2 ISPs, 2 BGP routers, 1 Firewall, L3 core: What's the best way to balance outbound traffic?

2ndcongress · ‎06-14-2017

Dear Experts,

We're working with a client to redesign their datacenter network from scratch. Client has plenty of equipment so we have a fair amount of flexibility in how the new network will be put together.

Having read a number of forum posts and whitepapers on various inbound and outbound load balancing/sharing approaches, I'm in need of some expert advice on how best to accomplish outbound load balancing/sharing across two ISP's.

Objectives:

1) To keep the design as simple and easy to maintain (and diagnose) as possible.

2) The ability to influence outgoing traffic in a way that will utilize both ISP connections. The outbound traffic split doesn't have to be perfect, and the rules don't have to be especially granular. The client has very bursty outbound traffic, so it is highly desirable to split the outbound over both ISP's to the extent possible.

3) If there is a way to keep inbound and outbound session traffic nailed to the same ISP, that would seem to be desirable.

Relevant details:

The two ASR1K routers are capable of running full routing tables.
We have a pair of ASA5585-X firewalls which we can set up as active/active or active/standby. Current plan is to set them up as active/standby using a single HSRP standby IP address as a default gateway for outbound internet traffic. If there are advantages to dedicating a firewall to each ISP/ASR, we're not opposed to maintaining two separate firewalls.
We have layer-3 switches so routing at the switch level is certainly possible.
We have extra ASR routers on hand that can be utilized if additional routers would improve the design.
The client has a very large block of BGP IPV4 addresses which they own.
The client actually owns two different AS numbers that can be used simultaneously if advantageous in some way.
The current plan for balancing inbound traffic is to break out individual /24's and influence the inbound balance by prepending additional hops.
I have run EIGRP in the past between ASA firewalls and core switches. If I had to choose an interior routing protocol, EIGRP would be preferred.
The current plan is to do NAT in the firewall for some but not all public IP's. The client has some virtual servers with hundreds of public IP addresses configured on them directly, so it is not easy to convert everything to a NAT'd DMZ/Public IP address pair.
We're a little unclear on what would happen if session traffic were to come in on ISP1 and be routed out ISP2. If the outbound route selected is completely independent of the inbound route, wouldn't that break https sessions?

Questions:

1) Is EIGRP between the ASA and the ASR routers an option?

2) What's the best way to do this?

Thank you!

Georg Pauwen · ‎06-14-2017

Hello,

first of all, with two ISPs, and since BGP selects only one single best path to a destination learned from different ASs, you cannot do load balancing. Load sharing is possible though.

Looking at your setup, in addition to running EIGRP between the ASA and the ASR routers, I would also configure a link between both ASR routers and make it an HSRP setup. You can then use AS-path prepending or community string for HSRP load sharing (see the link below for sample configurations (check Topology 6):

http://showipbgp.com/bgp-configurations/cisco.html

cofee · ‎06-14-2017

George,

can't they use local preference to manipulate outbound traffic and use AS prepending as you suggested for inbound traffic if both internal routers are ibgp neighbors? Use both the attributes in such a way that if isp 1 is used for prefix X for outbound traffic then return traffic is also via isp 1 for prefix X .