Cisco – BGP Multihoming with 2900’s – one /24 and 2 ASA 5510’s

Tags: bgp, cisco, cisco-asa, isp, ospf

I know this has been discussed multiple times but still wanted to renew this discussion. I, for one, can definitely use some valuable suggestions and clarifications.

Scenario:

I have the following equipment:
– 2*2900
– 2*ASA5510
– 1*/24-IPV4 Scope
– 1*AS-BGP_PUBLIC

I need to set up a BGP multihome to my single /24 using 2*2900 (4 GB RAM), only default routes in.

Configuration assistance requested:

Setting up iBGP + OSPF 0 between the 2*2900s is simple and pretty straightforward. In fact I was also thinking of setting up AS_PATH prepend on one of the ISPs to prefer that ISP and then of course local_pref for a preferred way out of my AS, running static eBGP to the peer ISPs A and B for the same /24. The thing to note here is that there is only one /24 and one link per 2900 router to one ISP.

{ ISP A ---1 link--- router A & ISP B ---1 link--- router B }

The issue arises with the ASAs, though: would you suggest I run a different OSPF area on them, like say OSPF 1, or HSRP to connect them to the 2900s? (Note: all devices need to be behind the firewall stack and the firewalls are behind the 2900s.) At a later date I would like to add more firewall stacks, and running HSRP would just make everything too messy.

This is all a single datacenter setup, same location. Also, by firewall stack I mean firewalls being deployed in a pair in ACTIVE/STANDBY mode, and having more than one pair.

So would you suggest running a separate OSPF process on the ASAs and then redistributing defaults to the backbone OSPF 0 routers, or just running HSRP with defaults to the routers?

How should I configure this?

Best Answer

I can't figure out why you are running two instances of OSPF on the 2900s. This looks way more complicated than it needs to be. You can run OSPF in passive mode on the firewall and distribute a default route from the 2900s. You put a static route on the 2900s for your /24 pointed at your firewall outside IP. Since this is active/standby, if the firewall fails over, the IP address moves with the active firewall. There really is no need to announce anything from the firewall; it is just listening for a default. If you are announcing a default, there is really no need for HSRP either, that can go away. The firewall will just send the traffic to where it hears the default. It might well load balance to both 2900s, though.

Seems you are making it a lot more complicated than it needs to be. There is only ONE firewall address in this configuration so a static route will work just fine. Even so, there is no need for more than one OSPF instance and the only thing you are using that for is to handle the case where a router dies. Then the firewall uses the remaining path where it hears the remaining default route.
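The design in this answer (one OSPF area 0 shared with the ASA outside interfaces, a default handed down from each 2900, a static for the /24 toward the active ASA, eBGP to one ISP per router, iBGP between the routers) written out as a constructed config for router A and the ASA pair. This is added example config, not the poster's or the answerer's; all addresses, AS numbers and interface names are placeholders (documentation prefixes and private-use ASNs), and router B mirrors router A with ISP B and a lower local preference.

```cisco
! RouterA (ISR 2900). Placeholders: our AS 64500, ISP A AS 64501 at
! 198.51.100.1, public block 203.0.113.0/24, transit VLAN between the
! routers and the ASA outside interfaces 203.0.113.0/29 (RouterA .1,
! RouterB .2, ASA active .3, standby .4).
interface GigabitEthernet0/0
 description Link to ISP A
 ip address 198.51.100.2 255.255.255.252
interface GigabitEthernet0/1
 description Transit LAN: RouterB and ASA outside
 ip address 203.0.113.1 255.255.255.248
 ip ospf 1 area 0
! The /24 points at the active ASA outside IP; on failover the IP moves,
! so the static stays valid. The floating Null0 route keeps the prefix
! in BGP if the transit link flaps instead of withdrawing it.
ip route 203.0.113.0 255.255.255.0 203.0.113.3
ip route 203.0.113.0 255.255.255.0 Null0 254
! OSPF area 0 hands the ASA a default; the ISP link stays passive.
router ospf 1
 router-id 203.0.113.1
 passive-interface GigabitEthernet0/0
 default-information originate
! Announce only our /24 to the ISP and accept only a default from it,
! so the 2900 never becomes transit between ISP A and ISP B.
ip prefix-list OUR-BLOCK seq 5 permit 203.0.113.0/24
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
route-map ISPA-IN permit 10
 set local-preference 200
router bgp 64500
 bgp log-neighbor-changes
 network 203.0.113.0 mask 255.255.255.0
 neighbor 198.51.100.1 remote-as 64501
 neighbor 198.51.100.1 prefix-list OUR-BLOCK out
 neighbor 198.51.100.1 prefix-list DEFAULT-ONLY in
 neighbor 198.51.100.1 route-map ISPA-IN in
 neighbor 203.0.113.2 remote-as 64500
 neighbor 203.0.113.2 next-hop-self
!
! ASA active unit (replicated to the standby by failover). It runs OSPF
! on the outside subnet only and just listens for the default.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.3 255.255.255.248 standby 203.0.113.4
router ospf 1
 network 203.0.113.0 255.255.255.248 area 0
 log-adj-changes
```

With both routers originating a default into area 0, the ASA sees two equal-cost defaults and may load balance across them, as the answer notes; if one router dies, its default ages out and the ASA keeps using the survivor.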