05-19-2016 09:56 PM - edited 03-05-2019 04:03 AM
Hi
I got a requirement to configure BGP multi-homing on a firewall which is running in a cluster (Active-Standby), as there are currently some routing issues running HSRP on the CE routers (ISP owned). So the customer wants us to configure multi-homing on the firewalls. Below is how the setup is. Can someone throw some light on whether this is doable and help?
05-20-2016 01:48 AM
Hi
I am assuming the firewalls support BGP; otherwise there is no need to discuss this.
The first question here is why the customer wants to move away from CEs with HSRP at the LAN side. What is the main reason?
Do you mean that in this approach you will use the firewalls as the direct peering point with the ISP (like a CE)?
I can see these firewalls deployed in active/standby. If there is an issue with BGP/routing at ISP-RTR-1 while the link is still up from the firewall's perspective, then:
- From an outbound routing point of view, how will you advertise your routes (via the secondary that is in standby mode!)? Normally this is firewall vendor/feature dependent.
- Let's assume you can advertise the route; then the inbound traffic will come over ISP-RTR-2 in this case, while the secondary firewall is still in standby mode, and if this node does not have any session state, or may even not process traffic at all while it is in standby mode, then typically the traffic will be dropped.
ASA firewall clustering can be a better option in this case; however, I highly recommend you use CE routers to do the BGP, while from the LAN side you can do HSRP + IP SLA intelligence to detect different failure scenarios and to avoid the complexity of having firewalls doing a router job which they are not designed for!
Hope this helps
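As an added illustration (not from the poster above) of the HSRP + IP SLA tracking recommended for the CE routers, here is a Cisco IOS fragment for the primary CE that detects the "BGP broken upstream while the link is still up" case and hands the LAN virtual IP to the other CE. All interface names, addresses and timers are constructed placeholders, not values from this thread:

```cisco
! Constructed example for the primary CE router (placeholder addresses).
! Probe a target beyond ISP-RTR-1 so an upstream routing failure is seen
! even when the physical link toward the ISP stays up.
ip sla 10
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0
 threshold 500
 timeout 1000
 frequency 5
ip sla schedule 10 life forever start-time now
!
! Track 10: probe reachability (dampened so a single lost ping does not flap HSRP).
! Track 20: the BGP-learned default route must still be present in the RIB.
track 10 ip sla 10 reachability
 delay down 10 up 30
track 20 ip route 0.0.0.0 0.0.0.0 reachability
!
! LAN side facing the firewall cluster: priority 110 here, 100 on the
! secondary CE. Either track going down drops this router below the
! secondary, which has preempt enabled and takes over the virtual IP.
interface GigabitEthernet0/1
 description LAN towards firewall cluster
 ip address 192.0.2.2 255.255.255.0
 standby version 2
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt delay minimum 30
 standby 1 track 10 decrement 20
 standby 1 track 20 decrement 20
```

The secondary CE carries the mirror configuration with priority 100 and its own probe toward ISP-RTR-2, so whichever CE still has a working upstream path holds the gateway address the firewalls point at.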