Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1547
Views
10
Helpful
1
Replies

BGP Multihoing with Firewall cluster

Padmanaban P
Level 1
Level 1

‎05-19-2016 09:56 PM - edited ‎03-05-2019 04:03 AM

Hi

I got a requirement to configure BGP Multi-homing on Firewall which  is running in cluster (Active-Standby) as there are currently some routing issue running HSRP on CE router (ISP Owned). So customer want us to configure Multi homing on firewalls. Below is how the set up is. Can someone through some light is this is doable and help

Labels:
Preview file
27 KB
0 Helpful
1 Reply 1

Marwan ALshawi
VIP Alumni
VIP Alumni

‎05-20-2016 01:48 AM

Hi 

I am assuming the firewalls support BGP otherwise this is something no need to be discussed 

the first question here why the customer wants to move away from CEs with HSRP at the LAN side what is the main reason ?

do you mean in this approach you will use the Firewalls as the direct peering point with the ISP ( like a CE)? 

I can see these firewalls delayed in active/standby, if there is an issue with BGP/routing at ISP-RTR-1 while the link is still up from the firewall perspective, then: 

- from outbound routing point of view how you will advertise your routes ( via the secondary that is in standby mode! ) normally this is firewall vendor/feature dependant 

- lets assume you can advertise the route, then the inbound traffic will come over ISP-RTR-2 in this case, while the secondary firewall is still in standby mode, and if this node do not have any session state, of it may even will not process traffic while its in standby mode, then typically the traffic will be dropped 

ASA firewall closeting can be a better option in this case, however I highly recommend you to use CE routers to do the BGP  while from the LAN you can do HSRP + IPSLA ntelligence to detect different failure scenarios and to avoid the complexity of having firewalls doing a router job which they are not design for ! 

hope this help 

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card