cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2157
Views
0
Helpful
8
Replies

Bgp with an fwsm

mnieuwendijk
Level 1
Level 1

Hi

Is it possible to use bpg peering to an isp and have an fwsm installed ?

I dont want to use a router running bgp at the outside !

Marc

8 Replies 8

Harold Ritter
Level 12
Level 12

It is certainly possible to do so. A couple of things to note:

1- you need to make sure you configure the eBGP session as multihop.

2- If you authenticate the session, make sure that the FWSM doesn't do randomize the initial sequence number. Otherwise, it would definitely prevent the session from coming up.

For more details, please refer to the following document:

http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a008009487d.shtml

Hope this helps,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

Hi.

It is not that i want to use bgp trough the firewall, but running bgp at the router where the firwewall is inserted.

A little more information:

I have a isp who has running bgp.

Whe have an catalyst 6500 with an fwsm in it.

For running bgp whe have an external router who is running the bgp, and an internal connection to the 6500/firewall.

I think it is nicer to get rid of the external router.

But how i connect the bgp peering on the firewall, i have to connect the bgp peering on the 6500 becouse the fwsm has no phisical interfaces.

But how do i handle the internal and the external traffic on the same 6500.

Default gaeway is the firewall, but then through an interface at the 6500 through the isp.

So i have on the 6500 2 default gateways !!.

That is the problem.

Any good sugestions ?

Thanks for the additional information.

The FWSM itself doesn't support BGP.

As you mentioned, in order to connect to your SP you need to configure an external port (vlan).

What do you do next?

Do you want to run an multihop eBGP session from the internal network directly to the SP (not recommended).

The recommended approach is to create an external VRF that would run the BGP session to your SP and an internal VRF connected to your corporate network.

You can even run a BGP session between the two VRFs, which would allow you to detect a FW failure and fallover to another exit point in your network.

Hope this helps,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

Hi.

So the best option is have an router in front of the firewall at the outside who is running the bgp session?

But just for my knowledge, is there an configuration example somewere to find on the cisco site ?

How to configure your option with the vrf ?

Thanks.

Marc

I do not necessarily think the best option is to use an external router.

At the contrary, a lot of customers are using the multi vrf approach to avoid having that external box.

The multi vrf configuration would look something like this:

!

ip vrf external

rd 2:1

!

ip vrf internal

rd 2:1

!

interface Vlan 10

description To the corporate network

ip vrf forwarding internal

ip address 192.168.1.1 255.255.255.0

!

interface Vlan 20

description To the FWSM inside interface

ip vrf forwarding internal

ip address 192.168.2.1 255.255.255.0

!

interface Vlan 30

description To the FWSM outside interface

ip vrf forwarding external

ip address 192.168.3.1 255.255.255.0

!

interface Vlan 40

description To the Service Provider

ip vrf forwarding external

ip address 192.168.4.1 255.255.255.0

!

! OSPF originates the default route to the internal network if it is received via BGP

router ospf 100 vrf internal

netw 192.168.1.1 0.0.0.0 area 0

default-information originate

!

router bgp xxx

no synchronization

bgp log-neighbor-changes

no auto-summary

!

address-family ipv4 vrf internal

! Internal prefix(es) advertised to the Internet

network x.x.x.x

neighbor 192.168.3.1 remote-as xxx

neighbor 192.168.3.1 activate

no synchronization

! Per address family router-id required since both VRF would use the same RID by default. (See Note 1)

bgp router-id 2.2.2.1

exit-address-family

!

address-family ipv4 vrf external

neighbor 192.168.2.1 remote-as xxx

neighbor 192.168.2.1 activate

neighbor 192.168.2.1 prefix-list default-only out

neighbor 192.168.4.2 remote-as yyy

neighbor 192.168.4.2 activate

no synchronization

! Per address family router-id required since both VRF would use the same RID by default. (See Note 1)

bgp router-id 2.2.2.2

exit-address-family

!

! Static route pointing at the FWSM inside interface address. Required for the iBGP session.

ip route vrf internal 192.168.3.1 255.255.255.255 Vlan20 192.168.2.2

! Static route pointing at the FWSM outside interface address. Required for the iBGP session.

ip route vrf external 192.168.2.1 255.255.255.255 Vlan30 192.168.3.2

!

ip prefix-list default-only description only allow default route

ip prefix-list default-only seq 10 permit 0.0.0.0/0

ip prefix-list default-only seq 20 deny 0.0.0.0/0 le 32

!

Note 1: The per AF RID was introduced in 12.2(33)SRA. Without this command, the BGP peers would determine that the peer RID is equal to the local RID and reject the session.

Alternatively, you can use the hidden command "bgp router-id allow-equal" that was introduced in 12.2(18)SXD1.

Let me know if you have any questions,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

I forgot one thing. By default, only one Switched Virtual Interface (SVI) is allowed between the FWSM and the MSFC. In order to be able to configure more than one VLAN between the FWSM and MSFC, you need to configure the following command on the MSFC:

firewall multiple-vlan-interfaces

Hope this helps,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

Thanks for the replay.

I will going to test it.

I have allready configured more then 1 vlan between the fwsm and the msfc.

Thanks a lott.

Marc

Hi, I know it's been a long time but seeing config also for FWSM would help.

Thanks.

Review Cisco Networking for a $25 gift card