AdTran Routers or ASA firewalls needed for EVPL?

tdean Member Posts: 520
We are upgrading our Verizon E-LAN point-to-point connection with an EVPL. The Verizon guy wants us to put in 2 AdTran routers and config each end like that. We are currently adding an ASA 5510 at each location. Wouldn't the firewalls be needed anyway? It seems the AdTrans are redundant since routing can be done on the ASAs? Am I wrong?

Comments


    unclerico Member Posts: 237
    I think your security requirements will dictate whether the firewalls are needed. My view of ASAs is that they are not routers. Yes, they have support for dynamic routing protocols, but I feel the support is for basic connectivity only. The QoS feature set isn't as robust as what you'll find in a router as well. Again, your requirements will dictate whether or not the ASAs will provide you with the features that you require. Adtrans are nice devices, very similar look and feel to IOS, so you can't go wrong.
    Preparing for CCIE Written

    tdean Member Posts: 520
    Hi unclerico, thanks for the reply; right now, the E-LAN is going through the firewalls (WatchGuards we are getting rid of). I'm trying to figure out how the config would work in both scenarios. If I go only routers, I'd have to add the IP routes or subnets for each location and go right into the switch? If I go routers and firewalls, I'd do the routing on the ASA devices and have the routers point to the "outside" interface?

    it_consultant Member Posts: 1,903
    There is no reason why you need to keep firewalls on either end of the point-to-point. The AdTrans are a good option and what I use frequently on COE and optical WAN connections. You may NEED to have the AdTrans there no matter what to break out PRIs or convert SIP trunks to PRIs for termination into a phone switch.

    unclerico Member Posts: 237
    tdean wrote: »
    Hi unclerico, thanks for the reply; right now, the E-LAN is going through the firewalls (WatchGuards we are getting rid of). I'm trying to figure out how the config would work in both scenarios. If I go only routers, I'd have to add the IP routes or subnets for each location and go right into the switch? If I go routers and firewalls, I'd do the routing on the ASA devices and have the routers point to the "outside" interface?
    Well, you essentially have two configs; one will be with either an ASA, Adtran, or multilayer switch on both sides of the P2P and the other will be with either an Adtran and an ASA or a L3 switch and an ASA. The first option you'll simply assign one interface ("outside") on each device an IP out of the /30 that you'll receive from your SP. One of the other interfaces ("inside") on each device will have an IP that connects to the rest of each LAN. The second option, you assign one interface on each device an IP out of the /30. You'll then configure another /30 to connect the "inside" of the router/L3 switch to the "outside" of the firewall. From there you assign the "inside" interface of each firewall an IP on each respective LAN it will connect to.

    I want to piggyback on what it_consultant said and reiterate that the device(s) you choose to terminate the connection will depend on your requirements. If you have a security requirement then you'll probably want to use the ASAs in some capacity. If you have requirements for VoIP termination, etc. then you will want to make sure you use either a router or L3 switch to terminate the circuit.
    Preparing for CCIE Written
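    The two layouts unclerico describes, written out as configuration for site A (site B mirrors it with the addresses swapped). This is an added example, not configuration from the thread or from Cisco or AdTran documentation. Interface names, the 192.168.1.0/24 and 192.168.2.0/24 LANs, the 10.0.0.0/30 across the circuit and the 10.0.1.0/30 router-to-firewall link are all constructed for illustration; the ASA lines assume the 8.3+ NAT model (no translation unless a nat statement exists), which is an assumption about the platform, not something the thread states.

```cisco
! ===== Option 1: the ASA terminates the EVPL directly (site A) =====
! Site A LAN 192.168.1.0/24, site B LAN 192.168.2.0/24, circuit /30 10.0.0.0/30
! (all addresses constructed for this example)
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.0.0.1 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! far LAN is reached via the far ASA's outside address
route outside 192.168.2.0 255.255.255.0 10.0.0.2
!
! inside -> outside passes by security level; traffic initiated from site B
! arrives on security-level 0 and must be permitted explicitly. Scope this
! to what the sites actually exchange rather than "permit ip any any".
access-list outside_in extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group outside_in in interface outside
! ASA 8.3+: nothing is translated without a nat statement (assumed here).
! On 8.2 with nat-control you would also need an identity NAT exemption.

! ===== Option 2: the AdTran terminates the EVPL, the ASA sits behind it (site A) =====
! --- AdTran (AOS) ---
interface eth 0/1
 description EVPL to site B
 ip address 10.0.0.1 255.255.255.252
 no shutdown
!
interface eth 0/2
 description link to ASA outside
 ip address 10.0.1.1 255.255.255.252
 no shutdown
!
! far LAN via the far router, local LAN via the ASA's outside address
ip route 192.168.2.0 255.255.255.0 10.0.0.2
ip route 192.168.1.0 255.255.255.0 10.0.1.2

! --- ASA (site A) ---
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.0.1.2 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! next hop is now the local AdTran, not the far end of the circuit
route outside 192.168.2.0 255.255.255.0 10.0.1.1
!
! the router forwards whatever arrives on the circuit; this ACL is still the
! only policy point between the far site and the local LAN
access-list outside_in extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group outside_in in interface outside
```

    The difference that matters for the original question is where policy is enforced: in option 1 the ASA is the only device between the two LANs, so its outside ACL is the inter-site policy; in option 2 the AdTran routes unconditionally and the ASA behind it still decides what reaches the LAN, while the router carries the features a firewall handles less well (QoS, voice termination) that the earlier replies mention.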

    it_consultant Member Posts: 1,903
    Interestingly, I have a similar scenario that is about to unfold for me and one of my clients. They currently have two sites linked by a VPN; security, NAT, and VPN are provided by a WatchGuard on either end of the tunnel. We are putting in a 10 MB point-to-point over Comcast (yes, I said Comcast) fiber. We are going to keep a cable modem at the small office for BS internet traffic but keep the P2P for voice (SIP phones) and business applications. I will keep the cable modem plugged into my untrusted port on the firewall (in my small location) and let it do its thing accordingly. Since the P2P is a layer 2 connection, I could just plug that into my switch and call it a day, but since I don't feel like renumbering my small office with new IP addresses, I will configure one of the additional ports on the WatchGuard as type "optional" and assign a unique IP address. The WG will automatically route between the optional and trusted networks. On my other WG I will do the same, and since the P2P is a broadcast domain between the two ends, I can simply use the same network as I assigned on the other WG's optional interface. This way my default gateway is aware of the alternate network over the P2P link.

    I do this because I am keeping a cable modem at that location and I have to web filter them through the firewall. If I didn't do that I would set up a layer 3 port on one of my switches (at the remote location) and assign it an IP on the network of the other side of the P2P link; I would then set up a subinterface on that routing port with what will be the default gateway of the local network. I would then keep my other location basically unchanged.

    Remember that a P2P is a layer 2 connection, so you can theoretically run a huge layer 2 network on the native VLAN. Or you could skip all the routing, keep all the connections as if you were to do a large layer 2 network, and divide it up into VLANs to hold down ARP traffic. Lots of options.

    tdean Member Posts: 520
    Wow.... exactly what I was looking for. Great info guys.