Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2239
Views
10
Helpful
6
Replies

BGP Graceful Restart with Firewall Pair connected to IOS-XE switches

j.a.m.e.s
Level 4
Level 4

‎02-08-2021 02:08 PM

Dear All,

I have a pair of Cat9500 switches which peer with other single-sup switches as well as a pair for Fortigate firewalls which are running as an FGCP cluster. With FGCP, the firewall MACs and IPs float to the standby unit after a failover and GARP is issued. Fortinet have recommended activating BGP Graceful Restart to minimize disruption following a failover event.

 

I have read the IOS-XE guide on BGP Graceful Restart, but I'm confused about what I need to configure on the switch side:

 

  1. Is only the Graceful Restart Helper needed on the switches, since only the firewalls are clustered?
  2. On IOS-XE can the helper be activated independently of Graceful Restart itself?
  3. Is there any danger if Graceful Restart is activated on the other peerings? (i.e. with other singe-sup switches)

I have searched the documentation, but I couldn't find answers for ios-xe. nx-os appears to be simpler because it has Graceful Restart and the helper activated by default on all peers and has a separate toggle for the helper.

Many thanks for any insight.

James.

Labels:
0 Helpful
6 Replies 6

Giuseppe Larosa
Hall of Fame
Hall of Fame

‎02-08-2021 11:59 PM

Hello @j.a.m.e.s ,

 

1)

>> Is only the Graceful Restart Helper needed on the switches, since only the firewalls are clustered?

Yes if your switches have a single supervisor and they are standalone not forming an SVL pair ( VSS in old terms) they can only act as helpers.

 

3)

>> Is there any danger if Graceful Restart is activated on the other peerings? (i.e. with other singe-sup switches)

No because each BGP peer will negotiate the supported capabilities at session setup so if they do not support graceful restart for being single supervisor graceful restart will not be used on that session.

 

2) in the guide yo have provided you can use

neighbor ip-address ha-mode graceful-restart

 

However, I agree there is not a specific command to enable only the helper feature that is a subset of the full graceful restart capability.

But the timers can be tuned only with the global command.

 

Hope to help

Giuseppe

 

0 Helpful

j.a.m.e.s
Level 4
Level 4
In response to Giuseppe Larosa

‎02-09-2021 01:11 AM - edited ‎02-09-2021 01:41 AM

Thank you Guiseppe, that does help.  I would just like to clarify this point with you:

 

>> Is there any danger if Graceful Restart is activated on the other peerings? (i.e. with other singe-sup switches)

> No because each BGP peer will negotiate the supported capabilities at session setup so if they do not support graceful restart for being single supervisor graceful restart will not be used on that session.

 

If I was to globally enable graceful-restart on all my Cat9500 switches then reset the peerings between them, they would presumably advertise the GR capabilities to each other but they wouldn't actually invoke a GR because they are single-sup?

 

Regards

James.

Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to j.a.m.e.s

‎02-09-2021 02:39 AM

Hello @j.a.m.e.s ,

>> If I was to globally enable graceful-restart on all my Cat9500 switches then reset the peerings between them, they would presumably advertise the GR capabilities to each other but they wouldn't actually invoke a GR because they are single-sup?

 

I think they are going to declare themselves as not GR capable on each session so at the line graceful restart in

show ip bgp neigh x.x.x.x

you should see nothing = not advertised and not received ( not sure they could advertise to be able to act as helper ....)

towards the clustered FW you should see received and may be advertised.

The advertisement from helper is needed in GR so that the GR capable node knows it can ask for a grace period in case of switchover.

 

Hope to help

Giuseppe

0 Helpful

j.a.m.e.s
Level 4
Level 4
In response to Giuseppe Larosa

‎02-09-2021 02:58 AM

Thanks Giuseppe, I will try it and report back.

0 Helpful

j.a.m.e.s
Level 4
Level 4
In response to j.a.m.e.s

‎02-15-2021 05:51 AM

This is what I saw when enabling GR on the Cat9500 and resetting all  the peers:

 

! From single sup switch to peer which is not GR enabled:
cat9500#show ip bgp nei 10.x.x.x | in Grace
    Graceful Restart Capability: advertised
  Graceful-Restart is enabled, restart-time 120 seconds, stalepath-time 360 seconds

That suggests that the cat9500 was advertising itself as GR capable even though it doesn't have the hardware to do that. The peering did work fine after this, but I'm not sure whether it would cause problems under certain failure conditions so I decided to restrict it to the clustered-FW peering instead.

 

Regards

James.

Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to j.a.m.e.s

‎02-15-2021 06:04 AM

Hello @j.a.m.e.s ,

thanks for your feedback

>> That suggests that the cat9500 was advertising itself as GR capable even though it doesn't have the hardware to do that. 

Yes, it does not discriminate between helper capable and full GR capable

>>

Graceful Restart Capability: advertised

 I agree with your conservative choice 

>> so I decided to restrict it to the clustered-FW peering instead.

 

Hope to help

Giuseppe

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card