07-07-2017 03:13 PM - edited 03-05-2019 08:49 AM
Hello all,
Here is the scenario I am working on.
I have multiple physical sites, each with redundant ISPs running BGP, 2 separate ASs. The sites all have Layer 2 adjacency. I am running OSPF for all internal routing. I would like to eliminate 1 ISP at each site and have the other site be its backup ISP.
What is the proper / best practice to accomplish this?
I have tested a scenario where I have border routers peered with the ISP. I then peer the border router with each site's firewall with iBGP. If I get a default route from the ISP it is redistributed to the FW. I then run OSPF on the LAN connection of the FW, peering with each site's core router. I redistribute the BGP default route only to the LAN via OSPF.
If there is a failure at the FW level, border router, or ISP level the default route disappears and the other site's route appears. Seems to be working as expected in the LAB.
Is this the correct method? I have concerns with the FW running BGP and OSPF. Are there security concerns doing this?
Or is there a totally different approach to take? Thanks in advance!
07-08-2017 01:12 PM
Hi
I think that, if properly configured, it should work (probably some sort of metric manipulation is required to force the firewalls to choose the right path), but in my experience a routing protocol between routers and firewalls could lead to problems because:
So, usually I prefer to just use FHRP.
I have border routers peered with the ISP. I then peer the border router with each site's firewall with iBGP. If I get a default route from the ISP it is redistributed to the FW
Don't forget that you have to properly configure eBGP to make one link primary and the other backup (usually as-prepend is the way)
Bye
enrico
PS: rate if useful
07-08-2017 07:43 PM
Enrico,
I'm not very familiar with FHRP so forgive me. But I need to protect more than just the first, or next hop. The next hop needs to know about the fw status, border router, and ISP.
Can FHRP do this? Or just provide redundancy for the gateway?
Thank you.
07-10-2017 05:36 AM
Hi
Do you have a diagram of the planning?
Thank you in advance.
07-10-2017 08:26 AM
I attached the diagram.
07-10-2017 08:32 AM
Thank you, my understanding is that if ISP 1 (left) is down, site A should go through site B and then out to ISP 2 (right), is that correct?
07-10-2017 08:35 AM
That is the goal Julio. And vice versa. Thank you again.
07-10-2017 08:41 AM
Ok perfect, before studying the case and providing the proper config, I would like to know first:
- How are sites A and B getting internet access? Is the iBGP firewall or router advertising a default route to each site router, or do you have a default static route on each site router (A and B)?
07-10-2017 09:26 AM
Currently both sites' core routers have a static route to their site's firewall. So if the internet is down they just dead-end. My plan is to have the default route advertised by each ISP and then "handed down" to the next device.
07-10-2017 09:34 AM
Ok perfect, it is already giving me an idea of your topology. Ok, please let me provide you a solution. There are many ways, some more complex than others.
07-10-2017 02:40 PM
Hi
Below you will find a scheme that I have used before and works perfectly, it is using EEM scripts + IP SLA + Track.
Router 2
Step 1) Create a static route to reach a public IP through the ISP1, do not advertise it into OSPF, so you can add a tag, example:
Google DNS
ip route 8.8.8.8 255.255.255.255 10.12.0.1 name SLA-TEST tag 777
Step 2) Create an SLA that periodically pings the IP address above from a source that is able to reach the Internet (any IP with internet access)
ip sla 10
icmp-echo 8.8.8.8 source-ip <ip with internet access, it could be a loopback> (or source-interface <interface>)
frequency 5 <--- every 5 seconds it will ping the IP 8.8.8.8
Step 3) Enable the IP SLA
ip sla schedule 10 life forever start-time now
Step 4) Create a track
track 10 ip sla 10 reachability
delay down 30 <--- it will generate the message %TRACK-6-STATE: 10 ip sla 10 reachability Up -> Down after 30 seconds without response.
Step 5) Apply the track to the default route
ip route 0.0.0.0 0.0.0.0 10.12.0.1 track 10
Step 6) Create an EEM script to perform an automatic failover once the following message is shown on the router.
event manager applet FAILOVER-INTERNET
event tag prim syslog occurs 1 pattern "%TRACK-6-STATE: 10 ip sla 10 reachability Up -> Down"
trigger
correlate event prim
action 1.0 cli command "enable"
action 2.0 cli command "configure terminal"
action 3.0 cli command "no ip route 0.0.0.0 0.0.0.0 10.12.0.1 track 10"
action 4.0 cli command "ip route 0.0.0.0 0.0.0.0 10.23.0.3"
action 5.0 cli command "exit"
action 6.0 cli command "write memory"
So once the EEM is triggered, it will remove the default route and create a new one pointing to Router 3; the traffic will be moved to Router 3, then to the firewall, to the edge router and finally to ISP 2.
The same can be implemented on the Router 3.
Hope it is useful
:-)
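As an added example (not from the thread, nor Cisco code): a Python checker that cross-references the IP SLA, track, static-route and EEM identifiers in the Router 2 configuration above, since a mismatched id or a probe that is not pinned to the ISP 1 link silently leaves the failover inert; the sample config is reconstructed from the post and the probe source address 10.12.0.2 is an assumed placeholder.

```python
import re

# Constructed sample: the Router 2 failover configuration posted in the thread
# (the probe source address 10.12.0.2 is a placeholder, not from the post).
ROUTER2_CONFIG = """\
ip route 8.8.8.8 255.255.255.255 10.12.0.1 name SLA-TEST tag 777
ip sla 10
 icmp-echo 8.8.8.8 source-ip 10.12.0.2
 frequency 5
ip sla schedule 10 life forever start-time now
track 10 ip sla 10 reachability
 delay down 30
ip route 0.0.0.0 0.0.0.0 10.12.0.1 track 10
event manager applet FAILOVER-INTERNET
 event tag prim syslog occurs 1 pattern "%TRACK-6-STATE: 10 ip sla 10 reachability Up -> Down"
 action 3.0 cli command "no ip route 0.0.0.0 0.0.0.0 10.12.0.1 track 10"
 action 4.0 cli command "ip route 0.0.0.0 0.0.0.0 10.23.0.3"
"""

def check_failover_config(cfg: str) -> list[str]:
    """Cross-check the SLA, track, route and EEM ids; return a list of findings."""
    lines = [l.strip() for l in cfg.splitlines() if l.strip()]
    slas = {m.group(1) for l in lines if (m := re.fullmatch(r"ip sla (\d+)", l))}
    tracks = {m.group(1): m.group(2) for l in lines
              if (m := re.fullmatch(r"track (\d+) ip sla (\d+) reachability", l))}
    probes = [m.group(1) for l in lines if (m := re.match(r"icmp-echo (\S+)", l))]
    host_routes = {m.group(1): m.group(2) for l in lines
                   if (m := re.match(r"ip route (\S+) 255\.255\.255\.255 (\S+)", l))}
    tracked = [m.groups() for l in lines
               if (m := re.fullmatch(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+) track (\d+)", l))]
    expected_msgs = {f"%TRACK-6-STATE: {t} ip sla {s} reachability Up -> Down" for t, s in tracks.items()}
    findings = [f"track {t} references undefined ip sla {s}" for t, s in tracks.items() if s not in slas]
    for nh, t in tracked:
        if t not in tracks:
            findings.append(f"default route via {nh} references undefined track {t}")
        # The probe must be pinned to the tracked link, or it also succeeds over the backup path.
        for target in probes:
            if host_routes.get(target) != nh:
                findings.append(f"probe {target} is not pinned to next hop {nh}")
    for l in lines:
        if (m := re.search(r'pattern "([^"]+)"', l)) and m.group(1) not in expected_msgs:
            findings.append(f"EEM pattern does not match a defined track: {m.group(1)}")
        if (m := re.search(r'cli command "no ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+) track (\d+)"', l)):
            if m.groups() not in tracked:
                findings.append(f"EEM removes a default route that is not configured: {m.group(0)}")
        if (m := re.search(r'cli command "ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)\s*"', l)):
            # The replacement route carries no track, so restoring the primary path is a manual step.
            findings.append(f"EEM installs backup default via {m.group(1)} without a track; failback is manual")
    return findings
```

On the posted configuration the only finding is the missing automatic failback; changing any one of the ids reveals how easily the chain breaks.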