IPs on the ASAs' WAN side?
If your ASAs will be handling NAT, then unless you have a routed block they will have to be in front of your routers. Honestly, I would do that and then enable a dynamic routing protocol on the ASA-facing interfaces for the routers and have the routers themselves as the client gateways (not the ASAs).

If you have a block, do you have BGP or static?
BGP
ASKER CERTIFIED SOLUTION
Daniel Sheppard
So if I am getting this right:
In this topology I would use EIGRP or OSPF to redistribute routes to the ASA pair from two active/active front end routers?

Would the public IPs in my ARIN-issued subnet exist in between the routers then?
Traffic to my public subnet would be routed from the ISPs to ISP-issued IPs that exist on the front-end routers, all managed by BGP?
You would need to allocate a few public IPs between the ASAs and the routers. Other than that, your IPs would be assigned to the ASA (or if you subnet, some to the ASAs, some behind the ASAs).

Everything else is correct, all routes would be managed via BGP (you could filter out the full table with your front-end routers and just redistribute the default route).
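A worked configuration for the design agreed on in this thread (a dynamic routing protocol on the ASA-facing interfaces, as Daniel suggested earlier, plus BGP on the 2811s that keeps only the default route and announces the ARIN block, as in his last reply). This is an added example, not configuration posted by either participant. Every name, AS number and address is an assumption: 203.0.113.0/24 stands in for the ARIN-issued block, with 203.0.113.0/29 carved out as the transit subnet between the 2811s and the ASAs; the ISP peerings, interface numbers and the 10.10.0.0/24 inside network are made up; the ASA side uses 8.3+ object NAT syntax. The two 2811 inside interfaces and the two ASA outside interfaces are assumed to sit on one shared Layer 2 segment.

```cisco
! ---------- FE-RTR-A (Cisco 2811, front end; hypothetical) ----------
! FE-RTR-B is identical except for its own ISP neighbor, transit IP .3,
! HSRP priority 100, and an iBGP neighbor of .2.
hostname FE-RTR-A
!
interface FastEthernet0/0
 description Uplink to ISP A (assumed /30)
 ip address 198.51.100.2 255.255.255.252
!
interface FastEthernet0/1
 description Transit /29 shared with FE-RTR-B and the ASA pair
 ip address 203.0.113.2 255.255.255.248
 standby 1 ip 203.0.113.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track FastEthernet0/0 20
!
! Accept only a default from the ISP (no full table on the 2811) and
! announce only our own aggregate.
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
ip prefix-list OUR-BLOCK seq 5 permit 203.0.113.0/24
!
router bgp 64512
 bgp log-neighbor-changes
 network 203.0.113.0 mask 255.255.255.0
 neighbor 198.51.100.1 remote-as 64496
 neighbor 198.51.100.1 prefix-list DEFAULT-ONLY in
 neighbor 198.51.100.1 prefix-list OUR-BLOCK out
 ! iBGP to FE-RTR-B so either router can use the other's uplink
 neighbor 203.0.113.3 remote-as 64512
 neighbor 203.0.113.3 next-hop-self
!
! The rest of the /24 lives behind the ASAs: route it to the ASA outside
! IP, which moves with the active unit on failover. The connected /29
! still wins by longest match. This static also satisfies the BGP
! "network" statement above.
ip route 203.0.113.0 255.255.255.0 203.0.113.4
!
! OSPF on the ASA-facing interface only; it hands the BGP-learned default
! to the ASAs and stops originating it if this router loses every default.
router ospf 1
 passive-interface default
 no passive-interface FastEthernet0/1
 network 203.0.113.0 0.0.0.7 area 0
 default-information originate
!
! ---------- ASA-PRIMARY (ASA 5520, 8.3+ syntax; hypothetical) ----------
! The secondary unit needs only the failover lines (with
! "failover lan unit secondary"); the rest replicates from the primary.
hostname ASA-PRIMARY
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.4 255.255.255.248 standby 203.0.113.5
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0 standby 10.10.0.2
!
interface GigabitEthernet0/3
 description Failover and state link, cabled directly between the ASAs
 no shutdown
!
failover
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
!
! No static default: both 2811s advertise 0.0.0.0/0 into OSPF.
router ospf 1
 network 203.0.113.0 255.255.255.248 area 0
 log-adj-changes
!
! Dynamic PAT to a public address outside the transit /29, reachable
! only because the 2811s route the whole /24 to this ASA.
object network INSIDE-NET
 subnet 10.10.0.0 255.255.255.0
 nat (inside,outside) dynamic 203.0.113.9
```

To check each failure domain after bringing this up: `show standby brief` and `show ip bgp summary` on the routers, `show ip ospf neighbor` on both sides (`show ospf neighbor` on the ASA) to confirm each ASA sees two OSPF neighbors, and `show failover` on the ASAs. Pulling the ISP cable on FE-RTR-A should drop its HSRP priority below FE-RTR-B's and leave the default route reachable via iBGP; powering off the active ASA should move 203.0.113.4 to the standby without the routers changing anything. Note that with a single switch carrying the transit segment, that switch is itself a single point of failure, so span it across two switches if the lab has them.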
Excellent, thank you :)