GTM (big-IP) connected to new two router (two ISPs)

shady-magdy · ‎06-29-2025

Hello, kindly i need your support as we connected GTM to discover global DNS from different two ISPs on two router each router have two VRFs, on first Router first VRF the main and second is the backup, on the second router the second VRF is the main and first is the backup ,GTM is working Active, how we configure GTM configuration from the both routers (third VRF or interface on both two VRFs OR something else ?)

Mark Elsen · ‎06-29-2025

- @shady-magdy What router models are you using ?

M.

-- Let everything happen to you
   Beauty and terror
      Just keep going
     No feeling is final
Reiner Maria Rilke (1899)

shady-magdy · ‎06-30-2025

8300

shady-magdy · ‎07-02-2025

@Mark Elsen the model of routers we are using 8300

Enes Simnica · ‎07-03-2025

hello G. I have rolled out some similar setups for major clients last year, and funny enough, i learned the hard way that gtm behaves differently when u've got m/ultiple vrfs chewing on the same physical interfaces, then ISPs that swear their bgp is clean (it wasnt LOOL), and fo so security teams who think route leaking is a felony (is it?).

now based on what u shared with us, i would configure this: (so we have 2 isr 83k routers, each one of them has two vrfs, and gtm needs to monitor both isps across vrfs. Also i will use ip addresses and numbers randomly...

1.on both routers:

#Dedicated GTM VRF (avoids routing conflicts)
vrf definiti GTM-MONITOR
rd 65000:500

# ISP1 Int (Router 1 Primary)
int Gig0/0/0.100
vrf forwarding VRF1
ip add 203.0.113.2 255.255.255.252
bfd interval 300 min_rx 300 multiplier 3

! ISP2 Int (Router 2 Primary)
int Gig0/1/0.200
vrf forwarding VRF2
ip add 198.51.100.2 255.255.255.252
bfd interval 300 min_rx 300 multiplier 3

-----

2. Gtm core config/ same on both router:

gtm
vrf GTM-MONITOR
dns policy MULTI-ISP
! Router 1 prefers ISP1, falls back to ISP2
dns-server primary 203.0.113.1 vrf VRF1
dns-server backup 198.51.100.1 vrf VRF2
!
! Router 2 prefers ISP2, falls back to ISP1
dns-server primary 198.51.100.1 vrf VRF2
dns-server backup 203.0.113.1 vrf VRF1
!
probe ISP1-HEALTH
type bfd
target 203.0.113.1 vrf VRF1
!
probe ISP2-HEALTH
type bfd
target 198.51.100.1 vrf VRF2
!
peer 192.168.255.1 vrf GTM-MONITOR ! Router 1's Lo0
peer 192.168.255.2 vrf GTM-MONITOR ! Router 2's Lo0

and at the dns policy placement, maybe i had to bind it to some domaing matcing logic, (if u need that added too, let me know)...

---

3. Required route leaking: allow gtm to reach dhs servers across vrfs- route-map gtm-leak permit lets say 10, and then match ip add prefix-list gtm-dns-...... and use some show commands...

and thats all I can think of regarding this issue for now. If u like me to test it on EVE-NG before going live, just let me know, im happy to run the test..

hope it helps G

-Enes

more Cisco?!
more Gym?!

If this post solved your problem, kindly mark it as Accepted Solution. Much appreciated!

shady-magdy · ‎07-03-2025

Yes please if you would test it, it will be really appreciated thank you in advance.

shady-magdy · ‎07-06-2025

what if we configured gateway of GTM on Switch connected to both routers and then configured sub interface on both VRFs and static Routes ?

Enes Simnica · ‎07-06-2025

Gonna handle this lab later today bro. Catch you in a bit

more Cisco?!
more Gym?!

If this post solved your problem, kindly mark it as Accepted Solution. Much appreciated!

shady-magdy · ‎07-22-2025

??