marrj asked:
Multihomed Site Edge - Design Verification

I need help in verifying the legitimacy of a design for a multihomed Internet-facing site.  I have attached a Layer 3 diagram that has four routers with red labels and a fault-tolerant ASA 5515 (two ASAs configured in failover).  I have also attached the relevant configuration for each device.  I need someone to verify that this design will work as expected.

I plan on having two ISPs that I will advertise my public /24 subnet to.  Each ISP will advertise only a default route into my AS.  I want to achieve fault tolerance at all levels and avoid routing loops and "black holes".  I present two optional sections in the configs that pertain to load balancing.  One option is to use the round robin load balancing feature in the ASA to balance between both outbound routes.  The other option, mentioned in the edge configs, uses the weighted GLBP load balancing, allowing for weights, simpler ASA operation, and the use of a single, virtual gateway IP.  I'm liking this design over the ASA load balancer method.  Any opinions on this decision?  I also plan on running iBGP between the edge routers.

If it needs more explaining, let me know.
Visio-L3-Diagram.pdf
E1.txt
E2.txt
I1.txt
I2.txt
ASA.txt
marrj (ASKER):
I failed to mention that the two edge routers will be Cisco 2921 ISRs.
ASKER CERTIFIED SOLUTION
pgstephan
marrj (ASKER):
Thank you very much, pgstephan.  Here are my responses.

1. Ok, I have taken the loopbacks out of the neighborships with the ISPs.

2. I'm really not a huge fan of running NAT from my edge routers.  I think I will settle for an active/standby topology.  I do like the concept of splitting the /24 into two /25's, but I'm not sure I can sell it to my administration.  I like the idea of leveraging BGP prepend, but I'm reading some reports that claim it may not always work, depending on what your ISP will do with BGP path attributes like local pref.  What is your opinion on conditional advertisement? https://learningnetwork.cisco.com/docs/DOC-11860  I like the concept, but I'm having trouble wrapping my mind around how it would work with two edge routers.

3. Since I've settled for an active/standby config, I'm more than happy leveraging HSRP with tracking for failover.

4. How would such an access list look?  
(Block all traffic to WAN interface except TCP 179)
#access-list 101 permit tcp 11.11.11.2 11.11.11.1 eq 179
#interface gi0/0
#ip access-group 101 in

5. I can handle a default-route-only route map.  Could I essentially do the same thing with a prefix list?
(Block all inbound BGP-learned prefixes except default route to avoid RAM overload)
#ip prefix-list only-default seq 5 permit 0.0.0.0/0
#neighbor 11.11.11.2 prefix-list only-default in

6. Do I still need OSPF since I've settled for an active/standby?  I'd rather not complicate things if I don't have to.

7. Ok.  Makes sense.

8. I think I like the looks of active/standby and simplifying things with HSRP.  My main question at this point is how do I keep my prefix from being advertised to the standby ISP.

Once again, thank you very much for your input.
marrj (ASKER):
http://www.remiphilippe.fr/2010/04/05/bgp-conditional-advertisement/

What do you think about this guy's setup for two edge routers?
2. You're right AS-Prepend doesn't always work, because it really depends on your upstream providers. Instead of conditional advertisement, what you can also do is advertise to your primary provider 2 /25 blocks and a single /24 block to your secondary provider. That way the /25 will be always preferred over the /25 advertised by the secondary provider.
I had a bit of a read of your link about conditional advertisement; my problem with it is that you will only start advertising the prefix via BGP when you lose your primary connection. That's not quick enough, so I'd prefer the summary way (above).
You can also talk to your secondary carrier, some carriers can apply a certain policy by which when you advertise them a prefix with a specific community, they would only advertise it when they lose receiving your prefix via the primary provider.
4. Here is what you can use:
access-list 101 remark BGP from the peer, whichever side opens the session
access-list 101 permit tcp host 11.11.11.2 host 11.11.11.1 eq 179 log
access-list 101 permit tcp host 11.11.11.2 eq 179 host 11.11.11.1 log
access-list 101 remark nothing else may reach the router's WAN address
access-list 101 deny ip any host 11.11.11.1
access-list 101 remark drop packets arriving with private (RFC 1918) source addresses
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.31.255.255 any
access-list 101 permit ip any any

For the first couple of lines in the access-list, apply it for a couple of seconds and see how the BGP session is flowing, then delete the redundant line (the reason being that the BGP session between the 2 neighbors may be started from your router or your carrier's), and delete the log keyword from the line too.

5. Yes
6. No
marrj (ASKER):
I'm curious now that you mentioned that conditional advertising may not be fast enough.  About how long does it take to propagate a prefix with BGP?

I'm going to research BGP communities now.
marrj (ASKER):
I've attached revised configs for both E1 and E2, with changes per your recommendations.  I have decided to change from load sharing to active/standby with E1 and ISP1 being the active route.  I'm going to ask my ISPs about their use of local pref and BGP communities in their AS.  I hope to get by with as-prepend.

Would you mind taking a look at the new configs to make sure I'm still on the right track?

Thank you.
E1.txt
E2.txt
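The thread weighs AS-path prepending (which the asker hopes to get by with) against splitting the /24 into two /25s for the primary ISP, and the asker's concern is that an upstream's local preference can override a prepend. The Python example below is added here and is not code from the thread or from either poster. It models the BGP table of a remote router that hears the prefixes through both ISPs and applies the selection order a real router uses: longest prefix match first, then higher local preference, then shorter AS path. The block 203.0.113.0/24, the names ISP1/ISP2, the AS-path lengths and the local-preference values are constructed placeholders.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed view of the BGP table on a router elsewhere on the Internet that
# hears the customer's prefixes through both ISPs. The block 203.0.113.0/24, the
# names ISP1/ISP2, the AS-path lengths and the local-preference values are
# placeholders. Each route is (prefix, ISP it came through, local_pref, AS-path length).
Route = Tuple[ipaddress.IPv4Network, str, int, int]
BLOCK = "203.0.113.0/24"


def best_path(rib: List[Route], dst: str) -> Optional[str]:
    """Pick the route a router would use for dst.

    Longest prefix match happens first, because forwarding looks up the most
    specific prefix before any BGP attribute is compared. Among routes for the
    same prefix, the BGP decision process prefers higher local preference, and
    only then the shorter AS path (the attribute that prepending manipulates)."""
    addr = ipaddress.ip_address(dst)
    candidates = [(net.prefixlen, local_pref, -as_len, isp)
                  for net, isp, local_pref, as_len in rib if addr in net]
    return max(candidates)[3] if candidates else None


def rib_prefix_split(primary_up: bool, lp_secondary: int) -> List[Route]:
    """Two /25s announced via the primary ISP, the covering /24 via the secondary.
    The /24 is always present, so failover needs no conditional advertisement.
    The primary's routes are given the longer AS path on purpose."""
    rib = [(ipaddress.ip_network(BLOCK), "ISP2", lp_secondary, 2)]
    if primary_up:
        for sub in ipaddress.ip_network(BLOCK).subnets(new_prefix=25):
            rib.append((sub, "ISP1", 100, 3))
    return rib


def rib_prepend_only(primary_up: bool, lp_secondary: int) -> List[Route]:
    """The same /24 to both ISPs, the secondary's copy prepended three times."""
    rib = [(ipaddress.ip_network(BLOCK), "ISP2", lp_secondary, 2 + 3)]
    if primary_up:
        rib.append((ipaddress.ip_network(BLOCK), "ISP1", 100, 2))
    return rib


def exit_chosen(scenario: str, primary_up: bool, lp_secondary: int = 100,
                dst: str = "203.0.113.10") -> Optional[str]:
    """Which ISP inbound traffic for dst arrives through under each design.
    lp_secondary models an upstream that prefers the secondary ISP's route."""
    builders = {"split": rib_prefix_split, "prepend": rib_prepend_only}
    return best_path(builders[scenario](primary_up, lp_secondary), dst)


if __name__ == "__main__":
    for scenario in ("split", "prepend"):
        for lp in (100, 200):
            for up in (True, False):
                state = "primary up  " if up else "primary down"
                print(f"{scenario:8} local-pref {lp} {state}: "
                      f"traffic enters via {exit_chosen(scenario, up, lp)}")
```

With the default local preference both designs steer inbound traffic to ISP1 and fall back to ISP2 when the primary goes down. Raising the secondary route's local preference to 200 on the remote router flips the prepend-only design to ISP2 even while the primary is healthy, whereas the /25 split still lands on ISP1, because prefix length is decided before any BGP attribute is looked at. That is the reason the split is the more predictable of the two; its cost is that some carriers filter prefixes longer than /24, which is a question to put to both ISPs along with the local-pref and community questions the asker already plans to raise.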