
Router BGP HSRP with Failover Configuration

tom.neteng
Level 1

I'm looking for config validation and any improvements or recommendations for the following scenario:

2x Internet routers running HSRP; each is connected to a different provider, receiving default routes.

One will be the primary active and the other the standby, not in regular use at this time.

I am only concerned with the ability to have a single firewall failure or single ISP failure not take down the site.

R2

track 1 ip route 0.0.0.0 0.0.0.0 reachability
!
track 2 ip sla 2 reachability
!
!
interface GigabitEthernet0/0/0
description Primary Internet Link
ip address 1.1.1.1 255.255.255.252
ip access-group dos_protect in
negotiation auto
no cdp enable
!
interface GigabitEthernet0/0/1
description Link to FW
ip address 1.2.4.6 255.255.255.240
standby 1 ip 1.2.4.7
standby 1 priority 110
standby 1 preempt
standby 1 track 1 decrement 20
standby 1 track 2 decrement 20
negotiation auto
no cdp enable
!
interface GigabitEthernet0/0/2
ip address 172.16.1.2 255.255.255.248
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 10.10.10.2 255.255.255.0
negotiation auto
!
!
router bgp 100
bgp log-neighbor-changes
neighbor 172.16.1.1 remote-as 100
neighbor 172.16.1.1 description R1 BGP Peer
neighbor 172.16.1.1 weight 20000
no sync
!
router bgp 8675309
bgp log-neighbor-changes
network 1.2.4.8 mask 255.255.255.240
aggregate-address 1.2.4.0 255.255.255.0
neighbor 1.1.1.2 remote-as 9035768
neighbor 1.1.1.2 description ISP1 Peer
neighbor 1.1.1.2 weight 40000
neighbor 1.1.1.2 prefix-list default_only in
neighbor 1.1.1.2 prefix-list outbound_bgp out


ip bgp-community new-format
!
ip access-list extended dos_protect
deny ip 192.168.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
permit ip any any
!
!
ip prefix-list default_only seq 5 permit 0.0.0.0/0
!
ip prefix-list outbound_bgp seq 5 permit 1.2.4.0/24
ip sla 2
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0/0
ip sla schedule 2 life forever start-time now
access-list 50 permit 10.1.1.22
!
route-map prepend permit 10
set as-path prepend 8675309 8675309 8675309 8675309 8675309
!

R1

track 1 ip route 0.0.0.0 0.0.0.0 reachability
!
track 2 ip sla 2 reachability
!
!
interface GigabitEthernet0/0/0
description Secondary Internet Link
ip address 2.1.1.1 255.255.255.252
ip access-group dos_protect in
negotiation auto
no cdp enable
!
interface GigabitEthernet0/0/1
description Link to FW
ip address 1.2.4.5 255.255.255.240
standby 1 ip 1.2.4.7
standby 1 preempt
standby 1 track 1 decrement 20
standby 1 track 2 decrement 20
negotiation auto
no cdp enable
!
interface GigabitEthernet0/0/2
ip address 172.16.1.1 255.255.255.248
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 10.10.10.2 255.255.255.0
negotiation auto
!
!
router bgp 100
bgp log-neighbor-changes
neighbor 172.16.1.2 remote-as 100
neighbor 172.16.1.2 next-hop-self
neighbor 172.16.1.2 description R2 BGP Peer
neighbor 172.16.1.2 weight 40000
no sync
!
router bgp 8675309
bgp log-neighbor-changes
network 1.2.4.8 mask 255.255.255.240
aggregate-address 1.2.4.0 255.255.255.0
neighbor 2.1.1.2 remote-as 2121555
neighbor 2.1.1.2 description ISP1 Peer
neighbor 2.1.1.2 weight 40000
neighbor 2.1.1.2 prefix-list default_only in
neighbor 2.1.1.2 prefix-list outbound_bgp out
!
ip bgp-community new-format
!
ip access-list extended dos_protect
deny ip 192.168.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
permit ip any any
!
!
ip prefix-list default_only seq 5 permit 0.0.0.0/0
!
ip prefix-list outbound_bgp seq 5 permit 1.2.4.0/24
ip sla 2
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0/0
ip sla schedule 2 life forever start-time now
!
route-map prepend permit 10
set as-path prepend 8675309 8675309 8675309 8675309 8675309 8675309 8675309 8675309 8675309 8675309
!

Accepted Solutions

Rich Uline
Level 1

Tom,

Here is what I would do:

- Remove the HSRP standby tracking from both routers

R1:
int gi0/0/1
 no standby 1 track 1 decrement 20
 no standby 1 track 2 decrement 20
R2:
int gi0/0/1
 no standby 1 preempt
 no standby 1 track 1 decrement 20
 no standby 1 track 2 decrement 20

- Remove the SLAs from both routers

no ip sla 2
no track 1
no track 2

- Remove AS 100 from both routers

no router bgp 100

+ Add R2 as a peer under the Jenny AS in R1

router bgp 8675309
 neighbor 172.16.1.2 remote-as 8675309
 neighbor 172.16.1.2 next-hop-self

+ Add R1 as a peer under the Jenny AS in R2

router bgp 8675309
 neighbor 172.16.1.1 remote-as 8675309
 neighbor 172.16.1.1 next-hop-self

Expected behavior:

R1 and R2 will both install the default route from their respective ISP eBGP peers. They will each advertise their default route to each other, but it will not be installed due to the eBGP route being preferred over the iBGP route. When R1's eBGP peer drops, it will install the default route from R2. Conversely, when R2's eBGP peer drops, it will install the default route from R1. Because we have this routing failover connection between the gi0/0/2 interfaces of R1 and R2, we don't need HSRP tracking at all.
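
The failover behaviour described in this answer, modelled as an added example (not code from the thread): a simplified subset of the Cisco best-path order applied to the default route on R1 and R2. The `ISP-R1`/`ISP-R2` labels and the AS-path lengths are constructed; `isp_weight` stands for the `weight 40000` set on the ISP neighbor in the original configs.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Path:
    via: str             # neighbor the default route was learned from
    ebgp: bool           # True when learned from an eBGP peer
    as_path_len: int
    weight: int = 0      # Cisco-local, never sent to the peer
    local_pref: int = 100

# Ordered subset of the best-path steps that matter for this design.
STEPS = [
    ("weight", lambda p: -p.weight),
    ("local-pref", lambda p: -p.local_pref),
    ("as-path length", lambda p: p.as_path_len),
    ("eBGP over iBGP", lambda p: 0 if p.ebgp else 1),
]

def best_path(paths):
    """Return (winning Path or None, name of the step that decided)."""
    if not paths:
        return None, "no route"
    remaining = list(paths)
    decided = "only path" if len(paths) == 1 else "tie"
    for name, key in STEPS:
        top = min(key(p) for p in remaining)
        kept = [p for p in remaining if key(p) == top]
        if len(kept) < len(remaining):
            decided = name
        remaining = kept
    return remaining[0], decided

def converge(isp_up, as_len, isp_weight):
    """Default-route choice on R1/R2; dict arguments are keyed by router."""
    peer = {"R1": "R2", "R2": "R1"}
    best = {r: (None, "no route") for r in peer}
    for _ in range(4):  # two routers settle within a few rounds
        new = {}
        for r in peer:
            cands = []
            if isp_up[r]:
                cands.append(Path("ISP-" + r, True, as_len[r], isp_weight))
            peer_best = best[peer[r]][0]
            # A router sends its iBGP peer only a best path learned via eBGP.
            if peer_best is not None and peer_best.ebgp:
                cands.append(Path(peer[r], False, peer_best.as_path_len))
            new[r] = best_path(cands)
        best = new
    return best
```

With the weight left at 0 and unequal AS-path lengths, the router with the longer path selects the iBGP default at the AS-path step, before eBGP-over-iBGP is evaluated; the `weight 40000` on the ISP neighbor keeps each router on its own provider.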


3 Replies

Thanks.

What if, now, the client decided that they want to upgrade the ISRs with more RAM to accept full Internet routing tables and be able to take the best path and use PBR to prefer certain providers for certain traffic?

Tom

Tom,

The basic configuration should not change if you were to upgrade the routers. To accept the full Internet routing table you would simply remove the inbound prefix filter, and your policy-based routing implementation would depend on the specific requirements.
