I have 2 x Cisco routers running BGP multihomed to our ISP. These two routers connect back in to our firewall (Check Point), which is in an HA balanced pair. For simplicity's sake, let's imagine I have 2 subnets, A and B, that I advertise to the ISP.
The ISP has set up two community strings that correspond to the priority they set the route to, so I am currently advertising both subnets out of the primary link with the better community and out the backup link with the poorer community, so all traffic comes in via one link.
What I would like to do is advertise subnet A out of link 1 and subnet B out of link 2, which is straightforward enough, but what I am not sure of is how best to do the outbound policing.
I know I can statically do this on the firewall if I wanted to, but this does not give me the dynamic fail-over I am looking for, and it means configuring the incoming routing policy on the routers and the outgoing on the firewall. Is there any way for an upstream router to request that a downstream router take the source IP address into consideration when routing?
I want to say "for source addresses in subnet A use the path to link 1 as the default gateway; if the source address is in subnet B use the path to link 2". So I know how to do this with static configuration, but what about with dynamic routing protocols?
Routing protocols populate the IP routing table and then the router can only forward based on destination IP address.
The only way to do it really is to use PBR on your routers together with tracking to failover if the link goes down.
Because you have two routers you would need to make one the default gateway for the firewall and then do the PBR there. Which means unless you have a separate link between the routers then traffic for subnet B is going to go to the primary router and then have to be sent back out of the same interface to get to the other router.
This is assuming the inside interfaces are connected to a switch, i.e. they don't connect directly to the firewalls.
Tracking could be tricky if you are receiving routes from the provider and exchanging them between your BGP routers because there would always be a way to get to the tracked IP so PBR might not realise the link has failed.
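As an added illustration of the PBR-plus-tracking approach described in this answer (constructed example, not configuration posted in the thread): the firewall-facing router policy-routes subnet A towards link 1 and subnet B towards link 2, each with the other link as the fallback next hop, and each next hop is only used while its IP SLA track is up. Interface names, prefixes and ISP next-hop addresses are placeholders.

```cisco
! Probe each ISP next hop directly. The probe follows the RIB, so target the
! directly connected ISP address; if that address is also reachable via the
! other router the track may stay up after a link failure (the caveat above).
ip sla 1
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/0
 frequency 5
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
ip sla 2
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/1
 frequency 5
ip sla schedule 2 life forever start-time now
track 2 ip sla 2 reachability
!
! Match on SOURCE address: this is what destination-based routing cannot do.
ip access-list extended SUBNET-A
 permit ip 192.0.2.0 0.0.0.127 any
ip access-list extended SUBNET-B
 permit ip 192.0.2.128 0.0.0.127 any
!
! Primary next hop first; the second entry is only tried if the first track is down.
route-map PBR-OUT permit 10
 match ip address SUBNET-A
 set ip next-hop verify-availability 198.51.100.1 10 track 1
 set ip next-hop verify-availability 203.0.113.1 20 track 2
route-map PBR-OUT permit 20
 match ip address SUBNET-B
 set ip next-hop verify-availability 203.0.113.1 10 track 2
 set ip next-hop verify-availability 198.51.100.1 20 track 1
!
! Apply inbound on the interface that receives traffic from the firewall.
interface GigabitEthernet0/2
 description inside, towards firewall
 ip policy route-map PBR-OUT
```

Traffic that matches neither ACL, or whose next hops are all down, falls through to normal destination-based routing; `show track` and `show route-map PBR-OUT` show which next hop is currently in use.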
What I am considering doing is adding the firewall in to the BGP domain, so it is aware of the external link status to the ISP from both external routers. Although I could do the same by having the external routers advertise the default gateways (default-information originate) with a tag/different metrics.
This way the firewall will see two OSPF advertisements, one from each external router, which is exactly what happens now, with the primary sending a route with higher priority.
Question then... Can I use the presence of a dynamic route in the policy of a route map?
"if source = A then use next hop of OSPF/BGP route with tag Y"
I will go look :) as if so, this is an answer to the issue.