BGP multi-homing with two different providers – iBGP and traversal question.

kscottwoody
Level 1

I have two internet connections. Both connections are with different providers and on two separate routers. I have two ASAs that sit behind the routers and I proxy ARP all hosted services off of the ASAs' outside interface.

I am obtaining a provider independent AS number from ARIN and would like to set up eBGP peering with each provider, accepting a default route only and advertising my leased block (let's say 50.100.150.0/24). I'd like to prepend my AS on the ISP-B connection to ensure that it is only used as backup.

Here is the real question. I know I will need to allow TCP-179 through the ASAs to establish the iBGP connection, but because the hosts that I have at site A are proxy-ARP'd off of the firewall outside interface, I need some way for traffic to come in from ISP-B, to router B and then traverse over to router A so that it can be sent to ASA-Firewall A (please see attached diagram). What is the best way to accomplish this? A GRE tunnel between the routers and through the firewalls? I have ample bandwidth and low latency between site A and B.

Thanks

3 Replies

Collin Clark
VIP Alumni

I run iBGP between the routers in the 50.100.150.0/24 network. There's no technical need to have iBGP running on your internal network.

Is that orange line a direct connection between CPE routers? If yes, a direct iBGP connection is possible. If not, I suggest that you obtain one as it is almost impossible to make the ASAs stay in sync with BGP routing. (-: If you can't, then GRE could be a workaround.

Is ASA redundancy a requirement too? (I mean in case ASA-A fails, are the site-A servers supposed to be accessible via ASA-B?) If yes, you must ensure that the outgoing traffic (default route in internal network) is in sync with active ISP and asymmetric routing is prevented. You can solve that with object tracking and you need the same static NATs in both ASAs.

I would consider creating shared VLANs on ASA interfaces and form a failover pair too but it's a different setup.
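As an added illustration (not configuration posted by anyone in this thread), here is an IOS-style sketch of the design described in the question combined with the direct iBGP link suggested in the reply above: eBGP to each provider accepting a default only, advertising only 50.100.150.0/24, AS-path prepend toward ISP-B, and iBGP between the two CPE routers over a dedicated link. Everything except the /24 is assumed: AS 65000 stands in for the ARIN-assigned AS, 64501/64502 for the ISP ASNs, 203.0.113.1 and 198.51.100.1 for the provider peering addresses, 10.0.0.1/10.0.0.2 for the inter-router /30, and Router A's ASA-facing interface is assumed to be addressed from the /24 so the prefix is in its routing table. Peer names, route-map names and the password placeholder are likewise invented for the example.

```cisco
! ===== Router A (primary, peers with ISP-A) =====
! Assumes Router A's interface toward ASA-A is in 50.100.150.0/24,
! so the prefix exists in the RIB and the network statement originates it.
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
ip prefix-list OUR-BLOCK seq 5 permit 50.100.150.0/24
!
! Accept only a default from ISP-A and give it a high local-preference so
! both routers send outbound traffic via ISP-A while it is up. This keeps
! inbound and outbound paths symmetric, which matters with stateful ASAs.
route-map ISP-A-IN permit 10
 match ip address prefix-list DEFAULT-ONLY
 set local-preference 200
!
router bgp 65000
 bgp log-neighbor-changes
 network 50.100.150.0 mask 255.255.255.0
 neighbor 203.0.113.1 remote-as 64501
 neighbor 203.0.113.1 description eBGP to ISP-A (assumed ASN/address)
 neighbor 203.0.113.1 route-map ISP-A-IN in
 neighbor 203.0.113.1 prefix-list OUR-BLOCK out
 neighbor 203.0.113.1 maximum-prefix 5
 neighbor 10.0.0.2 remote-as 65000
 neighbor 10.0.0.2 description iBGP to Router B over the direct link
 neighbor 10.0.0.2 next-hop-self
 neighbor 10.0.0.2 password <shared-secret-placeholder>
!
! ===== Router B (backup, peers with ISP-B) =====
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
ip prefix-list OUR-BLOCK seq 5 permit 50.100.150.0/24
!
! Announce only our block toward ISP-B, prepended so it is the backup path.
route-map ISP-B-OUT permit 10
 match ip address prefix-list OUR-BLOCK
 set as-path prepend 65000 65000 65000
!
! Router B does not host the /24: traffic arriving from ISP-B for it is
! sent across the direct link to Router A, which forwards it to ASA-A.
! The static also puts the /24 in the RIB so Router B can originate it.
ip route 50.100.150.0 255.255.255.0 10.0.0.1
!
router bgp 65000
 bgp log-neighbor-changes
 network 50.100.150.0 mask 255.255.255.0
 neighbor 198.51.100.1 remote-as 64502
 neighbor 198.51.100.1 description eBGP to ISP-B (assumed ASN/address)
 neighbor 198.51.100.1 prefix-list DEFAULT-ONLY in
 neighbor 198.51.100.1 route-map ISP-B-OUT out
 neighbor 198.51.100.1 maximum-prefix 5
 neighbor 10.0.0.1 remote-as 65000
 neighbor 10.0.0.1 description iBGP to Router A over the direct link
 neighbor 10.0.0.1 next-hop-self
 neighbor 10.0.0.1 password <shared-secret-placeholder>
```

The inbound prefix-lists and outbound route-map/prefix-list are the part worth keeping even if the rest changes: they stop a provider from handing you a full table and stop you from leaking anything other than your own /24 to either ISP. The local-preference on Router A is what makes Router B prefer the iBGP default via Router A over its own eBGP default from ISP-B, so the return path does not diverge from the inbound path while ISP-A is up; when ISP-A fails, both routers fall back to ISP-B's default. Check the result with `show ip bgp summary` and `show ip bgp 0.0.0.0` on both routers before relying on it.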

Marwan ALshawi
VIP Alumni

Be careful with your setup as you may end up blackholing your traffic because you have FWs in the path.

Are these firewalls stateful or not? Are they clustered or standalone?