I agree with @network_ninja but will extend it a bit.
How I'd solve this
    Router1--L3--Router2
       |            |
       |            |
    Switch1--L2--Switch2
       |     |      |
       |     |      |
      PC1   PC2-----+
Router1 and Router2 are running VRRP, HSRP, GLBP or CARP to produce virtual default-GW IP address to the LAN.
This protocol will converse over the Switch core to agree which of the routers is owning the default-GW IP address at any given time.
PC2 is a redundant Linux server which uses 'bonding' to connect redundantly to the switches; it should be configured so that if the virtual default-GW IP address stops responding to ARP WHO-HAS, it will switch to the backup connection. The IP address itself is not on the physical interfaces but on the virtual bonding interface.
An equivalent solution is available for other OSes, but it is often not included in the base OS package.
PC1 is a non-redundant server.
Switches are not running anything special, no spanning tree (as there is no L2 loop) and no LACP. They can be from different vendors and can be taken down for maintenance separately.
Routers are not running any switching, IP addresses are configured directly in the L3 interfaces facing the switches.
If you choose VRRP as your first-hop redundancy protocol, the routers can be from different vendors. Each router can be taken down for maintenance separately by gracefully switching the VRRP priority before working on the primary.
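The bonding setup for PC2 is the part of this design that is easiest to get subtly wrong: the bond has to be in active-backup mode (the switches run no LACP) and its link monitor has to ARP the routers' virtual gateway address, not a physical router address. The following health check, added here as an example and not part of the original answer, parses the Linux bonding driver's status report (the format of /proc/net/bonding/<bond>) and flags a bond that would not fail over as described. The status text is a constructed sample; the gateway VIP 192.0.2.1 and the interface names are assumptions.

```python
"""Health check for the redundant Linux server (PC2) described above: an
active-backup bond whose link monitor ARPs the routers' virtual gateway.

Added example, not from the original answer. The bonding status text is a
constructed sample in the format of /proc/net/bonding/<bond>; the gateway
address 192.0.2.1 and the interface names are assumptions.
"""
import sys

# Constructed sample in the /proc/net/bonding/bond0 format (Linux bonding
# driver); all values are made up for this example.
SAMPLE_BOND0 = """\
Ethernet Channel Bonding Driver: v5.15.0

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth0
MII Status: up
MII Polling Interval (ms): 0
Up Delay (ms): 0
Down Delay (ms): 0
ARP Polling Interval (ms): 1000
ARP IP target/s (n.n.n.n form): 192.0.2.1

Slave Interface: eth0
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 02:00:00:00:00:01
Slave queue ID: 0

Slave Interface: eth1
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 2
Permanent HW addr: 02:00:00:00:00:02
Slave queue ID: 0
"""


def parse_bond_status(text):
    """Split the driver's report into the master's key/value block and one
    dict per enslaved interface (blocks are separated by blank lines)."""
    master, slaves = {}, []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)  # MAC addresses keep their colons
                fields[key.strip()] = value.strip()
        if "Slave Interface" in fields:
            slaves.append(fields)
        else:
            master.update(fields)
    return master, slaves


def check_bond(text, gateway_vip):
    """Return the active slave plus a list of findings that would stop the
    failover described in the answer from working."""
    master, slaves = parse_bond_status(text)
    findings = []
    if "active-backup" not in master.get("Bonding Mode", ""):
        findings.append("mode is not active-backup (the switches run no LACP, "
                        "so aggregating modes cannot be used)")
    if master.get("ARP Polling Interval (ms)", "0") == "0":
        findings.append("ARP polling is disabled; link state is not probed via ARP")
    targets = [t.strip() for t in
               master.get("ARP IP target/s (n.n.n.n form)", "").split(",") if t.strip()]
    if gateway_vip not in targets:
        findings.append(f"virtual gateway {gateway_vip} is not an ARP target "
                        f"(targets: {targets or 'none'})")
    if len(slaves) < 2:
        findings.append(f"only {len(slaves)} interface(s) enslaved; no redundancy")
    down = [s["Slave Interface"] for s in slaves if s.get("MII Status") != "up"]
    if down:
        findings.append("slave(s) down: " + ", ".join(down))
    return {
        "active": master.get("Currently Active Slave"),
        "link_failures": {s["Slave Interface"]: int(s.get("Link Failure Count", 0))
                          for s in slaves},
        "findings": findings,
    }


if __name__ == "__main__":
    # Usage: bondcheck.py [/proc/net/bonding/bond0] [gateway-vip]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    vip = sys.argv[2] if len(sys.argv) > 2 else "192.0.2.1"
    status = open(path).read() if path else SAMPLE_BOND0
    report = check_bond(status, vip)
    print(f"active slave: {report['active']}, link failures: {report['link_failures']}")
    for finding in report["findings"]:
        print("FINDING:", finding)
    sys.exit(1 if report["findings"] else 0)
```

Run it against the real status file on the server (first argument) with the VRRP/HSRP virtual address as the second argument; a non-zero exit means the bond would not fail over the way the answer expects. The "Link Failure Count" per slave is worth graphing: a rising count on one slave while the other stays at zero is the usual first sign that one switch is flapping during maintenance.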
Best practice wise - should I let the router or the ASA handle NAT (Overloading)?
In the most general of design best practices NAT is performed between an inside and outside network. NAT overloading is generally performed at the edge when there is limited public IP address space. You can learn more about NAT overloading, also known as Port Address Translation or PAT, in RFC 2663 (PAT is referred to as Network Address Port Translation (NAPT) in section 4.1.2).
In this particular scenario you can argue that you have two inside and outside networks and will need to perform some form of NAT on both the ASA (whether that is the NAT overloading you're using now, NAT exemption, static NAT, etc) and the Cisco Router.
I can ping the 172.16.2.2 interface but not 172.16.2.1 from a PC connected to one of the layer 2 switches (proves intervlan routing is working -- I have a 172.20.100.8 address on the PC). Why can't I ping 172.16.2.1 from a PC but I can from the Layer 3 Switch?
The ASA 172.16.2.2 is receiving the ICMP echo-request but does not have a route back to 172.20.100.0/27. The echo-reply is actually being forwarded to the Router 172.16.1.1 via the default route.
And most of all -- Why can't I get out to the Internet from the Layer 3 switch?
Currently your ASA and Cisco Router do not have routes to internal devices other than their connected routes.
Your ASA configuration:
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
This will provide a default route via the outside interface, but how will the ASA know how to reach subnets residing behind the Layer 3 Distribution Switch?
You'll need to add routes to the internal subnets via the inside interface using the Layer 3 Distribution Switch as the next-hop IP address.
ASA static routing example:
route inside 172.19.12.0 255.255.255.240 172.16.2.2
route inside 172.19.3.0 255.255.255.0 172.16.2.2
route inside 172.20.100.0 255.255.255.224 172.16.2.2
Further reading: ASA static routing
Your Cisco Router's configuration:
ip route 0.0.0.0 0.0.0.0 200.200.200.200
Additionally, how will your border router know how to reach subnets other than its connected routes and the catch-all default route via the outside interface's next-hop address 200.200.200.200?
Router static routing example:
ip route 172.19.12.0 255.255.255.240 172.16.1.10
ip route 172.19.3.0 255.255.255.0 172.16.1.10
ip route 172.20.100.0 255.255.255.224 172.16.1.10
ip route 172.16.2.0 255.255.255.224 172.16.1.10
Further reading: ISR static routing
I cannot get an ip address right now from the DHCP server (Windows).
Any insight into why?
Ensure you have end-to-end IP reachability between the client(s) sending DHCP discover messages and the DHCP server.
From what I can gather from your topology and configuration, the subnets 172.19.3.0/24, 172.19.12.0/28 and 172.20.100.0/27 should have no issues connecting to each other (assuming they are configured to use their respective default gateways) from a networking perspective.
You can remove the ip helper-address syntax from SVI 100, given that the DHCP server is on the same segment; that command is used for DHCP server(s) on a different segment.
interface Vlan100
ip address 172.20.100.1 255.255.255.224
ip helper-address 172.20.100.27
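The "no route back" diagnosis above can be reproduced with a longest-prefix-match lookup over the static routes quoted in the answer: with only the default route, the ASA's echo-reply to 172.20.100.8 matches 0.0.0.0/0 and leaves via the outside interface toward 172.16.1.1; once the inside routes are added, the /27 wins and the reply goes back through the distribution switch. The script below is an added example, not part of the original answer; it parses the ASA `route <ifname> ...` and IOS `ip route ...` lines exactly as written above, and its only assumption is that the ASA's inside interface faces the Layer 3 distribution switch.

```python
"""Reproduce the 'no route back' diagnosis above with a longest-prefix-match
lookup over the static routes quoted in the answer.

Added example, not part of the original answer. It parses the ASA
'route <ifname> ...' and IOS 'ip route ...' lines as written above; the only
assumption is that the ASA's inside interface faces the distribution switch.
"""
import ipaddress

# The ASA as it was (only a default route) and with the inside routes the
# answer recommends; prefixes and next hops are those quoted above.
ASA_BEFORE = "route outside 0.0.0.0 0.0.0.0 172.16.1.1 1\n"
ASA_AFTER = ASA_BEFORE + """\
route inside 172.19.12.0 255.255.255.240 172.16.2.2
route inside 172.19.3.0 255.255.255.0 172.16.2.2
route inside 172.20.100.0 255.255.255.224 172.16.2.2
"""
# Same for the border router: default route only, then with internal routes.
ROUTER_BEFORE = "ip route 0.0.0.0 0.0.0.0 200.200.200.200\n"
ROUTER_AFTER = ROUTER_BEFORE + """\
ip route 172.19.12.0 255.255.255.240 172.16.1.10
ip route 172.19.3.0 255.255.255.0 172.16.1.10
ip route 172.20.100.0 255.255.255.224 172.16.1.10
ip route 172.16.2.0 255.255.255.224 172.16.1.10
"""


def parse_static_routes(config):
    """Turn ASA ('route IFNAME NET MASK NH [metric]') and IOS
    ('ip route NET MASK NH') lines into (network, egress, next_hop) tuples.
    IOS resolves the egress interface from the next hop, so egress is None."""
    routes = []
    for line in config.splitlines():
        parts = line.split()
        if parts[:2] == ["ip", "route"] and len(parts) >= 5:
            egress, net, mask, nh = None, parts[2], parts[3], parts[4]
        elif parts[:1] == ["route"] and len(parts) >= 5:
            egress, net, mask, nh = parts[1], parts[2], parts[3], parts[4]
        else:
            continue  # blank line or not a static route
        routes.append((ipaddress.ip_network(f"{net}/{mask}"), egress,
                       ipaddress.ip_address(nh)))
    return routes


def lookup(routes, destination):
    """Longest-prefix match: the most specific route containing destination."""
    dst = ipaddress.ip_address(destination)
    best = None
    for net, egress, nh in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress, nh)
    return best


def reply_route(config, destination):
    """Which route the device would use to send a reply toward destination,
    or None when nothing matches (the reply would be dropped)."""
    match = lookup(parse_static_routes(config), destination)
    if match is None:
        return None
    net, egress, nh = match
    return {"prefix": str(net), "egress": egress, "next_hop": str(nh)}


if __name__ == "__main__":
    pc = "172.20.100.8"  # the PC from the question
    for label, cfg in (("ASA before", ASA_BEFORE), ("ASA after", ASA_AFTER),
                       ("Router before", ROUTER_BEFORE), ("Router after", ROUTER_AFTER)):
        print(f"{label:14s} reply to {pc} via {reply_route(cfg, pc)}")
```

This models only the routing-table lookup. A real ASA additionally applies per-interface security levels, NAT and (if enabled) reverse-path checks, so fixing the route table is necessary but may not be sufficient; the first thing to confirm after adding the routes is that `show route` on the ASA lists the /27 on the inside interface.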
Best Answer
You'll need some kind of L2 switch for the HSRP to work for you in this setup. The switch will give your Routers/ASAs what they need to "share" their Layer 3 address (as Ron Maupin said above). I'm guessing you must have these connections currently set up to run directly from each device to the next with no switch fabric in place?
Keep in mind, while you'll have redundancy at the hardware level for the routers, you won't have redundancy in your switch fabric for the ASAs/Routers if you only add a single L2 switch. If the switch goes down, your hardware redundancy doesn't do much for you. Consider adding two layer 2 switches at some point in parallel (A and B side, if you will). Just something to think about, but I'm sure you have.
L2 Switch ports - configured with a single VLAN shared for both Routers and the Firewalls.
Ports on ASA/Routers - Same as you would have normally configured them, except with your Routers using HSRP and your ASAs set up for HA like Active/Standby failover.