Hi Paul, 

Thanks for your input. I have already completed all of the steps above with the exception of the HSRP group and the iBGP peering. 

It seems like your plan is mostly the same as mine but for some reason or consultant (who has much more experience than I) seems to think I am better off having both routers peer to both bgp neighbors and HSRP only kicks in when there is a total router failure. 

Just wondering if anyone else agrees with this? All of the documentation I have found everywhere has each router peering to 1 ISP only.

Wasn't planning on doing the iBGP part. What benefit do I get from that in this scenario? 

Hello

Do you have dual links to each isp?
Have you queried his/her reasoning behind this idea? -

res

Paul

Consultant hasn't given me a valid reason other than it is easier and there is little benefit to do it any other way. I disagree. 

Thanks all for your input. This (WAN Stuff) is all relatively new to me and I appreciate the help. 

Joseph

QOS/mHSRP/OER/PfR - and here was me saying keep it simple :-)

And yes I am just joking, all good questions.

Jon

Jon, even if you weren't joking, I often find more advanced technical solutions simpler than what needs to be done without them.  (Of course, there's is the learning issue!)

For example, ever work with someone who doesn't know how to use a dynamic routing protocol, but they try to do what dynamic routing does with static routing?  I.e. if we just adjust this static metric here, and use HSRP here and use interface tracking here, and . . .  Then, see there's one done, we now only have another 99 routers to configure.  (laugh)

Joseph

I'll rephrase my answer as it didn't really get the point across.

When I talk about simple I am not referring to the technology used but the solution. Your rather extreme example of static routing illustrates this perfectly so we are in no disagreement here.

The OPs original request was to use the second link as a backup and how to do that in relation to BGP which was what my answer was directed to.

I think I just need to remember humour is a tricky thing on forums and stick to the technical stuff :-)

Jon

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Jon,

"I'll rephrase my answer as it didn't really get the point across."

Perhaps true for us both.

"When I talk about simple I am not referring to the technology used but the solution."

Actually, so am I.

With my example of static routing vs. dynamic routing, my point was, dynamic routing might be considered more complex than static routing, technically, yet its additional complexity might actually make the overall solution less complex.

So, likewise, perhaps some additionally technical complexity, e.g. OER, mHSRP, etc., in the technical approach might actually make the overall solution actually simpler.

If that wasn't clear, the fault is mine.

"The OPs original request was to use the second link as a backup and how to do that in relation to BGP which was what my answer was directed to."

I also agree about OP's original request, and there's nothing wrong in directing an answer to the OP's actual question.  Most OP's are looking for just that.

However, I sometimes look to see if something might be suggested that's even more suited to what the OP's problem is.  Sometimes I'm able to suggest an alternative approach that hadn't even been considered.

In this case, I wondered whether both ISPs might be used actively, and whether that had been even considered.  It may have been, but often when working with BGP, it isn't because it's often difficult enough to even use ECMP with BGP let alone unequal cost.

"I think I just need to remember humour is a tricky thing on forums and stick to the technical stuff "

Regarding humour being tricky, I didn't take any offense from anything you wrote, and I hope you haven't taken offense from anything I've written.

Sometimes convening anything, with clarity, is also tricky.

I appreciate your feedback. 

Firewalls will be clustered, switch will be stacked. I just didnt draw that into the topology as it wasnt really part of my question. 

Bandwidth from one ISP is 100mbps The other link is limited to 10mbps. We don't have much choice in providers in this area. 

Worth mentioning the 10mpbs link was adequate but slow for the most part so it's a viable fall back option but useless for load balancing.  

This is all being used with existing hardware with no budget in the near future ( less than one year away)

QoS is something that would be nice to have. I doubt a 2960 running lanbase will have much to offer and I havent really looked into it fully yet. 

Until this post I hadn't heard of mHSRP, OER, or Pfr so I can't even comment on that.  

Like Jon mentioned, it would be ideal to keep this simple as I can't be the only one in the organization that knows how to support it and there isn't a lot of talent pool available if I am no longer here.  Unless these technologies will provide a significant improvement, they probably shouldn't be considered.  

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

"I just didnt draw that into the topology as it wasnt really part of my question."

Indeed, but those of us hoping to help having incomplete information precludes giving the best answer.  Also, having a better understanding of the situation sometimes allows offering a suggestion that might have been totally overlooked.

"Like Jon mentioned, it would be ideal to keep this simple as I can't be the only one in the organization that knows how to support it and there isn't a lot of talent pool available if I am no longer here.  Unless these technologies will provide a significant improvement, they probably shouldn't be considered. "

Well as Jon also noted, he was joking, but "simplicity" and support are important points.

"Simplicity" is somewhat in the eye of the beholder.  I personally like the simplest solution, but the simplest solution that meets all business goals.  Goals can be conflicting.  In your case, perhaps providing the best performance vs. supporting it.  I cannot say which is really more important to your business.  Often support of, or implementation of, unknown technologies can bias the person designing a system.  In such cases, I recommend trying to analyze the impact of new learning, and supporting it, and its advantages to the business, and then presenting that to management and let them decide what they want.  (Personally I don't believe new technologies should be used just because they can be, but only if there's a benefit to the business, and even then, the benefit needs to be compared to cost.)

"Bandwidth from one ISP is 100mbps The other link is limited to 10mbps. We don't have much choice in providers in this area. 

Worth mentioning the 10mpbs link was adequate but slow for the most part so it's a viable fall back option but useless for load balancing."

Ah!  Well the reason I asked, OER/PfR can do dynamic load balancing and can manage and monitor performance across different bandwidth links.  (Once I even used it to control a T3 and T1.)  However, the reason I asked, was if bandwidths are not too far apart, I would initially set traffic 50/50 and let OER/PfR rebalance as needed.  With 100 to 10, I would start with sending everything to the 100 link, and let OER/PfR use the 10 link, if it saw an advantage in doing so.

(BTW, mHSRP is nothing more than HSRP with different virtual IPs per interface.  It would allow your firewall to have a static route to different virtual IPs, allowing static route load balancing.  Yet, if one of your routers failed, the remaining router would pick up the other router's virtual IP.)

The reason I asked about QoS on the switch, if both router's have their own session to each ISP, depending how the firewall sends them traffic, each could send traffic to the same ISP, creating possible congestion on the switch port.

The reason I asked about the switch itself, and firewall links, depending on actual firewall, switch (stack) and router interconnections, different failures will have different impacts which can impact the logical design, i.e. your peering questions.

Anyway, so the firewall is a cluster.  Each unit has a link to a different switch stack member?

Each router only has a single link to the stack?  If so, each router links to different stack member?

Just one link to each WAN provider?  Also each on different stack member?