XG-1537 HA Pair - Dual WAN + Point to Point
I am beginning to install a Netgate XG-1537 HA pair with the additional x41G ports to replace some aging Cisco ASA 5520s. My planned method is to insert the pfSense cluster into the mix and migrate away from the ASAs.
Inherited network engineered in the mid 2000's with several quirky design "features" from what I have gathered thus far:
- WAN1: Microwave feeds into the main Cisco ASA 5520 with a static IP /30 network, 10M symmetrical. The inside interface of the ASA is using a 192.5.* /23 routable network on VLAN #. This ASA is mainly acting as a router, VPN termination and firewall.
- WAN2: A cable modem 650M pipe which feeds directly into a Cisco 3570G stacked switch acting as the main router for the network. Acts as some sort of Public/Private WiFi circuit to separate the wireless traffic onto a fat pipe on its own VLAN ##.
- PTP: A dedicated Ethernet circuit from your friendly cable provider in a different part of the building to connect a remote branch office a mile or two from the main facility, ~300M circuit. This circuit appears to pass through a layer 2 switch, then up to a core switch, then to another Cisco ASA 5520 acting as a router on a stick. I still need to crack into the ASA as the admin password is not known. There is some EIGRP in the mix on this Point to Point with some of the 3750s in the fleet.
- The LAN consists of a couple of handfuls of VLANs running on the core LAN and access switches. Something in the range of 400-500 devices. The VLANs and switchports have not been managed very well, so there is some VLAN hopping going on and all sorts of shenanigans.
I still have my hard copy of the original pfSense Definitive Guide and still use some of the pearls contained within. I am looking at Chapter 20, for the old timers...
My plan is to deploy the pfSense HA pair, one at the East end and one at the West end of the building, with fiber and media converters for the Sync link into the XG-1537. Move WAN2 from the old central data center to the West side of the building, keep the WAN1 Microwave in the center, and split it to East and West using fiber with media converters into the 1537.
Which would be the most flexible and scalable for failover and redundancy? I am looking at figure 20.11 in the book and the HA config in the online book.
Route the conductors for WAN circuits 1 and 2 into the area of each 1537, set up a switch with configured VLANs and then configure a trunk to go into the WAN port of the 1537 on each side? Or come out of the switch into WAN with one circuit and into OPT1 with the other?
The Point to Point circuit will need to figure into the mix on OPT2, or can it be included in the router-on-a-stick design for a multi-WAN config? And the HA Redundancy section of the current docs.
- Isolate the WAN1 ASA by migrating all VPNs away to the pfSense cluster.
- The ISP for WAN1 was nice enough to provide me with an additional /28 static block right from their router on prem, outside of the WAN1 static block. I have configured HA and assigned that to the WAN interface of the HA pair.
- With the pfSense cluster, bring together WAN1 and WAN2 for some failover and redundancy, possibly some load balancing.
- I am still wondering how to migrate that inside routable 192.5.* /23 network on VLAN # away from the ASA, or whether I should create my own LAN and leave that as a DMZ.
- Isolate the Wireless VLAN ## away from the cable modem and use OPT2 as a wireless captive portal and keep it completely separate, or keep it on its own internal VLAN. (Ruckus Controllers)
- I have run ASA cleanup to get rid of some of the cruft that has accumulated over the years... ~700 lines.. ; |
- I would like to use the 10G interfaces to tap directly into my aggregation switches on each end. Typical Cisco 3-tier architecture on this design, folks. I plan on using a 40G spine and 10G leaf architecture after the firewall extraction is complete.
Does this sound sane, or should I simply bite the big bullet and rip the ASA out and emulate the crusty and obscenely insane config with all sorts of old and outdated static routes and network groups and hosts and ... yuck.
Thanks for listening!