Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1590
Views
0
Helpful
12
Replies

BGP on Cisco Firewall Cluster

Network Pro
Level 1
Level 1

‎03-20-2018 05:25 AM - edited ‎03-07-2019 12:22 AM

Hello

 

Scenario - I have two ISP's terminating on Cisco Firewalls (Active/Passive) - is it possible to run BGP between the two ISP's and the pair of Cisco Firewall (failover mode) - I am not how the iBGP will work between them as they both share the same LAN address right?

Labels:
0 Helpful
12 Replies 12

Julio E. Moisa
VIP
VIP

‎03-20-2018 05:32 AM

Hi

If your firewalls support BGP you could configure eBGP peerings with the ISP, they will have different AS. I think you want to do something like:

https://supportforums.cisco.com/t5/wan-routing-and-switching/bgp-multihoing-with-firewall-cluster/td-p/2877188

 

Hope it is useful

:-)




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<
0 Helpful

Network Pro
Level 1
Level 1
In response to Julio E. Moisa

‎03-20-2018 06:01 AM

Thanks for the quick reply - so i would not require iBGP peering since its a cluster, right?
0 Helpful

Julio E. Moisa
VIP
VIP
In response to Network Pro

‎03-20-2018 06:06 AM

You are welcome, 

That is correct, basically the cluster is seen as one firewall, the backup firewall has the same configuration like the primary.

:-)




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<
0 Helpful

Deepak Kumar
VIP Alumni
VIP Alumni

‎03-20-2018 05:34 AM - edited ‎03-20-2018 05:38 AM

Hi, 

If you will configure the ASA in Active-passive mode, then the Passive firewall will not give you the option to configure any BGP or link address (only HA links). The passive firewall will synchronize active firewall configuration. 

Only you have to think about how to configure BGP with Both ISP and make transit area. 

This link will helpful :

https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/23675-27.html

 

 

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
0 Helpful

Network Pro
Level 1
Level 1
In response to Deepak Kumar

‎03-20-2018 06:35 AM

hi

 

wouldnt i be able to configure both links on Primary Firewall? because its a cluster if primary dies wont secondary box take over?

0 Helpful

Deepak Kumar
VIP Alumni
VIP Alumni
In response to Network Pro

‎03-20-2018 07:13 AM

Hi, 

Your network design will be like:

 

ISP 1 ---->                    -----ISP1------>     Active Firewall   ------->LAN (Inside)

                                     -----ISP2------->

                   Switch L2 

                                    ------ISP1------>       Passive Firewall -----> LAN (Inside>

ISP 2 ---->                 -----ISP2------->

 

 

If any of ISP or Firewall will down.. another device will take over.

 

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
0 Helpful

Julio E. Moisa
VIP
VIP
In response to Deepak Kumar

‎03-20-2018 07:21 AM

That is correct, each firewall must have connection with each ISP, now the suggestion is use VLANs between the ISP and the Firewalls through the L2 switch displayed by Deepak, it will provide scalability to your infrastructure. 

 

For example:

               SWITCH

ISP 1 --- VLAN 10 --- Firewall 1

ISP 2 --- VLAN 20 --- Firewall 1

 

ISP 1 --- VLAN 10 --- Firewall 2

ISP 2 --- VLAN 20 --- Firewall 2

 

I suggest have 2 switches or a stack of switches to avoid point of failures.

 

:-)




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<
0 Helpful

Network Pro
Level 1
Level 1
In response to Deepak Kumar

‎03-20-2018 07:24 AM

Yes correct this is what i was thinking too

 

are you saying this wwill work right? any issues of this? only thing is that there will be NO iBGP peer, correct?

0 Helpful

Deepak Kumar
VIP Alumni
VIP Alumni
In response to Network Pro

‎03-20-2018 07:29 AM - edited ‎03-20-2018 07:32 AM

Yes, You correct no iBGP peer between firewalls.

 

Some other suggestions for L2 switch as

Disable the CDP/LLDP

Enable Spanning tree portfast (on ports which are connected to firewalls and ISP)

 

 

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
0 Helpful

Julio E. Moisa
VIP
VIP
In response to Network Pro

‎03-20-2018 07:33 AM - edited ‎03-20-2018 07:50 AM

The Cluster will be seen as one firewall running 1 BGP only. Something like:

 

               ISP1

             /

firewall
firewall 

             \  

                ISP2

 

But each firewall will have 2 peerings one to each ISP through the VLANs created. 

 

:-)




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<
0 Helpful

Network Pro
Level 1
Level 1
In response to Julio E. Moisa

‎03-20-2018 08:58 AM

Yep Thanks everyone

0 Helpful

Julio E. Moisa
VIP
VIP
In response to Network Pro

‎03-20-2018 08:58 AM

You are welcome

:-)




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card