06-01-2016 07:48 AM - edited 03-05-2019 04:08 AM
We have two facilities connected via dark fiber, internet out both to the same ISP. Matching hardware at both sites, ASA and ISR. Currently they are configured to use HSRP, one being primary at all times, the other just standing by in case we lose the internet link, or some other failure. They are talking to each other via iBGP, so dual default routes in the table for fast switchover. On paper, it looks like a good layout; however, we have been going over scenarios of possible failures and discovered an issue.
The router and firewall at the primary location are connected to a switch, which is then uplinked to the core; the other building is directly connected. At some point the primary will be connected directly to the core as well, but that still leaves us with an issue. If the primary loses the core switch, it will lose iBGP and HSRP communications to the other building. All traffic will then route to the other building through the secondary switch, but the primary router will still be connected to the internet, and so will the firewall. At this point both routers and firewalls will think they are active.
I need a better solution to this so that if primary loses internal connectivity, all routing will failover to the secondary and not advertise through primary. Do we need to use HSRP for this, or setup all public facing routers and firewalls to use BGP?
The locations are mirrored, identical gear at both sites, except for the WAN switch in the middle at primary site, which is going away at some point. There are a few routers behind the internet router for DMVPN, along with an ASA, soon to be 2 ASA. They all use static routes to point to the VIP of the Internet HSRP. How can I set this up to also load balance across both links? If I load balance, would that also resolve the failover issue?
06-01-2016 08:07 AM
The old "split brain" problem.
You can't have redundancy when there is only a single link between the sites. You need a back link to your dark fibre.
A "cheap" trick I often use is L2TPv3, and build your own backup circuit. In this case, you could build a GRE over IPsec tunnel between the two routers going over the external Internet circuits (since they are a different circuit to the dark fibre), and run L2TPv3 over that. You need an extra spare interface in each router to act as the trunking port. You can use spanning tree to block the L2TPv3 circuit (when the dark fibre is up), so it only kicks in as a backup. You can also filter VLANs going across it to only the most important ones needed to prevent a split brain.
Another option is to put in a second dedicated Internet circuit at each site. Then put in a pair of dedicated routers doing L2TPv3.
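A concrete rendering of the backup circuit described in the post above, added here as an example (it is not the poster's configuration and not part of the original thread): one site's ISR builds a GRE tunnel protected by IPsec across the Internet circuits, runs an L2TPv3 port-mode pseudowire inside it from a spare port, and the switch facing that spare port limits the trunk to a few VLANs and gives it a high spanning-tree cost so the dark fibre path stays forwarding. Every address, interface name, VLAN ID and key below is an assumption made for the example; site B mirrors it with the addresses swapped.

```cisco
! ===== Site A Internet router (assumed ISR running IOS 15.x) =====
! Assumed addressing: site A public 198.51.100.2 on Gi0/0,
! site B public 203.0.113.2, tunnel /30 10.255.0.0/30.

! --- IKEv2/IPsec protecting the GRE tunnel over the Internet circuits ---
crypto ikev2 proposal IKEV2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy IKEV2-POL
 proposal IKEV2-PROP
crypto ikev2 keyring KR
 peer SITE-B
  address 203.0.113.2
  pre-shared-key local CHANGE-ME-A
  pre-shared-key remote CHANGE-ME-B
crypto ikev2 profile IKEV2-PROF
 match identity remote address 203.0.113.2 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local KR
crypto ipsec transform-set TS esp-gcm 256
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set TS
 set ikev2-profile IKEV2-PROF

! --- GRE tunnel carrying the pseudowire; MTU lowered for GRE+ESP overhead ---
interface Tunnel0
 description Backup GRE/IPsec to site B over the Internet circuits
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile GRE-PROT

! --- L2TPv3 control channel and pseudowire sourced from the tunnel address ---
l2tp-class L2TP-CLASS
 authentication
 password CHANGE-ME-L2TP
 cookie size 8
pseudowire-class PW-BACKUP
 encapsulation l2tpv3
 protocol l2tpv3 L2TP-CLASS
 ip local interface Tunnel0

! --- Spare port patched to the switch; port-mode xconnect carries every VLAN
!     (and the BPDUs) the switch puts on that trunk, VC ID 100 at both ends ---
interface GigabitEthernet0/2
 description L2TPv3 attachment circuit to the WAN/core switch
 no ip address
 xconnect 10.255.0.2 100 encapsulation l2tpv3 pw-class PW-BACKUP

! ===== Switch port facing Gi0/2 (same on both sites) =====
! Only the VLANs HSRP and iBGP need (assumed 10 and 20) cross the pseudowire,
! and the high cost keeps spanning tree blocking it while the dark fibre is up.
interface GigabitEthernet1/0/24
 description Trunk into L2TPv3 backup pseudowire
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 spanning-tree cost 2000
```

Two checks worth doing after bringing this up: `show xconnect all` should show the pseudowire UP at both sites, and `show spanning-tree vlan 10` on the switch should list the Gi1/0/24 port as ALTN/BLK while the dark fibre path is up; if the port is forwarding, both paths are active and you have built the loop rather than the backup. The trunk into the pseudowire must be in the same spanning-tree domain as the dark-fibre trunk for the cost trick to work, and the pre-shared keys and L2TP password are placeholders to be replaced.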
06-20-2016 07:33 AM
I gave this some thought, but we also have two 10 Gb circuits running to another colo that can route our internal traffic if the DF between sites gets cut. They are on diverse paths and neither runs on the same cable that is between our buildings.
So what I need to figure out then is how to get the public VLAN routed through the 10 Gb links without compromising the network. The L2TPv3 is a suggestion; the trick will be where to configure it. Just need to be very careful that we don't introduce a spanning tree loop with L2TPv3. I have run into this problem already doing L2TPv3; we found out that a Nexus 2K shuts down if you plug in a router with L2TPv3 configured. :)
06-20-2016 12:01 PM
If you have a Cisco 3750 or a Cisco 3850 (with super new code) or even a 2960-XR then you could consider running REP (Resilient Ethernet Protocol) between the switches over the L2TPv3 link.
06-20-2016 12:28 PM
It just so happens we have a pair of 3850 sitting in a box. Thanks for the link, we are looking into it, looks like this could resolve an ugly issue.
Wonder if this will work with a pair of Juniper switches in between.