Firewall and Addressing questions

Simrid Member Posts: 327
Hi All,

I have a few questions regarding switching and default gateways within a real world environment:

1) Within a properly designed network (access, distribution, core), first hop redundancy protocols could be used at the distribution level. If I then wanted to forward the traffic off campus connected to the other end of the core router, would you issue the ip default-gateway command on the switch or would you create a static route to forward the needed traffic across the core link or to the outside world?

2) Firewalls then come into the situation: would you make your default gateway (considering that's where NAT happens) the inside interface of the ASA firewall? If not, would you create a static route again?

3) When you are using an ASA firewall, do you need to create a policy map to allow routing updates such as OSPF to go from outside to inside, etc.?

I hope this makes sense.

Thanks.
Network Engineer | London, UK | Currently working on: CCIE Routing & Switching

sriddle.co.uk
uk.linkedin.com/in/simonriddle

Comments

  • networker050184 Mod Posts: 11,962 Mod
    The ip default-gateway command is not for forwarded traffic. You would use a default route in that situation.

    It really depends on your design. Usually the default gateway as the inside IP is fine. Unfortunately ASAs do not support secondary IPs, so a lot of the time people will do a P2P with a router and route blocks at it.

    You aren't going to be sending routing updates through the firewall.
    An expert is a man who has made all the mistakes which can be made.
  • Simrid Member Posts: 327
    Thanks for your reply. Interesting, I guess running HSRP at the distribution level will still help to provide resilience within your network. Of course I won't be, my derp mistake! Thanks for picking up on that.

    These questions were in line for my new job I start next week, trying to cram in a lot of bits before I start. Thanks for clarifying.
    Network Engineer | London, UK | Currently working on: CCIE Routing & Switching

    sriddle.co.uk
    uk.linkedin.com/in/simonriddle
  • shortstop20 Member Posts: 161
    Simrid wrote:
    Hi All,

    I have a few questions regarding switching and default gateways within a real world environment:

    1) Within a properly designed network (access, distribution, core), first hop redundancy protocols could be used at the distribution level. If I then wanted to forward the traffic off campus connected to the other end of the core router, would you issue the ip default-gateway command on the switch or would you create a static route to forward the needed traffic across the core link or to the outside world?

    2) Firewalls then come into the situation: would you make your default gateway (considering that's where NAT happens) the inside interface of the ASA firewall? If not, would you create a static route again?

    3) When you are using an ASA firewall, do you need to create a policy map to allow routing updates such as OSPF to go from outside to inside, etc.?

    I hope this makes sense.

    Thanks.


    1) There would be either a routing protocol or some static routes between the distribution and core layers. That is what would be used to forward the traffic.

    2) Typically, a client's default gateway would be on a Layer 3 switch or possibly a router. Then you'd route between the switch/router and the firewall.

    3) You wouldn't have routes passing through the ASA.
    CCNA Security - 6/11/2018
    CCNP TShoot - 3/7/2018
    CCNP Route - 1/31/2018
    CCNP Switch - 12/10/2015
    CCNA R/S - 1/14/2015
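The design both replies describe, as an added constructed example (not configuration posted by anyone in this thread): a Layer 3 distribution switch running HSRP with a default route toward the core rather than `ip default-gateway`, a core router on a point-to-point link to the ASA inside interface, and static routes on the ASA instead of OSPF adjacencies through the firewall. All addresses, VLAN numbers and interface names are assumed; the distribution-to-core link uses statics here for brevity where a real design would more likely run OSPF.

```cisco
! --- Distribution switch A (Layer 3, HSRP active for VLAN 10) ---
ip routing
!
interface Vlan10
 description User VLAN; hosts use 10.10.10.1 (HSRP VIP) as gateway
 ip address 10.10.10.2 255.255.255.0
 standby 10 ip 10.10.10.1
 standby 10 priority 110
 standby 10 preempt
!
interface GigabitEthernet1/0/1
 description Routed uplink to core
 no switchport
 ip address 10.0.0.2 255.255.255.252
!
! Forwarded (transit) traffic needs a default ROUTE toward the core.
! "ip default-gateway" only applies when ip routing is off (management traffic).
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
! --- Core router: P2P link to the ASA inside interface ---
interface GigabitEthernet0/0
 description Downlink to distribution A
 ip address 10.0.0.1 255.255.255.252
!
interface GigabitEthernet0/1
 description P2P to ASA inside
 ip address 192.168.100.2 255.255.255.252
!
ip route 10.10.0.0 255.255.0.0 10.0.0.2
ip route 0.0.0.0 0.0.0.0 192.168.100.1
!
! --- ASA: no OSPF through the firewall, static routes only ---
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.252
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
route inside 10.0.0.0 255.0.0.0 192.168.100.2 1
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
object network CAMPUS
 subnet 10.0.0.0 255.0.0.0
 nat (inside,outside) dynamic interface
```

Because the ASA only needs the `route inside` summary pointing at the core router, internal prefix changes stay on the core/distribution side and the firewall never has to accept a routing protocol from a lower-security interface.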