04-24-2023 11:49 PM
Hello,
I'm planning for a new FTD setup where the outside interface on the FTD connects with an etherchannel to a switch stack. On the same outside subnet there will be two ASR 1001 routers, each connected to a different ISP. Now on the FTD I want to add both those ASR routers as default gateways, load balance the traffic between them, and also use IP SLA if one of the ASR interfaces is down.
Would it be possible to achieve this by just adding two static routes with the same metric in the FTD, using the ASR routers as gateways, and then adding tracking with two IP SLA objects, one for each router interface?
I'm a bit unsure if this will be enough or if I need to configure ECMP as well?
Thanks
/Chess
04-25-2023 12:19 AM
@Chess Norris you can use ECMP zones to group the outside interfaces and load balance
04-25-2023 12:49 AM
@Rob Ingram In this case there is only a single outside interface on the FTD and the two ASR routers are on the same subnet. Is ECMP still a requirement, or is it only for situations where you are using multiple interfaces on the FTD?
04-25-2023 12:52 AM
@Chess Norris ok, FTD ECMP would be if you had multiple interfaces on the FTD.
In your situation then you only have 1 interface and 1 next hop, so if the ASR router has equal cost routes to the internet, let the ASR do the ECMP.
04-25-2023 01:39 AM
@Rob Ingram It will be only 1 interface on the FTD, but two next hops (one to each ASR).
04-25-2023 01:49 AM
@Chess Norris ok, so the switch is merely L2 then, so configure 2 default routes on the FTD.
04-25-2023 01:55 AM
Thanks Rob. We will try with that.
04-25-2023 01:03 AM - edited 04-25-2023 01:03 AM
Configure HSRP in the ASRs and add a default route in the FTD toward the VIP of HSRP.
This gives you redundancy, not load balancing.
04-25-2023 01:29 AM - edited 04-25-2023 01:29 AM
I've suggested HSRP to the network team, but they were a bit doubtful about using it due to some previous issues with HSRP on ASR routers. Will it work by configuring two default gateways on the FTD with the same metric instead?
04-25-2023 01:44 AM - edited 04-25-2023 01:57 AM
You can associate the ECMP zone interfaces with equal cost static route by defining them with same destination and metric value, but with different gateway.
The FTD ECMP guide doesn't specify whether you can or cannot use the same interface, but it mentions you must use different gateways, and that is the same in your case: you use two gateways.
You can try to add the same interface and check if FTD accepts it.
04-25-2023 08:22 AM
I have used ASRs with separate ISPs as the devices to make routing decisions regarding availability and best path. Standard eBGP to the world and iBGP between them. Then an HSRP VIP that the FTD device points to as the default gateway for first hop redundancy.
That way the firewall has the simplest possible external routing and you still get all the benefits of BGP full tables along with resiliency, redundancy etc.
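As an added illustration of the design described in this reply (not the poster's own configuration), here is one ASR's inside-facing HSRP setup on IOS-XE, with the HSRP priority tied to an IP SLA probe toward that ASR's ISP next hop so the VIP moves to the peer ASR when the uplink fails. All interface names, addresses and group numbers are assumed placeholders; the peer ASR uses the same VIP with the default priority.

```ios
! ISP-facing uplink (placeholder addressing, RFC 5737 ranges)
interface GigabitEthernet0/0/0
 description Uplink to ISP-A
 ip address 198.51.100.2 255.255.255.252

! IP SLA probe toward the ISP-A next hop, sourced from the uplink
ip sla 10
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/0/0
 frequency 10
ip sla schedule 10 life forever start-time now

! Track object goes down when the probe loses reachability
track 10 ip sla 10 reachability

! Inside-facing interface on the shared outside subnet with the FTD
interface GigabitEthernet0/0/1
 description Outside subnet shared with FTD
 ip address 203.0.113.2 255.255.255.0
 standby version 2
 standby 1 ip 203.0.113.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 10 decrement 20
```

The FTD then needs only a single default route to 203.0.113.1; when track 10 fails, this ASR's priority drops to 90 and the peer (priority 100) takes over the VIP.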
04-25-2023 08:25 AM
I already suggested HSRP to him, but he mentioned that the ASR has some issue with HSRP.
Thanks
04-25-2023 08:31 AM
I've used HSRP this way successfully on several deployments where the customer ASR is the small-medium type (1002, 1006 models I recall) running IOS-XE.
I have not had the chance to try it on one of the big ASR 9k series models that run IOS-XR.
04-26-2023 05:13 AM
HSRP was my first thought as well, but the network team that deals with the routers was against it from previous experiences. Anyway, thanks for confirming that HSRP is working; we can have that as a backup plan if the other solution doesn't work.
/Chess