Use Static Routes or let iBGP update the best way to get back to the internal network?

jlehman01
Level 1

Quick backstory:

We have two public networks (A and B).
R3 is actually a FirePower 4110 and is NATing for A and B.

R1 and R2 are ASRs running BGP and iBGP.
Network A is a Class C and R3, R2, and R1 are connected on it via a switch.
Network B is a /20 and not used anywhere else for utility, just NATing to this space from R3.
I have static routes pointing network B to the outside IP of R3.
I also have static routes pointing network A to the outside IP of R3 but with a higher metric because it's directly connected.
I am advertising A and B with BGP.

I wanted to get more experienced people's opinion. Should I use a backup static with a higher metric or just advertise the main static route and let iBGP pick up the best way back?

[Image: Simple Network]

In the picture above the scenario would be a cable failing between SW1 and R1. Traffic is coming in from R4 trying to get to Network B. The static route would say something like 'ip route NETWORK_B MASK_B fa0/0'. When fa0/0 goes down it will pull that static route out. R2 still has a good route to NETWORK_B (because it's directly connected) and so it still advertises this in BGP. Then the table on R1 will use BGP's table and route over that iBGP link to R2. Or I can just make a backup static route pointing to R2's interface.


Does anyone have a preference in this situation? Currently I'm using backup static routes with a metric of 10 and don't see an issue but it seems kinda redundant. I know BGP convergence is super slow without BFD (which is the next step, but also don't think it affects this design) so that's why I put in backup static routes.
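A small model of R1's route selection under the two options described above, added here as an illustration and not code from the original post. It assumes Cisco IOS default administrative distances (static 1, iBGP 200), a floating static at AD 10 as the poster describes, the interface name fa0/0 from the post, and a constructed "r2-link" label for the link that carries the iBGP session to R2.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Cisco IOS default administrative distances (AD); the lowest AD wins.
AD_STATIC_DEFAULT = 1
AD_IBGP = 200


@dataclass
class Route:
    prefix: str
    next_hop: str      # egress interface or next-hop router
    source: str        # "static" or "ibgp"
    distance: int      # administrative distance
    depends_on: str    # interface whose failure withdraws this route


@dataclass
class Rib:
    """Per-router routing table with IOS-style best-route selection."""
    routes: List[Route] = field(default_factory=list)
    down_interfaces: Set[str] = field(default_factory=set)

    def candidates(self, prefix: str) -> List[Route]:
        # A static route bound to a down interface is pulled from the table,
        # and an iBGP route is lost when the link carrying the session fails.
        return [r for r in self.routes
                if r.prefix == prefix and r.depends_on not in self.down_interfaces]

    def best(self, prefix: str) -> Optional[Route]:
        cands = self.candidates(prefix)
        return min(cands, key=lambda r: r.distance) if cands else None


def build_r1(with_floating_static: bool) -> Rib:
    """R1's table for NETWORK_B in the thread's topology (constructed entries).

    fa0/0 faces SW1 (toward R3); 'r2-link' is the assumed iBGP link to R2.
    """
    rib = Rib()
    # ip route NETWORK_B MASK_B fa0/0                -> AD 1
    rib.routes.append(Route("NETWORK_B", "fa0/0", "static", AD_STATIC_DEFAULT, "fa0/0"))
    if with_floating_static:
        # ip route NETWORK_B MASK_B <R2 address> 10  -> floating static, AD 10
        rib.routes.append(Route("NETWORK_B", "R2", "static", 10, "r2-link"))
    # NETWORK_B learned from R2 over iBGP            -> AD 200
    rib.routes.append(Route("NETWORK_B", "R2", "ibgp", AD_IBGP, "r2-link"))
    return rib


def path_to_b(with_floating_static: bool, fa0_0_down: bool) -> Tuple[str, str]:
    """Return (source, next_hop) that R1 installs for NETWORK_B in this state."""
    rib = build_r1(with_floating_static)
    if fa0_0_down:
        rib.down_interfaces.add("fa0/0")
    best = rib.best("NETWORK_B")
    return (best.source, best.next_hop) if best else ("none", "none")


def ibgp_route_ever_used(with_floating_static: bool) -> bool:
    """True if some failure state leaves the iBGP route as R1's best path."""
    return any(path_to_b(with_floating_static, down)[0] == "ibgp"
               for down in (False, True))


if __name__ == "__main__":
    for floating in (True, False):
        for down in (False, True):
            print(f"floating={floating!s:5} fa0/0 down={down!s:5} ->",
                  path_to_b(floating, down))
        print("iBGP route ever selected:", ibgp_route_ever_used(floating))
```

What the model shows: with the floating static present, the AD-10 entry always beats the AD-200 iBGP route, so the iBGP path for NETWORK_B is never installed on R1 in either state; without it, the iBGP route takes over the moment the interface-bound static is withdrawn. Both give a working path; the difference is only which table entry carries the traffic.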

5 Replies

Philip D'Ath
VIP Alumni

I would use iBGP.

You can enable BFD to get the best response. You could also adjust the BGP timers with something like "timers bgp 15 45" to make convergence happen faster (but I would use BFD as my first choice).

Philip,

Thanks for the quick reply. I don't want to mess with the BGP timers. I'm trying to stick to best practices and the most efficient config. I think BFD is a good idea. I'll keep this in mind. I just want the simplest config and it seems like letting BGP deal with it achieves the same effect with little downtime. It's mainly R1 taking the static route out and using the iBGP route. So I don't even think BFDs would come into play in the scenario; it's not like the whole BGP process goes down. But I definitely want to add BFD in the near future to help with fast convergence with traffic leaving our network.

Reza Sharifi
Hall of Fame

For outgoing traffic, are you using VRRP or HSRP? If you use HSRP on the ASRs, you can simply point your static route on r3 to the VIP of the HSRP and configure tracking for the interface that connects r1 to s1 and r2 to s1. Now if the connection between s1 and r1 is down, r2 will become the active HSRP within 2 or 3 seconds and start forwarding traffic from s1 to r2.

HTH
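An added model of the HSRP behaviour this reply relies on (priority, preempt, interface tracking with a decrement, and loss of hellos when the group's own interface fails); it is not code from the thread. The router names R1/R2, the priorities 110/100, the "lan"/"uplink" interface labels and the decrement values are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

HSRP_DEFAULT_PRIORITY = 100   # IOS default for 'standby <group> priority'


@dataclass
class HsrpRouter:
    name: str
    lan_interface: str                     # interface the HSRP group runs on
    priority: int = HSRP_DEFAULT_PRIORITY  # standby <group> priority <n>
    preempt: bool = False                  # standby <group> preempt
    # standby <group> track <interface> <decrement>
    tracked: Dict[str, int] = field(default_factory=dict)

    def participating(self, down: Set[str]) -> bool:
        # If the group's own interface is down the router sends no hellos
        # and is effectively out of the election.
        return self.lan_interface not in down

    def effective_priority(self, down: Set[str]) -> int:
        penalty = sum(dec for intf, dec in self.tracked.items() if intf in down)
        return max(0, self.priority - penalty)


def elect_active(routers: List[HsrpRouter], current_active: str,
                 down: Set[str]) -> Optional[str]:
    """Return the router that is Active once the group has reacted to 'down'.

    Modelled rules: the current Active keeps the role unless another router
    both has a higher effective priority and is configured to preempt; if the
    Active stops sending hellos, the best remaining router takes over after
    the hold time expires.
    """
    live = [r for r in routers if r.participating(down)]
    if not live:
        return None
    eff = {r.name: r.effective_priority(down) for r in live}
    if current_active in eff:
        challengers = [r for r in live
                       if r.preempt and eff[r.name] > eff[current_active]]
        if not challengers:
            return current_active
        return max(challengers, key=lambda r: eff[r.name]).name
    return max(live, key=lambda r: eff[r.name]).name


def failover_result(event: Optional[str], r1_track_decrement: int = 20,
                    r2_preempt: bool = True) -> Optional[str]:
    """Constructed two-router group: R1 Active (110), R2 Standby (100).

    event: None (steady state), 'uplink' (R1's tracked uplink fails) or
    'lan' (R1's HSRP-facing interface fails, so its hellos stop).
    """
    r1 = HsrpRouter("R1", "R1:lan", priority=110, preempt=True,
                    tracked={"R1:uplink": r1_track_decrement})
    r2 = HsrpRouter("R2", "R2:lan", priority=100, preempt=r2_preempt)
    down = {None: set(), "uplink": {"R1:uplink"}, "lan": {"R1:lan"}}[event]
    return elect_active([r1, r2], "R1", down)


if __name__ == "__main__":
    print("steady state:              ", failover_result(None))
    print("uplink down, decrement 20: ", failover_result("uplink"))
    print("uplink down, decrement 5:  ", failover_result("uplink", 5))
    print("uplink down, no R2 preempt:", failover_result("uplink", 20, False))
    print("R1 LAN interface down:     ", failover_result("lan"))
```

Two checks worth running against a real config are visible in the model: the tracking decrement has to be larger than the priority gap between the routers (a decrement of 5 leaves R1 at 105, still above R2's 100, so nothing fails over), and the standby needs preempt configured or it will not take the role on a tracking event alone.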

Reza, 

Thanks for the quick reply.

I am using HSRP between R1 and R2 but it's for outgoing traffic. R3 has a default gateway of the VIP that R1 and R2 are using. R1 is the active. My question is more of when traffic is coming in from an ISP and you are trying to send it to internal hosts pointing back to the firewall, do you let BGP figure it out or make a static route? Right now I'm using a static route and advertising that network with BGP but I also made a backup static route using a higher metric in case the link goes down.

Hi,

I only use BGP between my routers and the providers. Then static only between firewall(s) (in your case r3) and the routers (r1 and r2). It works really well. In this setup, the only thing you need on r3 is a default route pointing to the VIP.

HTH
