Firewall – Border firewalls and routing — static vs dynamic routing


Border topology for largish enterprise http://www.freeimagehosting.net/uploads/d24ede3b2f.png

Let's say you've got an enterprise with a small internet presence in the form of a DNS server, a web server, and a VPN server, all on the DMZ (in this case, an invisible pair of switches connected directly to the firewalls). There are also 20,000 nodes inside the enterprise network, spread across lots of buildings, with lots of routers and VLANs and such. The enterprise is full of very important, very busy people who like to be able to get to Facebook without delay… Everything gets NATed; the DMZ has static symmetric NATs and everyone else gets to share outgoing IP addresses from a pool set aside for this purpose.

The border is a pair of routers connected to each other and the firewalls via a pair of gig ethernet switches, and to the ISPs via metro ethernet. The border routers exchange routes with the ISPs via eBGP and with each other via iBGP. The interior network has diverse routes to any point in the network and uses a dynamic routing protocol to manage failover and route distribution.

The firewalls are connected to the enterprise core via a pair of routers in the datacenter.

My question is this:

Static routes or dynamic routing protocols?

  • static routes:

    Each set of devices has static routes and uses some mechanism like VRRP or HSRP to manage the L2<->L3 failover. The firewalls would point to the virtual address for the border routers for the enterprise default route, the interior routers would point to the virtual address of the firewalls for their default route, and the firewalls would point to the virtual address of the interior routers for 10.0.0.0/8.

  • dynamic routing:

    Use iBGP between the firewalls and the border routers and OSPF / EIGRP between the firewall and the interior routers.

I've seen that people use the static route model far more often than the dynamic routing model. My question is — why?

What are the best practices for this sort of topology? Or is this just a religious sort of issue?

Best Answer

Put external routers into HSRP/VRRP pair. Get an AS. Start doing BGP with your ISPs.

Then, everywhere inside your environment, the paths will be static. You just need to have failover, and that's what's achieved with VRRP/HSRP and firewalls in A/A or A/S configuration.

Alternatives are messier and/or less robust:

  • Dynamic throughout is an unnecessary hassle.
  • Static outbound on the firewalls would make it difficult/inflexible/impossible to use both uplinks simultaneously.
  • Inbound redundancy will be a world of pain without kludges like PePLink/Ecessa/EdgeXOS.
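A worked version of the static-route plus HSRP design the answer recommends, as an added example that is not part of the original question or answer. It is Cisco IOS-style configuration for one border router and one datacenter router; the syntax, interface names, the documentation-range addresses and the 10.255.0.0/24 firewall-inside segment are all assumptions. The point it adds is upstream tracking: the border VIP has to move when an ISP link fails, otherwise the firewalls' static default keeps forwarding into a router with no path out.

```cisco
! Added example, not from the original post. Border router A of the HSRP pair
! (router B is the same with .3 addresses and priority 100). Addresses assumed.
!
! Track the ISP uplink so this router's HSRP priority drops below router B's
! and the VIP moves when the uplink dies. Without this, the firewalls' static
! default route still points at a live VIP on a router that has lost its
! path out: a blackhole, not a failover.
! Caveat: line-protocol tracking does not notice a dead eBGP session on a
! live link; "track 10 ip route <prefix> reachability" on a route the ISP
! advertises covers that case when such a route is available.
track 10 interface GigabitEthernet0/0 line-protocol
!
interface GigabitEthernet0/0
 description Metro ethernet uplink to ISP-A (eBGP peer)
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/1
 description Border switch pair, toward the firewalls
 ip address 192.0.2.2 255.255.255.0
 standby version 2
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt delay minimum 60
 standby 1 track 10 decrement 20
!
! Firewall static routes (vendor syntax omitted): 0.0.0.0/0 via 192.0.2.1,
! 10.0.0.0/8 via 10.255.0.1 (the datacenter routers' VIP configured below).
!
! Datacenter router A on the firewall-inside segment. Its default route
! points at the firewalls' inside VIP (assumed 10.255.0.254) and is
! originated into the interior IGP so the rest of 10.0.0.0/8 follows it;
! everything past this point stays static, as the answer describes.
interface GigabitEthernet0/0
 description Toward firewall pair (inside)
 ip address 10.255.0.2 255.255.255.0
 standby 2 ip 10.255.0.1
 standby 2 priority 110
 standby 2 preempt
!
ip route 0.0.0.0 0.0.0.0 10.255.0.254
!
router ospf 1
 network 10.255.0.0 0.0.0.255 area 0
 default-information originate
```

Verify failover by shutting the ISP-facing interface on router A and confirming with "show standby brief" that router B becomes active for group 1 before trusting the design in production.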