
BGP Design & config help

a.hajhamad
Level 4

I posted a similar post in the LAN, Routing and Switching section by mistake, and I tried to delete it or move it here to WAN, Routing and Switching, but I can't.

Anyway, here is my discussion post, and I hope the admin can delete the duplicate post in the LAN, Routing and Switching section :)

My discussion post is:

Hello,

I have two Cisco routers (R1 & R2) that are connected to one ISP for internet connectivity and also connected to two FortiGate units, as described in the attached diagram.

I want the outbound traffic ("browsing" for my users) to go through R1, with R2 as backup, and also my servers' IPs, which are hosted on my side, to go through R2.

For outbound traffic: I will get the default route from the ISP using eBGP and prefer, for example, R1 over R2 using BGP local preference.

For inbound traffic: I will add my network, which is a /27, at both routers R1 & R2. Some IPs (for servers) inside this network I will advertise via R2 as a /32 for each IP, with R1 as backup in case R2 or its link goes down, and the major /27 network will be advertised via R1 with R2 as backup, using BGP AS prepend.

i.e. I will do AS prepend for the /27 with two AS paths, for example, at R2,

and also AS prepend for each server /32 with two AS paths, for example, at R1.

I'm planning to configure OSPF between R1, R2, and the FortiGate unit in order to redistribute the default route learned from eBGP into OSPF.

My questions:

1- Is it a good design? Or maybe there is a better one?

2- Do I need to redistribute my major network and also some IPs (the /32s mentioned above) from OSPF into BGP, or is it OK if I add them as static routes at both R1 & R2 with the FortiGate as their next hop?

3- For inbound traffic towards the server IPs inside the major network, the AS path is preferred towards R2 from the ISP side, as I planned & configured, but I think I have a problem with their reply traffic: it will go through R1, since the default route is preferred through R1 as I planned. Do I need to apply a policy route at the FortiGate to go through R2?

Thanks in advance
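The design described in the post (default route from the ISP preferred via R1 with local preference, the /27 primary via R1 and the server /32s primary via R2 with AS-path prepend on the backup side, OSPF carrying the default to the firewalls), written out as IOS-style configuration for both routers. This is an added example, not configuration from the post or from Cisco; the AS numbers 65001 (customer) and 65100 (ISP), the 203.0.113.0/27 public range, the 192.0.2.x ISP link addresses and the 10.0.0.0/24 firewall segment (R1 10.0.0.1, FortiGate 10.0.0.2, R2 10.0.0.3) are assumed placeholders. Two things the post does not spell out are included: an iBGP session between R1 and R2, without which local preference has nothing to compare because each router only sees its own eBGP default, and a metric on the OSPF-originated default so the firewalls prefer R1 while both routers advertise it.

```cisco
!!! R1: primary for outbound and for the /27, backup for the server /32s
ip prefix-list PL-MAJOR seq 5 permit 203.0.113.0/27
ip prefix-list PL-SERVERS seq 5 permit 203.0.113.10/32
ip prefix-list PL-SERVERS seq 10 permit 203.0.113.11/32
!
! inbound from ISP: raise local preference so R1's default wins inside the AS
route-map RM-ISP-IN permit 10
 set local-preference 200
!
! outbound to ISP: prepend the server /32s (R1 is their backup), send the /27 plain.
! the implicit deny at the end keeps anything else (e.g. the default) from leaking back to the ISP
route-map RM-ISP-OUT permit 10
 match ip address prefix-list PL-SERVERS
 set as-path prepend 65001 65001
route-map RM-ISP-OUT permit 20
 match ip address prefix-list PL-MAJOR
!
! the network statements only advertise prefixes present in the RIB, so point them at the firewall
ip route 203.0.113.0 255.255.255.224 10.0.0.2
ip route 203.0.113.10 255.255.255.255 10.0.0.2
ip route 203.0.113.11 255.255.255.255 10.0.0.2
!
router bgp 65001
 neighbor 192.0.2.1 remote-as 65100
 neighbor 192.0.2.1 route-map RM-ISP-IN in
 neighbor 192.0.2.1 route-map RM-ISP-OUT out
 neighbor 10.0.0.3 remote-as 65001
 neighbor 10.0.0.3 next-hop-self
 network 203.0.113.0 mask 255.255.255.224
 network 203.0.113.10 mask 255.255.255.255
 network 203.0.113.11 mask 255.255.255.255
!
! OSPF to the firewall: originate the default only while a default exists in the RIB (no "always"),
! with a lower metric than R2 so the FortiGate prefers R1
router ospf 1
 network 10.0.0.0 0.0.0.255 area 0
 default-information originate metric 10

!!! R2: primary for the server /32s, backup for outbound and for the /27
ip prefix-list PL-MAJOR seq 5 permit 203.0.113.0/27
ip prefix-list PL-SERVERS seq 5 permit 203.0.113.10/32
ip prefix-list PL-SERVERS seq 10 permit 203.0.113.11/32
!
route-map RM-ISP-IN permit 10
 set local-preference 100
!
route-map RM-ISP-OUT permit 10
 match ip address prefix-list PL-MAJOR
 set as-path prepend 65001 65001
route-map RM-ISP-OUT permit 20
 match ip address prefix-list PL-SERVERS
!
ip route 203.0.113.0 255.255.255.224 10.0.0.2
ip route 203.0.113.10 255.255.255.255 10.0.0.2
ip route 203.0.113.11 255.255.255.255 10.0.0.2
!
router bgp 65001
 neighbor 192.0.2.5 remote-as 65100
 neighbor 192.0.2.5 route-map RM-ISP-IN in
 neighbor 192.0.2.5 route-map RM-ISP-OUT out
 neighbor 10.0.0.1 remote-as 65001
 neighbor 10.0.0.1 next-hop-self
 network 203.0.113.0 mask 255.255.255.224
 network 203.0.113.10 mask 255.255.255.255
 network 203.0.113.11 mask 255.255.255.255
!
router ospf 1
 network 10.0.0.0 0.0.0.255 area 0
 default-information originate metric 20
```

After applying it, `show ip bgp neighbors 192.0.2.1 advertised-routes` on R1 (and the equivalent on R2) should list exactly the /27 and the two /32s with the expected AS path; if the default route or any internal prefix shows up there, the outbound route-map is not attached. Note that this config does nothing about the return path the third question raises: replies from the servers still follow the OSPF default toward R1 unless the firewall applies NAT or a policy route.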


6 Replies

Francesco Molino
VIP Alumni

Hi

First of all, the networks you want to advertise to your ISP are your own public IP range?

The design is pretty standard.

You can use either OSPF or static routes between your WAN routers and firewalls. Personally, I prefer using static routes in that part of the network. On your BGP process, you'll advertise your subnets using the network statement instead of redistributing your static routes.

Now, in terms of ISP:

- You need first to ask if they're able to do such things. Not all ISPs want to go into such detail.

- If they're OK, you can use AS-PATH prepend or BGP community. Lots of them already have some community defined for primary and secondary routes. If so, then you'll just need to add the right community for the right subnet to say this one on the R1 side is primary and on R2 the same is secondary.

Now regarding the return traffic for your internal servers that receive traffic from R2, you have 2 choices:

- If the routing for the small subnet /27 is configured well to go outside through R2, you can use 1 free IP to NAT your traffic to a specific R2 IP. Let's take an example. If you have a /26 public IP range (1.1.1.0/26), you can organize your network to have the 1st half (1.1.1.0/27) go through R1 and the 2nd half (1.1.1.32/26) go through R2. If that's the case, then NAT your server traffic to an IP from the 2nd half to ensure that traffic goes through R2. Then you have another NAT (lower priority) to go through R1 when R2 is down. Hope that's clear :-)

- Or, as you mentioned, you'll need to do PBR.

Hope that clarifies things.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
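The static-route variant this reply recommends, as an added example that is not from the thread or from Cisco: static routes toward the firewall instead of OSPF, `network` statements instead of `redistribute static`, and ISP-defined communities instead of AS-path prepend to mark which link is primary for which subnet. The community values 65100:100 (primary) and 65100:200 (secondary) are placeholders standing in for whatever the ISP actually publishes, and the AS numbers 65001/65100, the 203.0.113.0/27 range, the 192.0.2.x ISP links and the 10.0.0.2 firewall next hop are assumed.

```cisco
!!! R1: /27 marked primary, server /32s marked secondary
ip bgp-community new-format
!
ip prefix-list PL-MAJOR seq 5 permit 203.0.113.0/27
ip prefix-list PL-SERVERS seq 5 permit 203.0.113.10/32
ip prefix-list PL-SERVERS seq 10 permit 203.0.113.11/32
!
! statics to the firewall; a network statement advertises a prefix only while it is in the RIB,
! so if the firewall link drops, the prefix is withdrawn from this router automatically
ip route 203.0.113.0 255.255.255.224 10.0.0.2
ip route 203.0.113.10 255.255.255.255 10.0.0.2
ip route 203.0.113.11 255.255.255.255 10.0.0.2
!
! PLACEHOLDER communities: replace with the ISP's documented primary/secondary values
route-map RM-ISP-OUT permit 10
 match ip address prefix-list PL-MAJOR
 set community 65100:100
route-map RM-ISP-OUT permit 20
 match ip address prefix-list PL-SERVERS
 set community 65100:200
! implicit deny: nothing outside the two prefix-lists is advertised to the ISP
!
router bgp 65001
 neighbor 192.0.2.1 remote-as 65100
 neighbor 192.0.2.1 send-community
 neighbor 192.0.2.1 route-map RM-ISP-OUT out
 network 203.0.113.0 mask 255.255.255.224
 network 203.0.113.10 mask 255.255.255.255
 network 203.0.113.11 mask 255.255.255.255

!!! R2: identical apart from the ISP neighbor and the swapped communities
ip bgp-community new-format
!
ip prefix-list PL-MAJOR seq 5 permit 203.0.113.0/27
ip prefix-list PL-SERVERS seq 5 permit 203.0.113.10/32
ip prefix-list PL-SERVERS seq 10 permit 203.0.113.11/32
!
ip route 203.0.113.0 255.255.255.224 10.0.0.2
ip route 203.0.113.10 255.255.255.255 10.0.0.2
ip route 203.0.113.11 255.255.255.255 10.0.0.2
!
route-map RM-ISP-OUT permit 10
 match ip address prefix-list PL-MAJOR
 set community 65100:200
route-map RM-ISP-OUT permit 20
 match ip address prefix-list PL-SERVERS
 set community 65100:100
!
router bgp 65001
 neighbor 192.0.2.5 remote-as 65100
 neighbor 192.0.2.5 send-community
 neighbor 192.0.2.5 route-map RM-ISP-OUT out
 network 203.0.113.0 mask 255.255.255.224
 network 203.0.113.10 mask 255.255.255.255
 network 203.0.113.11 mask 255.255.255.255
```

`send-community` is required on the eBGP neighbor; without it IOS strips the community before sending, and the ISP sees plain advertisements with nothing to act on. `show ip bgp 203.0.113.0/27` on either router shows the community attached, and `show ip bgp neighbors 192.0.2.1 advertised-routes` confirms that only the three intended prefixes leave the AS. Whether the ISP honours the communities at all is, as the reply says, something to confirm with them first.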

Hello Francesco,

Thank you for your reply.

- Regarding defining a static route instead of OSPF at this part of the network, and in the process defining a default route at the firewalls: what is the next hop for that default static route, R1 or R2? I see doing OSPF as better, since when I receive the default route from eBGP with a higher local preference at R1 than at R2, it will be distributed to the firewalls using OSPF with R1 as next hop, better than R2.

- Regarding the return traffic, if I understand you well, the request will go to the ISP and then go through R2 as configured, but the return traffic will go through the default route, which is configured through R1.

Thanks

Hi

Since you have multihoming to the same ISP, your provider will tell you the optimum way to route your traffic in/out according to his policy.

Thanks

Hey,

For your 1st point, yes, as I said, if you want to do everything automatically then it's gonna be better to use dynamic routing such as OSPF or even BGP. Some companies don't like having dynamic routing in this security layer.

For the 2nd point:
- If you don't use any NAT or PBR solutions, even if inbound traffic came from R2, the outbound will go through R1. This is the easiest part of your solution. The most complex (not technical) is to agree with your ISP to send your traffic for specific IPs (subnets) to your R2 link instead of R1. Why is it gonna be complex? It really depends on the ISP, so I would just recommend talking with them first. Some of them just send you networks (full BGP table or default route) but won't accept any inbound networks (not learning what you're sending); some of them would, but will send the traffic to 1 link and to the other only if the 1st goes down.

As you want to load balance your traffic, you'll need to discuss with them whether they want to or can. Then the solution could be AS-path prepend or an ISP community. Most of them have those communities defining primary routes, secondary, etc.

Is that clear?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Yes thank you.

You're very welcome

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question