cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2744
Views
0
Helpful
7
Replies

Configuring ASA HA and BGP question

jeffkim.cisco
Level 1
Level 1

Please see the attachment for the diagram. I am sorry for the horrible drawing.

Question

1. CS1 is learning/getting a default route from ASR2. Shouldn't the default route the next-hop which is ASA1? There is a recursive routing on CS1. To get to ASR2, it forwards traffic to ASA1.

Can't I just create a static default route to ASA?

2. What would be reason that running iBGP between ASR routers and CS1/2 switches?

3. This is the config from ASR1. 

route-map AS500:IN permit 10

  match as-path 1

  set local-preference 100

  set weight 200

router-map AS500:IN permit 20

  match as-path 2

  set local-preference 100

  set weight 200

ip as-path access-list 1 permit ^500$

ip as-path access-list 1 permit ^500_[0-9]+$$

ip as-path access-list 2 permit .*

router bgp 1000

  neighbor 209.133.1.1 remote-as 500 <-- This is ISP

  neighbor 209.133.1.1 route-map AS500:IN in

routes learned by AS# 500 set local-pref 100 and weight 200.

routes learned by all, set local-pref 100 and weight 200.

What is the point of doing this????

4. I am trying to make two ASA and a HA pari.

Can you recommend me the things that I need to look out for?

Thank you

2 Accepted Solutions

Accepted Solutions

Hi 

You're right about path selection but my point is your routing seems not configured correctly. Maybe with some configuration we can help. 

Yes not having asa participating in BGP can work. You can have IGP (static or dynamic) and BGP over it. 

Thanks


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

Hi 

Yes this possible to announce same subnet from 2 bgp peers. 

However, to control there routing path you need to take care which one will be preferred. 

Thanks 

PS: Please don't forget to rate and mark as correct answer if this answered your question


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

7 Replies 7

Francesco Molino
VIP Alumni
VIP Alumni

Hi

To answer all your questions:

1. I can't answer why CS1 is getting default-route from ASR2 instead of ASR1. This depends on your routing configuration. Now on CS1, if we assume that best path for internet is ASR2, the next hop should be ISP2 IP in the interconnection subnet between ISP router and ASR2 (could you paste the output of your BGP table?). If you want CS1 to get ASA as next hop, you need to use next-hop-self to allow iBGP to change the next-hop, otherwise, by default, iBGP preserve the next-hop information of a route coming from eBGP. Hope my explanation is clear enough :-)

As you're using dynamic routing (BGP) I don't recommend using static route.

2. Based on output of config you attached on question 3, you're setting local-preference attributes. This attribute is kept within the same AS (iBGP). The other reason is also the path selection (attributes used to make the decision, as-path prepend,...) difference and how the protocol works between iBGP and eBGP. Also, in addition to that the loop prevention is different between iBGP and eBGP.

3. Based on the output given, all routes received on ASR1 will have a weight of 200 and local-preference of 100. Weight is Cisco proprietary attributes and used on the local device itself, it's not propagated on other BGP peers. Local-pref is spread over all iBGP peers to make a decision for a specific route. The value setup on your config (local-pref 100) is the default value. In your case (based just on this small output), weight attribute is enough to say ASR1 to choose its eBGP peer for all routes. no need to do a route-map as you have. Maybe the minding behind is different but I can't say as I just see this small part of your config.

4. There is no issue doing BGP with ASA HA (active/standby and/or active/active). In an active/standby, only the active device will mount a BGP peering and get BGP table. BGP reconvergence with the standby when it become active, take around 210 seconds. This value can be shown by using the command show route failover to see all timers.

Hope that answers all your question clearly.

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Molino,

1. Both ASR routers injecting a default route. But, for some reason CS1 took a default route from ASR2. 

When CS1 tries to reach 8.8.8.8, the default route is pointing to ASR2. To get to ASR2, there is a static route. That static route is pointing to ASA1. 

On ASA1, the static default route is ASR1.

On ASR1, it is learning 500,000 routings from ISP. And it is eBGP.

So ASR1 sends 8.8.8.8 to its ISP rather than ASR2 because it is iBGP. eBGP admin distance is 20 and iBGP is 200.

Interesting situation...and I dont know it is set up this way.....

4. ASAs are not participating BGP at this moment. 

They are independent firewall. I am trying to make them HA pair. I don't want them to participate in BGP. I want to leave it as it is just make it HA.

Can this be done?

Is there anything that I need to watch out for?

Thank you

Hi 

You're right about path selection but my point is your routing seems not configured correctly. Maybe with some configuration we can help. 

Yes not having asa participating in BGP can work. You can have IGP (static or dynamic) and BGP over it. 

Thanks


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thank you very much.

You're welcome but without config or outputs i can't help you and point where is your issue


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Molino,

Can CS1 and CS2 advertise same subnet?

For example 20.0.1.0/24 if 20.0.1.1 is connected to CS1 and 20.0.1.100 is connected to CS2.

So both CS1 and CS 2 advertise

router bgp 500

 network 20.0.1.0 255.255.255.0

Is this possible?

Hi 

Yes this possible to announce same subnet from 2 bgp peers. 

However, to control there routing path you need to take care which one will be preferred. 

Thanks 

PS: Please don't forget to rate and mark as correct answer if this answered your question


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Review Cisco Networking for a $25 gift card