HSRP/BGP/Radware

rbinc
Level 1

Hi All:

We are looking into adding more T1s for redundancy and possible load balancing. In addition, we want to add another router for fault tolerance in case the existing router dies. Right now, we are looking into 4 T1s, a pair from the same provider. We were thinking about the following configuration but are not sure if it will work:

T1 T1 T1 T1

<3725> <3725> (using hsrp)

|

|

<pix525> <pix525> (failover unit)

The T1s would be configured to use BGP for load balancing at the vendor and then use BGP to load share across the pairs. (I hope that makes sense).

So, my questions are:

1. Could I use hsrp for an internet router?

2. Should I use a radware box instead of bgp altogether for the T1s? Or is RADWARE just hype?

Our goal is load balancing and fault tolerance. We want to make sure we are covered from the T1s to the firewalls.

Any info would be greatly appreciated.

-J

2 Replies

rajesh444
Level 1

Hi,

Yes, it is possible to have HSRP running on your gateway routers.

The following links should be useful:

How to Use HSRP to Provide Redundancy in a Multihomed BGP Network:

http://www.cisco.com/en/US/partner/tech/tk365/tk80/technologies_configuration_example09186a0080093f2c.shtml

Sample Configurations for Load Sharing with BGP in Single and Multihomed Environments:

http://www.cisco.com/en/US/partner/tech/tk365/tk80/technologies_configuration_example09186a00800945bf.shtml

Hope this helps,

Rajesh

vcjones
Level 5

Your diagram did not survive the forum's reformatting, but you actually have multiple issues/tradeoffs you need to resolve, in addition to your two explicit questions.

But starting with your two questions:

1. Could I use hsrp for an internet router?

Yes you can, on any LAN(s) the two internet routers have common access to. This may or may not be appropriate depending on how the firewalls are attached. It is almost never appropriate if there are any exposures on the LAN, as HSRP does not have strong authentication of peers, leaving it susceptible to DOS attacks.

2. Should I use a radware box instead of bgp altogether for the T1s? Or is RADWARE just hype?

RADWARE makes some good boxes, and they can work. But like your proposed Cisco configuration, it all depends upon how you set it up and manage it. Keep in mind that you actually need two Radware boxes if you don't want to introduce another single point of failure.

A few questions you neglected to ask:

3. What's the best way to configure the firewalls to provide useful redundancy?

4. How should I set up inside the firewalls to provide useful redundancy?

5. Would it be more effective to do my load balancing inside the firewalls instead of outside?

6. Should I use MLPPP on my T1 pairs or equal cost load balancing or ATM IMA?

7. How do I get adequate physical diversity in my T1 lines so the same backhoe doesn't get all four?

You also imply that all your T1 lines go to a single ISP, which leads to...

8. How do I survive a meltdown of my ISP?

And if you are providing a service to the outside world...

9. How do I deal with distributed denial of service attacks?

And, finally,

10. Which is more important: load balancing or fault tolerance?

Note that some of these are questions you need to answer, because they are driven by your business needs.

Load balancing -- fault tolerance -- cost/complexity ... You only get to choose two out of three.

Vincent C Jones

www.networkingunlimited.com
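
A defensive check for the HSRP exposure raised in the reply above, as an added example that is not part of the original thread: it decodes HSRP version 1 messages (field layout per RFC 2281) seen on the LAN shared by the two routers and flags unexpected senders, a changed virtual IP, and the default clear-text authentication string. The peer addresses, virtual IP, and sample payloads are constructed assumptions using documentation addresses.

```python
import struct

# HSRPv1 payload (RFC 2281, UDP 1985, 20 bytes): version, opcode, state, hellotime,
# holdtime, priority, group, reserved, 8-byte auth data, 4-byte virtual IP.
HSRP_V1 = struct.Struct("!8B8s4s")
OPCODES = {0: "hello", 1: "coup", 2: "resign"}
DEFAULT_AUTH = b"cisco\x00\x00\x00"  # RFC 2281 default, sent in clear text

def parse_hsrp(payload):
    """Decode one HSRPv1 payload into a dict; raise ValueError if malformed."""
    if len(payload) != HSRP_V1.size:
        raise ValueError("HSRPv1 payload must be 20 bytes")
    ver, op, state, _hello, _hold, prio, group, _rsvd, auth, vip = HSRP_V1.unpack(payload)
    if ver != 0 or op not in OPCODES:
        raise ValueError("not an HSRPv1 message")
    return {"opcode": OPCODES[op], "state": state, "priority": prio, "group": group,
            "auth": auth, "vip": ".".join(str(b) for b in vip)}

def audit(messages, expected_peers, expected_vip):
    """Return (source, reason) findings for a list of (source_ip, payload) pairs."""
    findings = []
    for src, payload in messages:
        try:
            msg = parse_hsrp(payload)
        except ValueError as exc:
            findings.append((src, f"malformed: {exc}"))
            continue
        if src not in expected_peers:
            findings.append((src, f"{msg['opcode']} from unexpected sender"))
        if msg["vip"] != expected_vip:
            findings.append((src, f"unexpected virtual IP {msg['vip']}"))
        if msg["auth"] == DEFAULT_AUTH:
            findings.append((src, "default clear-text authentication string"))
    return findings

def build(op, state, prio, auth, vip):
    """Construct a sample HSRPv1 payload (hello 3 s, hold 10 s, group 1)."""
    return HSRP_V1.pack(0, op, state, 3, 10, prio, 1, 0, auth, bytes(vip))

# Constructed sample traffic: two expected routers, one unknown host, one short packet.
PEERS = {"192.0.2.2", "192.0.2.3"}
SAMPLE = [
    ("192.0.2.2", build(0, 16, 110, b"s3cr3t\x00\x00", [192, 0, 2, 1])),
    ("192.0.2.3", build(0, 8, 100, DEFAULT_AUTH, [192, 0, 2, 1])),
    ("192.0.2.50", build(1, 16, 255, DEFAULT_AUTH, [192, 0, 2, 1])),
    ("192.0.2.2", b"\x00\x00\x10"),
]
FINDINGS = audit(SAMPLE, PEERS, "192.0.2.1")
```
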