BGP with HSRP and IOS Firewall

ldjones488
Level 1

Hi Guys,

This is my first post here, but after much "googling" around I couldn't find any satisfactory answer to my problem. Let me just give you a quick overview of what's going on here.

We have two routers running HSRP on the LAN side. This is fine and works great. Now the problem arises on the WAN side, where the two ISP BGP routers have a full mesh with ours and can send traffic back to either of our routers.

Let me give you a scenario. Server A goes to the Internet via our customer router 1 and gets inspected by the sub-interface's outbound CBAC rule. The traffic goes off and does its business and then eventually comes back to one of the ISP routers. In turn this traffic is passed back to our customer router 2, for instance. As this router has a directly connected interface for the same subnet, it tries to deliver the traffic, but it is denied, as the CBAC table is like "OK, who are you?!" Just for reference, we are running OSPF between the two customer routers and redistribute all the sub-interfaces of the LAN.

Now this is just a scenario, as the ISP actually forces traffic to go to router 1 by default. I am worried about automatic failure workarounds if there were ever an issue. Is there a way I can overcome this? I have thought of using unnumbered interfaces for the HSRP, but this is a no-go. I have thought about syncing the two routers' inspection tables, but the minimum is a 10 second refresh, I believe.

Does anyone have any other input on how traffic returning to router 2 can be either processed through the local interface or routed to router 1?

Your help is much appreciated.

Regards

Lee

1 Reply

milan.kulik
Level 10

Hi,

What about trying to make the ISP prefer your primary router?

You could send the BGP updates from your secondary router with a worse MED attribute, or with your AS number prepended several times, towards the ISP, e.g.

You would need your HSRP to track the ISP router(s) reachability on your primary router then, e.g., to decrease the HSRP priority in case it loses connectivity to the ISP router(s). But it's possible to configure.

So in case of a connectivity failure between your primary router and the ISP router(s):

a) The HSRP priority on your primary router would decrease, so the secondary router would become Active in HSRP (i.e., it would start to receive the traffic from the LAN).

b) The ISP would not receive BGP prefixes from your primary router anymore, so it would have to start using the prefixes advertised from your secondary router (with worse BGP attributes).

So finally, traffic in both directions would take your secondary router.

When your primary router's connection to the ISP router(s) recovered, the traffic would return to your primary router automatically.

HTH,

Milan
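The scheme Milan describes, written out as an added IOS configuration example; it is not part of the original thread or either poster's configuration. The interface names, the documentation addresses (192.0.2.0/24 LAN, 203.0.113.x ISP links), the AS numbers 65001 (customer) and 65000 (ISP), the HSRP group number and the IP SLA/track numbers are all assumptions. The primary router (R1) pings its ISP peer from the WAN interface and sheds 20 points of HSRP priority when the probe fails; the secondary router (R2) advertises the LAN prefix with a longer AS path and a higher MED so the ISP keeps sending return traffic to R1 while R1's session is up:

```cisco
! ===== R1: primary router (assumed names and addresses) =====
! Probe the eBGP peer over the WAN link; if the link or the peer dies, the track goes down.
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/1
 frequency 5
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
 delay down 10 up 30
!
interface GigabitEthernet0/1
 description WAN to ISP router 1
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/0
 description LAN, HSRP active while the ISP link is healthy
 ip address 192.0.2.2 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 1 decrement 20
!
router bgp 65001
 network 192.0.2.0 mask 255.255.255.0
 neighbor 203.0.113.1 remote-as 65000
!
! ===== R2: secondary router (assumed names and addresses) =====
! Make the same prefix look worse from R2: three prepends plus a higher MED.
route-map TO-ISP permit 10
 set as-path prepend 65001 65001 65001
 set metric 100
!
interface GigabitEthernet0/1
 description WAN to ISP router 2
 ip address 203.0.113.6 255.255.255.252
!
interface GigabitEthernet0/0
 description LAN, HSRP standby; takes over when R1 drops to 90
 ip address 192.0.2.3 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 priority 100
 standby 1 preempt
!
router bgp 65001
 network 192.0.2.0 mask 255.255.255.0
 neighbor 203.0.113.5 remote-as 65000
 neighbor 203.0.113.5 route-map TO-ISP out
```

With these numbers R1 runs at priority 110 and falls to 90 when track 1 goes down, so R2 (priority 100, preempt enabled) becomes HSRP Active, and at the same time the ISP loses R1's BGP route and falls back to R2's prepended one, which is what keeps both directions on the same router during the failure. Two caveats a practitioner should check: an ICMP probe to the peer address can stay up while the BGP session itself is down, so on platforms that support it a track on a prefix learned from the ISP (`track N ip route <prefix> <mask> reachability`) is a stricter condition; and many ISPs reset or ignore MED from customers, so the AS-path prepend is the part to rely on and should be verified from the ISP side or a looking glass. The `delay down 10 up 30` values are also assumptions and only dampen flapping; they do not synchronise CBAC state, so sessions already inspected on R1 will still be dropped by R2 at the moment of failover.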
