06-27-2020 09:16 PM
Hello,
We have a project to create a network in a data center to host a few servers and establish BGP connectivity with two different ISPs.
Please see the attached diagram.
The company has a public /24 network.
We have 3 routers: 2 core routers connected to the ISPs and 1 "server" router on the left.
The design is to use Core-1 as the primary connection only (AS123),
and I have the following questions:
1) Can I use OSPF on the "inside" to allow failover in case the primary connection goes down?
2) What IP range should I use for OSPF and iBGP (public or private range)?
3) For security reasons, do I use public IPs on the servers or private IPs (NAT)?
Thank you
06-27-2020 10:36 PM
1) Can I use OSPF on the "inside" to allow failover in case the primary connection goes down?
BB - Yes, you can use it if you like; you can use BFD and IP SLA to track for failover. Make BGP use the preferred path, AS 123, and if that fails go to 456.
2) What IP range should I use for OSPF and BGP (public or private range)?
BB - If you have public IPs you can use them (anything from the RFC 1918 ranges will also do the job).
3) For security reasons, do I use public IPs on the servers or private IPs (NAT)?
BB - For security reasons I always suggest using a private IP range from RFC 1918 for the servers, with NAT.
If this is a DC environment, make sure high availability or redundancy is taken care of.
Here is some reference:
https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13762-40.html
06-29-2020 12:44 AM
Hello eugen.baum@rogers.com,
About question 1 I would like to add the following:
1) You can use OSPF, and you can have the two internet routers generate an OSPF default route that checks the next-hop of the eBGP default route:
Router_Internet1:
! Only the default route is eligible for conditional origination
ip prefix-list ONLY-DEF permit 0.0.0.0/0
! Expected eBGP next-hop toward AS 123 (placeholder address)
access-list 11 remark AS 123 eBGP next-hop
access-list 11 permit host A.B.C.D
route-map CHECK-EBGP permit 10
 match ip address prefix-list ONLY-DEF
 match ip next-hop 11
 set metric-type type-1
 set metric 50
router ospf 10
 default-information originate route-map CHECK-EBGP
Router_Internet2:
! Same check on the second router, but with a worse metric so it is only used when Core-1 stops originating
ip prefix-list ONLY-DEF permit 0.0.0.0/0
access-list 12 remark AS 123 eBGP next-hop
access-list 12 permit host E.F.G.H
route-map CHECK-EBGP permit 10
 match ip address prefix-list ONLY-DEF
 match ip next-hop 12
 set metric-type type-1
 set metric 500
router ospf 10
 default-information originate route-map CHECK-EBGP
By checking the next-hop, the first internet router will generate a default route in OSPF only as long as the BGP next-hop for the default route is equal to the expected eBGP next-hop.
For points 2 and 3, using private IP addresses as much as possible is to be preferred for security reasons.
Also consider the use of two internal routers to achieve better fault tolerance, as already suggested.
Hope this helps,
Giuseppe
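As an added illustration (not from the thread or from Cisco), the following Python model of the conditional-default configuration above shows what the server router sees in three states: both ISPs up, the AS 123 session down, and both down. The addresses are constructed documentation-range placeholders, and the model assumes the iBGP session between the two cores does not rewrite the next-hop (no next-hop-self), which is what the ACL check relies on.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class BgpDefault:
    """The 0.0.0.0/0 entry in a core router's BGP table."""
    next_hop: str   # carried unchanged over iBGP (assumes no next-hop-self)
    source: str     # "eBGP" from its own ISP, or "iBGP" from the other core

@dataclass
class InternetRouter:
    name: str
    expected_next_hop: str          # the host entry of access-list 11 / 12
    metric: int                     # set metric 50 (Core-1) or 500 (Core-2)
    bgp_default: Optional[BgpDefault] = None

    def originates_default(self) -> bool:
        """route-map CHECK-EBGP: the prefix must be 0.0.0.0/0 (already the
        case here) and its next-hop must match the ACL.  A default learned
        via iBGP from the other core carries that router's ISP next-hop,
        so the match fails and no OSPF default is generated."""
        d = self.bgp_default
        return d is not None and d.next_hop == self.expected_next_hop

def chosen_exit(routers: List[InternetRouter]) -> Optional[str]:
    """Server-router view: among the routers currently originating a
    type-1 default, pick the lowest metric (internal link costs ignored)."""
    active = [r for r in routers if r.originates_default()]
    return min(active, key=lambda r: r.metric).name if active else None

def failover_scenario():
    # Constructed placeholder addresses (documentation ranges), not the OP's.
    core1 = InternetRouter("Core-1", "203.0.113.1", 50)
    core2 = InternetRouter("Core-2", "198.51.100.1", 500)
    # Normal operation: both eBGP sessions up, Core-1 wins with metric 50.
    core1.bgp_default = BgpDefault("203.0.113.1", "eBGP")
    core2.bgp_default = BgpDefault("198.51.100.1", "eBGP")
    normal = chosen_exit([core1, core2])
    # AS 123 session down: Core-1 now only has the default via iBGP from
    # Core-2, with Core-2's ISP as next-hop, so it stops originating.
    core1.bgp_default = BgpDefault("198.51.100.1", "iBGP")
    failed = chosen_exit([core1, core2])
    # Both ISPs down: neither router originates, no OSPF default at all.
    core1.bgp_default = core2.bgp_default = None
    both_down = chosen_exit([core1, core2])
    return normal, failed, both_down
```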