cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Community Helping Community

238
Views
0
Helpful
4
Replies
Enthusiast

Using BGP as an Alternate Path to a failed Circuit's Subnet

Hi All,

I have an international hub-and-spoke VPN-based network consisting of 164 branches and a data center with two ISP circuits in the US. Presently I have no automated redundancy. The two ISP circuits live on different firewalls, but connect to the same 6509 core switch. The way I have it set up presently is all of North, Central and South America all VPN into ISP #1 connected to firewall #1, and all of EMEA/APAC VPN into ISP #2 connected to firewall #2. The 6509 core switch then has static routes to the subnets of the branches, pointing to whichever firewall the VPN is built on for a given branch. The firewalls then have the mandatory default route out to each respective public gateway. The downside to this, of course, is that if one of the ISP's goes down, half of the my sites go with it, because there is no automatic redundancy to fail the sites over, since all of this is static.

My VP came to me this morning. He wants to use BGP to fix this, but the way he understands it working is not a way that I've ever understood BGP to work. His understanding is that you can have one firewall, with both ISP lines connected into it, and set up a trust between ISP 1 and ISP 2 and eBGP peer to both of them from your ASN to their ASN. Then, when ISP 1 fails, ISP 2 will take over in such a way that is NOT traditional active/standby circuit failover, but is rather that ISP 2 will provide the transport routing via it's own transport path back to ISP 1's IP subnet, even though ISP 1 has failed. 

The end result would be that although ISP #1 is unreachable over it's own ISP's transport infrastructure for whatever outage related reason, BGP would change paths to provide connectivity to ISP 1's subnet, but over my ISP 2's transport infrastructure, and that would mean that all of the branch ASA's static IPSec VPN configs (peer IP address) would never need to change to ISP 2's address when ISP 1 is technically down.  Has anyone ever heard of this?

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Guru

Re: Using BGP as an Alternate Path to a failed Circuit's Subnet

 

To answer your specific question, I think the VP is just talking about advertising ISP1's address range to ISP2 so if ISP1 goes down traffic can route to you via ISP2 although bear in mind ISPs are not always willing to do this. 

 

The whole thing is a lot easier if you own the addressing yourself so you can then advertise the same IPs to both ISPs. 

 

By the way putting both ISPs onto the same firewall creates a single point of failure. 

 

Jon

View solution in original post

4 REPLIES 4
Highlighted

Re: Using BGP as an Alternate Path to a failed Circuit's Subnet

Hi Dean,

 

I have a couple of questions:-

1) Is your VPN DMVPN? If yes, do you consider configuring multiple hubs on each spoke?

2) Do you have your own public IP address block? If yes, how do you advertise your public IP address block to each ISP?

 

HTH,

Meheretab

VIP Advocate

Re: Using BGP as an Alternate Path to a failed Circuit's Subnet

Hi,

I hope you are using DMVPN for your site connectivity. Then you can configure DUAL HUB, DUAL CLOUD DMVPN design and here is the guide: https://networklessons.com/uncategorized/dmvpn-dual-hub-dual-cloud

 

Here is a Video to explain of BGP design: https://www.youtube.com/watch?v=kCVMkMym9MY

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution If this comment will make help you!
Hall of Fame Guru

Re: Using BGP as an Alternate Path to a failed Circuit's Subnet

 

To answer your specific question, I think the VP is just talking about advertising ISP1's address range to ISP2 so if ISP1 goes down traffic can route to you via ISP2 although bear in mind ISPs are not always willing to do this. 

 

The whole thing is a lot easier if you own the addressing yourself so you can then advertise the same IPs to both ISPs. 

 

By the way putting both ISPs onto the same firewall creates a single point of failure. 

 

Jon

View solution in original post

Enthusiast

Re: Using BGP as an Alternate Path to a failed Circuit's Subnet

Thank you Jon.  This is correct.

CreatePlease to create content
Content for Community-Ad
FusionCharts will render here