Solved: Re: Asymmetric Routing

rkalia1 · ‎08-21-2008

I have a scenario where Asymmetric Routing can give problems.I have 2 edge routers connecting to 2 different ISPs say ISP1 and ISP2.Preferred ISP is ISP1 for incoming and outgoing traffic. HSRP runs between inside interfaces of these routers and track the outside interface at the same time. These routers run Cisco IOS firewall too but the model of the router does not support Stateful Failover between the firewalls running on these two routers. Router model is 2811. Cisco has confirmed this. Now I have IPSec VPNs also terminated on the HSRP IP on this pair. We have configured eBGP so that send/receive traffic is through ISP1 and ISP2 path is standby and takes over if ISP1 link fails as per HSRP tracking.Now my question is that despite symmetric routing configuration in eBGP to send/receive traffic through ISP1 is there any chance that the return traffic may come through ISP2. If it does then this design has problems as the packet at the other router will get dropped as it is also running Stateful IOS firewall on it. Can anybody help me on this please?

Edison Ortiz · ‎08-27-2008

Your assumption is correct and you have to discuss with both ISPs on the best way to manipulate the return traffic. It's up to them, how to apply the best implementation because they are the one in control.

Good luck.

HTH,

__

Edison.

View solution in original post

Edison Ortiz · ‎08-21-2008

If you are using BGP in ISP2, you can use AS_PATH prepend out on that peer so the return traffic prefers the shortest path into your network which would be ISP1.

HTH,

__

Edison.

rkalia1 · ‎08-21-2008

I have done that already. Scenario is still to be tested though. But my apprehension is that even after doing this 100% symmetric routing can be achieved or not? Is there still a chance of return traffic to enter the network via second router and not the preferred one?

Edison Ortiz · ‎08-21-2008

You have very little control over the return traffic. If ISP2 does not observe your AS_PATH prepend, traffic can potentially come via that circuit.

__

Edison.

rkalia1 · ‎08-27-2008

Ediortiz, One more thing I want to clarify. If IPS2 refuses to observe AS_PATH prepend then I have a situation. As I am running 2 routers in parallel without a Stateful Failover and also running IOS firewall so it may happen that when the traffic returns through the ISP2 it will not find any TCP connection in the Stateful Table for allowing the return traffic and may drop the traffic. Please let me know if my assumption is correct.

Edison Ortiz · ‎08-27-2008

Your assumption is correct and you have to discuss with both ISPs on the best way to manipulate the return traffic. It's up to them, how to apply the best implementation because they are the one in control.

Good luck.

HTH,

__

Edison.

rkalia1 · ‎08-27-2008

Thanks man!!

Lei Tian · ‎08-23-2008

You can try to advertise out more specific routes to ISP1 and the summary route to ISP2. For example advertise out x.x.x.x/25 on your router connect to ISP1, advertise out x.x.x.x/24 on your router connect to ISP2.

Lei

Edison Ortiz · ‎08-27-2008

Lei,

Good approach, however - most ISPs don't allow a route with a subnet mask less than 24.

__

Edison.