10-04-2019 12:12 PM - edited 10-04-2019 12:17 PM
Hi All,
I have an international hub-and-spoke VPN-based network consisting of 164 branches and a data center with two ISP circuits in the US. Presently I have no automated redundancy. The two ISP circuits live on different firewalls, but connect to the same 6509 core switch. The way I have it set up presently is that all of North, Central and South America VPN into ISP #1 connected to firewall #1, and all of EMEA/APAC VPN into ISP #2 connected to firewall #2. The 6509 core switch then has static routes to the subnets of the branches, pointing to whichever firewall the VPN is built on for a given branch. The firewalls then have the mandatory default route out to each respective public gateway. The downside to this, of course, is that if one of the ISPs goes down, half of my sites go with it, because there is no automatic redundancy to fail the sites over, since all of this is static.
My VP came to me this morning. He wants to use BGP to fix this, but the way he understands it working is not a way that I've ever understood BGP to work. His understanding is that you can have one firewall, with both ISP lines connected into it, and set up a trust between ISP 1 and ISP 2 and eBGP peer to both of them from your ASN to their ASN. Then, when ISP 1 fails, ISP 2 will take over in such a way that is NOT traditional active/standby circuit failover, but is rather that ISP 2 will provide the transport routing via its own transport path back to ISP 1's IP subnet, even though ISP 1 has failed.
The end result would be that although ISP #1 is unreachable over its own ISP's transport infrastructure for whatever outage-related reason, BGP would change paths to provide connectivity to ISP 1's subnet, but over my ISP 2's transport infrastructure, and that would mean that all of the branch ASAs' static IPsec VPN configs (peer IP address) would never need to change to ISP 2's address when ISP 1 is technically down. Has anyone ever heard of this?
10-05-2019 08:55 AM
To answer your specific question, I think the VP is just talking about advertising ISP1's address range to ISP2 so if ISP1 goes down traffic can route to you via ISP2, although bear in mind ISPs are not always willing to do this.
The whole thing is a lot easier if you own the addressing yourself so you can then advertise the same IPs to both ISPs.
By the way putting both ISPs onto the same firewall creates a single point of failure.
Jon
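Jon's "advertise the same IPs to both ISPs" design, written out as an added Cisco IOS example (not configuration from this thread or from the poster's network). It assumes a provider-independent 203.0.113.0/24 that the VPN hub address lives in, a local AS 64500, and ISP1/ISP2 ASNs and peer addresses that are placeholders from the documentation ranges.

```cisco
! Assumed (all placeholders): PI block 203.0.113.0/24, local AS 64500,
! ISP1 = AS 64496 at 192.0.2.1, ISP2 = AS 64497 at 198.51.100.1.
!
! Only the aggregate is ever announced; internal or leaked routes are dropped
ip prefix-list OUR-PREFIX seq 5 permit 203.0.113.0/24
! Accept nothing but a default from each upstream, so a misbehaving peer
! cannot push a full table or a hijacked more-specific into this router
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
route-map TO-ISP1 permit 10
 match ip address prefix-list OUR-PREFIX
!
! Prepend towards ISP2 so the Internet prefers ISP1 while it is healthy.
! When the ISP1 session drops, only the prepended path remains, so traffic
! to the hub address arrives via ISP2 and no spoke peer IP has to change.
route-map TO-ISP2 permit 10
 match ip address prefix-list OUR-PREFIX
 set as-path prepend 64500 64500
!
! Null route keeps the aggregate in the RIB so BGP can originate it;
! the high distance lets any real route to the same prefix win
ip route 203.0.113.0 255.255.255.0 Null0 250
!
router bgp 64500
 bgp log-neighbor-changes
 network 203.0.113.0 mask 255.255.255.0
 neighbor 192.0.2.1 remote-as 64496
 neighbor 192.0.2.1 description ISP1
 neighbor 192.0.2.1 password <ISP1-SHARED-SECRET>
 neighbor 192.0.2.1 ttl-security hops 1
 neighbor 192.0.2.1 prefix-list DEFAULT-ONLY in
 neighbor 192.0.2.1 route-map TO-ISP1 out
 neighbor 192.0.2.1 maximum-prefix 10
 neighbor 198.51.100.1 remote-as 64497
 neighbor 198.51.100.1 description ISP2
 neighbor 198.51.100.1 password <ISP2-SHARED-SECRET>
 neighbor 198.51.100.1 ttl-security hops 1
 neighbor 198.51.100.1 prefix-list DEFAULT-ONLY in
 neighbor 198.51.100.1 route-map TO-ISP2 out
 neighbor 198.51.100.1 maximum-prefix 10
```

The session password and ttl-security (GTSM) lines only work if each ISP configures the matching side, and both ISPs must agree to accept the prefix in the first place, which is the willingness Jon warns about.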
10-04-2019 04:04 PM
Hi Dean,
I have a couple of questions:
1) Is your VPN DMVPN? If yes, do you consider configuring multiple hubs on each spoke?
2) Do you have your own public IP address block? If yes, how do you advertise your public IP address block to each ISP?
HTH,
Meheretab
10-05-2019 02:32 AM
Hi,
I hope you are using DMVPN for your site connectivity. Then you can configure a DUAL HUB, DUAL CLOUD DMVPN design, and here is the guide: https://networklessons.com/uncategorized/dmvpn-dual-hub-dual-cloud
Here is a video explaining the BGP design: https://www.youtube.com/watch?v=kCVMkMym9MY
10-07-2019 05:32 AM
Thank you Jon. This is correct.