03-21-2007 10:09 AM - edited 03-03-2019 04:14 PM
Hi
Is it possible to use BGP peering to an ISP and have an FWSM installed?
I don't want to use a router running BGP at the outside!
Marc
03-21-2007 10:22 AM
It is certainly possible to do so. A couple of things to note:
1- you need to make sure you configure the eBGP session as multihop.
2- If you authenticate the session, make sure that the FWSM doesn't randomize the initial sequence number. Otherwise, it would definitely prevent the session from coming up.
For more details, please refer to the following document:
http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a008009487d.shtml
Hope this helps,
03-28-2007 02:28 AM
Hi.
It is not that I want to use BGP through the firewall, but running BGP at the router where the firewall is inserted.
A little more information:
I have an ISP who is running BGP.
We have a Catalyst 6500 with an FWSM in it.
For running BGP we have an external router which is running the BGP, and an internal connection to the 6500/firewall.
I think it is nicer to get rid of the external router.
But how do I connect the BGP peering on the firewall? I have to connect the BGP peering on the 6500 because the FWSM has no physical interfaces.
But how do I handle the internal and the external traffic on the same 6500?
Default gateway is the firewall, but then through an interface at the 6500 through the ISP.
So I have 2 default gateways on the 6500!
That is the problem.
Any good suggestions?
03-30-2007 12:17 PM
Thanks for the additional information.
The FWSM itself doesn't support BGP.
As you mentioned, in order to connect to your SP you need to configure an external port (vlan).
What do you do next?
Do you want to run a multihop eBGP session from the internal network directly to the SP (not recommended)?
The recommended approach is to create an external VRF that would run the BGP session to your SP and an internal VRF connected to your corporate network.
You can even run a BGP session between the two VRFs, which would allow you to detect a FW failure and fallover to another exit point in your network.
Hope this helps,
03-31-2007 08:03 AM
Hi.
So the best option is to have a router in front of the firewall at the outside which is running the BGP session?
But just for my knowledge, is there a configuration example somewhere to find on the Cisco site?
How to configure your option with the VRF?
Thanks.
Marc
03-31-2007 06:30 PM
I do not necessarily think the best option is to use an external router.
On the contrary, a lot of customers are using the multi-VRF approach to avoid having that external box.
The multi-VRF configuration would look something like this:
!
ip vrf external
 rd 2:1
!
ip vrf internal
 ! Each VRF needs its own RD; IOS rejects a duplicate
 rd 2:2
!
interface Vlan10
 description To the corporate network
 ip vrf forwarding internal
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan20
 description To the FWSM inside interface
 ip vrf forwarding internal
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan30
 description To the FWSM outside interface
 ip vrf forwarding external
 ip address 192.168.3.1 255.255.255.0
!
interface Vlan40
 description To the Service Provider
 ip vrf forwarding external
 ip address 192.168.4.1 255.255.255.0
!
! OSPF originates the default route to the internal network if it is received via BGP
router ospf 100 vrf internal
 network 192.168.1.1 0.0.0.0 area 0
 default-information originate
!
router bgp xxx
 no synchronization
 bgp log-neighbor-changes
 no auto-summary
 !
 address-family ipv4 vrf internal
  ! Internal prefix(es) advertised to the Internet
  network x.x.x.x
  ! iBGP session to the external VRF, crossing the FWSM
  neighbor 192.168.3.1 remote-as xxx
  neighbor 192.168.3.1 activate
  no synchronization
  ! Per address family router-id required since both VRFs would use the same RID by default. (See Note 1)
  bgp router-id 2.2.2.1
 exit-address-family
 !
 address-family ipv4 vrf external
  ! iBGP session to the internal VRF, crossing the FWSM; only the default route is sent inside
  neighbor 192.168.2.1 remote-as xxx
  neighbor 192.168.2.1 activate
  neighbor 192.168.2.1 prefix-list default-only out
  ! eBGP session to the Service Provider
  neighbor 192.168.4.2 remote-as yyy
  neighbor 192.168.4.2 activate
  no synchronization
  ! Per address family router-id required since both VRFs would use the same RID by default. (See Note 1)
  bgp router-id 2.2.2.2
 exit-address-family
!
! Static route pointing at the FWSM inside interface address (192.168.2.2). Required for the iBGP session.
ip route vrf internal 192.168.3.1 255.255.255.255 Vlan20 192.168.2.2
! Static route pointing at the FWSM outside interface address (192.168.3.2). Required for the iBGP session.
ip route vrf external 192.168.2.1 255.255.255.255 Vlan30 192.168.3.2
!
ip prefix-list default-only description only allow default route
ip prefix-list default-only seq 10 permit 0.0.0.0/0
ip prefix-list default-only seq 20 deny 0.0.0.0/0 le 32
!
Note 1: The per AF RID was introduced in 12.2(33)SRA. Without this command, the BGP peers would determine that the peer RID is equal to the local RID and reject the session.
Alternatively, you can use the hidden command "bgp router-id allow-equal" that was introduced in 12.2(18)SXD1.
Let me know if you have any questions,
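As an added example that is not part of this thread and not Cisco's own tooling: a small Python script that parses a configuration in the shape shown above and checks the points the reply calls out (distinct RDs for the two VRFs, a router-id per VRF address family, a /32 static route for each inter-VRF iBGP neighbor, an outbound prefix-list toward the internal VRF that permits only the default route, and the firewall multiple-vlan-interfaces command on the MSFC). The embedded configuration is a constructed copy of the design above with the placeholders filled in (AS 65001 locally, AS 65000 for the provider, 10.0.0.0/24 as the advertised prefix); those values are assumptions, and the parser only understands the handful of command forms used here.

```python
import re
from collections import defaultdict

# Constructed sample (not from the thread): the two-VRF design above with the
# placeholders filled in. AS 65001 is the local AS, AS 65000 the provider and
# 10.0.0.0/24 the prefix advertised to the Internet; all three are assumptions.
SAMPLE_CONFIG = """
firewall multiple-vlan-interfaces
!
ip vrf external
 rd 2:1
!
ip vrf internal
 rd 2:2
!
router bgp 65001
 address-family ipv4 vrf internal
  network 10.0.0.0 mask 255.255.255.0
  neighbor 192.168.3.1 remote-as 65001
  neighbor 192.168.3.1 activate
  bgp router-id 2.2.2.1
 exit-address-family
 address-family ipv4 vrf external
  neighbor 192.168.2.1 remote-as 65001
  neighbor 192.168.2.1 activate
  neighbor 192.168.2.1 prefix-list default-only out
  neighbor 192.168.4.2 remote-as 65000
  neighbor 192.168.4.2 activate
  bgp router-id 2.2.2.2
 exit-address-family
!
ip route vrf internal 192.168.3.1 255.255.255.255 Vlan20 192.168.2.2
ip route vrf external 192.168.2.1 255.255.255.255 Vlan30 192.168.3.2
!
ip prefix-list default-only seq 10 permit 0.0.0.0/0
ip prefix-list default-only seq 20 deny 0.0.0.0/0 le 32
"""


def parse(text):
    """Extract only the statements the checks need (an assumed, minimal subset
    of IOS syntax: vrf/rd, VRF address families, /32 statics, prefix-lists)."""
    cfg = {"rd": {}, "af": {}, "local_as": None, "multi_vlan": False,
           "routes": defaultdict(set), "plist": defaultdict(list)}
    vrf = af = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line == "firewall multiple-vlan-interfaces":
            cfg["multi_vlan"] = True
        elif m := re.match(r"ip vrf (\S+)$", line):
            vrf, af = m[1], None
        elif (m := re.match(r"rd (\S+)$", line)) and vrf:
            cfg["rd"][vrf] = m[1]
        elif m := re.match(r"router bgp (\d+)$", line):
            cfg["local_as"], vrf = m[1], None
        elif m := re.match(r"address-family ipv4 vrf (\S+)$", line):
            af = m[1]
            cfg["af"][af] = {"neighbors": {}, "rid": None, "out_plist": {}}
        elif line == "exit-address-family":
            af = None
        elif af and (m := re.match(r"neighbor (\S+) remote-as (\d+)$", line)):
            cfg["af"][af]["neighbors"][m[1]] = m[2]
        elif af and (m := re.match(r"neighbor (\S+) prefix-list (\S+) out$", line)):
            cfg["af"][af]["out_plist"][m[1]] = m[2]
        elif af and (m := re.match(r"bgp router-id (\S+)$", line)):
            cfg["af"][af]["rid"] = m[1]
        elif m := re.match(r"ip route vrf (\S+) (\S+) 255\.255\.255\.255 \S+ \S+$", line):
            cfg["routes"][m[1]].add(m[2])
        elif m := re.match(r"ip prefix-list (\S+) seq \d+ (permit|deny) (\S+)(?: le (\d+))?$", line):
            cfg["plist"][m[1]].append((m[2], m[3], m[4]))
    return cfg


def check(text):
    """Return a list of findings; an empty list means the design looks consistent."""
    cfg, out = parse(text), []
    rds = list(cfg["rd"].values())
    if len(rds) != len(set(rds)):                        # IOS rejects a duplicate RD
        out.append(f"duplicate RD across VRFs: {cfg['rd']}")
    rids = [a["rid"] for a in cfg["af"].values()]        # equal RIDs reject the iBGP session
    if None in rids or len(rids) != len(set(rids)):
        out.append(f"each VRF address family needs its own bgp router-id: {rids}")
    for name, a in cfg["af"].items():
        for ip, asn in a["neighbors"].items():           # same-AS peer reached across the FWSM
            if asn == cfg["local_as"] and ip not in cfg["routes"][name]:
                out.append(f"vrf {name}: no /32 static route for iBGP neighbor {ip}")
        for ip, pl in a["out_plist"].items():            # only the default route goes inside
            permits = [e for e in cfg["plist"].get(pl, []) if e[0] == "permit"]
            if permits != [("permit", "0.0.0.0/0", None)]:
                out.append(f"prefix-list {pl} toward {ip} permits more than the default route")
    if not cfg["multi_vlan"]:                            # two SVIs face the FWSM
        out.append("firewall multiple-vlan-interfaces is missing")
    return out


if __name__ == "__main__":
    for finding in check(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against a "show running-config" saved to a file by passing the file contents to check(); the sample is kept inline only so the script runs offline.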
04-01-2007 05:54 AM
I forgot one thing. By default, only one Switched Virtual Interface (SVI) is allowed between the FWSM and the MSFC. In order to be able to configure more than one VLAN between the FWSM and MSFC, you need to configure the following command on the MSFC:
firewall multiple-vlan-interfaces
Hope this helps,
04-01-2007 06:29 AM
Thanks for the reply.
I am going to test it.
I have already configured more than 1 VLAN between the FWSM and the MSFC.
Thanks a lot.
Marc
01-29-2015 01:51 AM
Hi, I know it's been a long time but seeing config also for FWSM would help.
Thanks.