Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1471
Views
0
Helpful
2
Replies

BGP and source based routing

Aaron Street
Level 1
Level 1

‎01-26-2015 08:32 AM - edited ‎03-05-2019 12:39 AM

Hi, 

 

I have 2 X cisco routers running BGP multihomed to our ISP, these two routers connect back in to our firewall (checkpoint) that is in a HA balanced pair. and for simplicities sake lets image I have 2 subnets that I advertise to the ISP A and B. 

 

The ISP has set up two community strings that correspond to the priority they set the route to, so I am currently advertising both subnets out of the primary link with the better community and out the backup link with the poorer community, so all traffic comes in via one link. 

 

What I would like to do is advertise subnet A out of link 1 and subnet B out of link 2, which is straight forward enough, but what I am not sure of is how best to do is the out bound policing.

 

I know I can statically do this on the fire wall if I wanted to, but this does not give me the dynamic fail-over I am looking for, and it means configuring the incoming routing policy on the routers and the outgoing on the firewall. Is there any way for an upstream router to request a downstream router takes the source IP address in to consideration when routing? 

I want to say " for source addresses in subnet A use path to link 1 as DFGW, if source address in subnet B use path to link 2". So I know how to do this with static configuration, but what about with dynamic routing protocols. 

 

Labels:
0 Helpful
2 Replies 2

Jon Marshall
Hall of Fame
Hall of Fame

‎01-26-2015 09:02 AM

Routing protocols populate the IP routing table and then the router can only forward based on destination IP address.

The only way to do it really is to use PBR on your routers together with tracking to failover if the link goes down. 

Because you have two routers you would need to make one the default gateway for the firewall and then do the PBR there. Which means unless you have a separate link between the routers then traffic for subnet B is going to go to the primary router and then have to be sent back out of the same interface to get to the other router.

This is assuming the inside interfaces are connected to a switch ie. they don't connect directly to the firewalls.

Tracking could be tricky if you are receiving routes from the provider and exchanging them between your BGP routers because there would always be a way to get to the tracked IP so PBR might not realise the link has failed.

Depends on how you have it setup.

Jon

 

0 Helpful

Aaron Street
Level 1
Level 1
In response to Jon Marshall

‎01-26-2015 09:13 AM

Hi, 

 

What I am considering doing is adding the Firewall in to the BGP domain, so it is aware of the exteranl link status to the ISP from both external routers. Although I could do the same by having the external routers advertise the default gateways (default information originate) with a tag/different metrics. 

this way the fire wall will see two OSPF advertisements, one from each external router, this is exactly what happens now. with the primary sending a route with higher priority. 

Question then.. Can I use the presence of a dynamic route in the policy of a router map? 

"if source = A then use next hop of OSPF/BGP route of tag Y"

 

I will go look :) as if so this is an answer to the issue. 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card