Solved

Two Routers, One link to provider, HSRP + BGP

Posted on 2004-09-13
Last Modified: 2012-08-13
We have two routers running HSRP for redundancy, but need to set up BGP.  How would I go about setting this up?  We have only one link to our ISP.  Searching around I find tons of ways to set this up with multiple ISPs or links, but nothing for just one single link.  I really need this solved as fast as possible so I'm making it worth a lot of points.
Question by:lyleworthington
33 Comments
 
LVL 11

Expert Comment

by:PennGwyn
Comment Utility
How does the ISP link reach the routers?  Does it plug into a CSU/DSU, an ISP-provided router, or what?  In order for the ISP to decide which router to send traffic to, it needs to be able to get to either even if the other is down....

0
 
LVL 50

Expert Comment

by:Don Johnston
Comment Utility
If you only have one internet connection, why are you running HSRP? Do you have multiple routers connected to the one that has an internet connection?

Can you post a diagram?

-Don
0
 

Author Comment

by:lyleworthington
Comment Utility
The network looks like this:

Our Servers <-> Switch <-> Two Routers <-> Switch <-> uplink to ISP

Basically the ISP link comes into the uplink of the first switch, which then directs all traffic to the virtual IP, then passes through our router and into a switch to the rest of our network.
0
 
LVL 43

Expert Comment

by:JFrederick29
Comment Utility
I think you are going about this wrong.  If redundancy is your main concern, which I assume it is, your ISP's link is going to fail before one of the two routers.  Plus, you have a single point of failure beyond the two routers (the switch to your ISP).  With only one ISP, BGP is really unnecessary.

For optimal redundancy, you should have each router connect to a different ISP and then use BGP to advertise your network to both providers.  I'd suggest only receiving a default route from the ISPs and not the entire Internet routing tables.
0
 

Author Comment

by:lyleworthington
Comment Utility
I understand what you are saying but this just isn't an option for us.  We have only 1 ISP and they are providing only one link for us.  Minimizing the points of failure by providing another router in case one becomes overloaded (they aren't the most powerful routers) is what we are trying to accomplish.  Our ISP requires we run BGP.
0
 
LVL 3

Expert Comment

by:fatlad
Comment Utility
What exactly are you trying to achieve? If it is just redundancy in the routers, why not run HSRP on the Internet side and have secondary default gateways on the servers?

This will avoid dealing with BGP, especially since your routers are not very powerful.
0
 

Author Comment

by:lyleworthington
Comment Utility
Please read my last comment.
0
 

Author Comment

by:lyleworthington
Comment Utility
I will up this to 1000 points... I need someone to help me with this ASAP!
0
 
LVL 79

Expert Comment

by:lrmoore
Comment Utility
Assuming that each router has an ISP assigned IP address on the outside interface and a direct connection to the ISP, then simply enable BGP on both routers, given the information provided by the ISP. I can assume also that they will only give you a default route. You simply do not have the horsepower to run full BGP route tables, given your statement "they arent the most powerful routers".

On the inside, it won't matter how they get their default route. The issue you will have is with your HSRP and the "track" command. You need to track the interface events to determine which router should become primary. However, since both interfaces are Ethernet, connected to a switch between you and the ISP, you probably won't get an interface event. You'll want to look at some other mechanism to know when one router should be primary and what event will trigger a failover.

Have you looked into GLBP?
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a00801541c8.html
0
 
LVL 79

Expert Comment

by:lrmoore
Comment Utility
Perhaps I read the question wrong:
>Basically the ISP link comes into the uplink of the first switch which then directs all traffic to the virtual IP
So the HSRP is on the ISP side??

Is it also enabled on the LAN side for the clients?

0
 

Author Comment

by:lyleworthington
Comment Utility
No, the HSRP is on our routers.  Basically both interfaces will have a virtual IP and must track each other (I'm not 100% sure how to do this, I think it's something like)
standby 1 track fa 0/0
standby 1 track fa 1/0

where fa 0/0 is the external interface and fa 1/0 is the internal interface and both have their static and standby virtual IPs defined differently.

Is that the correct way to do it?  And if so, can I tell BGP to only send updates/keepalives from the virtual external IP, that way the backup router won't send updates as well?
0
 
LVL 79

Expert Comment

by:lrmoore
Comment Utility
The best way to do this is to have both routers participate in BGP and enable some other mechanism to track, or no track at all on the standby. If one router goes bad, the Ethernet port may stay up, therefore the track object won't change, no message to the other router to take over. The only way you will have failover is a total failure of the primary router.
Track serial works well, because typically you will lose a serial connection if a T1 goes down and the other router will take over.

You have HSRP enabled on both sides of your router?

                ISP
                 |
          HSRP Virtual IP
            _____|_____
            |         |
            R1        R2
            |         |
            -----|-----
              HSRP VIP
                 |
                LAN

If you enable BGP between both routers and the ISP, you won't need HSRP on the outside. The only thing left is to find something to track besides the interfaces. That's where I think GLBP would come in handy, because you can track route entries, not interfaces. If your R2 freezes up for whatever reason, and you are tracking route entries, then as soon as the routes drop out, even if the interface is still up (perhaps a switchport malfunction), then R1 becomes primary for all traffic.
0
 
LVL 3

Expert Comment

by:fatlad
Comment Utility
I was thinking about this last night, and I really can not see how you think that configuring a second router in parallel is going to be of benefit to you.

Normally you would have three major single points of failure (SPOF) in a web server design, excluding the servers themselves! These would be: the link to the Internet, the router and the switch between the router and the servers. Obviously at this level we are talking about the failure of a device as a whole; this may be caused by individual components going: PSU, CPU, interface etc. I am also discounting the use of a media converter from the link media to an Ethernet link as you do not mention one, although this would be another SPOF if it is used.

The most likely thing in this set up to fail is the line itself, it is made of relatively fragile copper or fibre run under the streets to your ISP. The water company, gas company or one of the umpteen other people who seem to routinely dig up the roads around my office could quite easily run a spade through and cause an outage.

The switch and the router one normally assumes to be relatively stable, as one has chosen a good manufacturer. However, once we have put in redundant links to the Internet these would be the next thing to change. As I said, a normal setup with one router and one switch would have two SPOF (for the hard of thinking, the router and the switch!). In your setup we still have two SPOF, two switches. Failure of one of the devices in either configuration would cause a loss of connectivity, so you are no better off.

On top of the number of SPOF remaining the same you are now proposing to add additional complexity to the configuration of not one but two routers, adding strain to the CPUs, increasing the effort to troubleshoot configurations in the event of a problem and the chances that an error is introduced during setup.

Overall I think you will be in a worse state, and more likely to suffer a significant disruption in service going down this road. You may be better configuring the second router with an identical configuration, and having it as a cold standby.

Just my two penneth worth, if you are determined to do this then see lrmoore’s post above on GLBP, which will achieve what you want to do.

Regards,

FatLad
0
 

Author Comment

by:lyleworthington
Comment Utility
People,

Sometimes in life you will end up at your job implementing something that someone else designed.  Do I feel this is the ideal way to do this?  No.  Do I have a choice?  No.  I have given you all the information.  We MUST use BGP (though we will use just a static route to our provider since our routers aren't very powerful).  I MUST set up HSRP and use both of these routers.  I have HSRP running on both interfaces, with one interface tracking the other as well, so if one of the interfaces goes down then the router will lower its priority and the backup will take over.  I understand all of the POF and I know there are many better ways to do this, but the fact remains that we have two not very powerful routers running a 100Mbps connection and having two in case one gets overloaded is better than just having one.  I worry much less about the switches because they are good switches, and even less about our ISP line going down as that would not be my fault :)

So please, help me solve this problem.
0
 
LVL 43

Expert Comment

by:JFrederick29
Comment Utility
Understood, but HSRP won't help you in this case as it does not load balance.  It sounds like you want both routers forwarding traffic to your ISP to split the work load between the two routers.  This is where GLBP (Gateway Load Balancing Protocol) would come in handy as lrmoore suggested.
0
 

Author Comment

by:lyleworthington
Comment Utility
I don't see the Cisco 3600 in the supported platform list on the page for GLBP, and also I can't find any of the commands listed (currently have version 12.2(17)).  Do I need to get 12.2T?  Are there any security issues involved in updating the IOS to that version?
0
 
LVL 43

Expert Comment

by:JFrederick29
Comment Utility
Checked Cisco's Software Advisor and it doesn't show support for GLBP either.

The only other thing I can think of, and if load balancing is more important to you than redundancy, is using a layer 3 switch in front of the two routers.  The layer 3 switch would become the default gateway for the LAN and it would have two equal cost default routes to the two routers.  You would need to setup static routes for your internal network(s) on the two routers.

Is the switch you are using now layer 3?

0
 

Author Comment

by:lyleworthington
Comment Utility
No, it's layer 2, but doesn't HSRP handle the case where one router is overloaded and then the other picks up anyway?  Or does it only monitor the state of the interface?  If GLBP isn't available for our router then we will have to just have the "if one router crashes and dies" redundancy using HSRP.
0
 
LVL 43

Expert Comment

by:JFrederick29
Comment Utility
HSRP is only for redundancy, if one router dies, the other one takes over the forwarding duties.  Only one router forwards at one time.

According to Cisco's Software Advisor GLBP isn't available for the 3600 series router.
0
 

Author Comment

by:lyleworthington
Comment Utility
OK, well then that is what we will have to settle for.  So back to the original question...

Do I just set up each router

router bgp <our as number>
network x.x.x.x mask x.x.x.x
neighbor x.x.x.x remote-as <their AS number>
^Z

and then have HSRP track each of the interfaces?
0
 
LVL 43

Expert Comment

by:JFrederick29
Comment Utility
More or less, yes.

You will configure the two 3600 routers as iBGP neighbors and eBGP neighbors with the ISP's router.  Make sure you only receive a default route from your ISP.

RouterA:

router bgp <your as number>
neighbor <3600b> remote-as <your as number>
neighbor <ISP router> remote-as <their AS number>
network <your network> mask <your mask>

RouterB:

router bgp <your as number>
neighbor <3600a> remote-as <your as number>
neighbor <ISP router> remote-as <their AS number>
network <your network> mask <your mask>
0
 

Author Comment

by:lyleworthington
Comment Utility
and the hsrp like this:

router A

int f0/0
standby track f0/1
standby preempt
standby priority 105
standby ip x.x.x.x

int f0/1
standby track f0/0
standby preempt
standby priority 105
standby ip x.x.x.x

router B

int f0/0
standby track f0/1
standby preempt
standby priority 100
standby ip x.x.x.x

int f0/1
standby track f0/0
standby preempt
standby priority 100
standby ip x.x.x.x

So that if one of the interfaces of A goes down, it and/or the other interface will notice it and reduce the priority by 10, causing the other router to take over, correct?  And then when the interface comes back its priority will return and it will preempt...?
0
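The tracking and preemption behaviour asked about in the post above, as an added example that is not part of the thread: a simplified election model (one group, no timers) using the posted priorities 105 and 100. The addresses 192.0.2.2 and 192.0.2.3 are constructed, and the decrement of 10 is the IOS default for `standby track` when no value is given.

```python
from dataclasses import dataclass, field

DEFAULT_DECREMENT = 10  # IOS default when "standby track" names no value


@dataclass
class HsrpRouter:
    name: str
    ip: str                  # real interface address, the priority tie-break
    priority: int            # configured "standby priority"
    preempt: bool = True
    tracked: dict = field(default_factory=dict)  # interface -> decrement
    link_up: dict = field(default_factory=dict)  # interface -> line protocol
    alive: bool = True       # False = sends no hellos (crash, power loss)

    def effective_priority(self):
        lost = sum(dec for ifc, dec in self.tracked.items()
                   if not self.link_up.get(ifc, True))
        return max(self.priority - lost, 0)


def _rank(r):
    # Higher priority wins; equal priorities fall back to the higher address.
    return (r.effective_priority(), tuple(int(o) for o in r.ip.split(".")))


def elect(routers, current_active=None):
    """Return the name of the active router after one election round."""
    speakers = [r for r in routers if r.alive]
    if not speakers:
        return None
    best = max(speakers, key=_rank)
    holder = next((r for r in speakers if r.name == current_active), None)
    if holder is None:
        return best.name          # nobody is currently sending active hellos
    if best is not holder and best.preempt and _rank(best) > _rank(holder):
        return best.name          # a better router may only take over with preempt
    return holder.name


def scenario(preempt_a=True):
    a = HsrpRouter("A", "192.0.2.2", 105, preempt=preempt_a,
                   tracked={"f0/1": DEFAULT_DECREMENT})
    b = HsrpRouter("B", "192.0.2.3", 100, tracked={"f0/1": DEFAULT_DECREMENT})
    routers, log = [a, b], []
    active = elect(routers)
    log.append(("start", active))
    a.link_up["f0/1"] = False     # tracked port on A loses line protocol: 105 -> 95
    active = elect(routers, active)
    log.append(("A f0/1 down", active))
    a.link_up["f0/1"] = True      # port returns: priority back to 105
    active = elect(routers, active)
    log.append(("A f0/1 restored", active))
    # Fault beyond the directly attached switch: A's ports stay up, so no
    # tracked state changes and HSRP has nothing to react to.
    active = elect(routers, active)
    log.append(("A upstream fault, links up", active))
    a.alive = False               # total failure of A: hellos stop
    active = elect(routers, active)
    log.append(("A dead", active))
    return log


if __name__ == "__main__":
    for event, active in scenario():
        print(f"{event:28s} active = {active}")
```
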
 

Author Comment

by:lyleworthington
Comment Utility
I tried setting up the iBGP like you said and then sh ip bgp gave me this:

BGP table version is 4, local router ID is x.x.0.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
* ix.x.0.0/20     x.x.0.2                0    100      0 i
*>                  0.0.0.0                  0         32768 i

The other router is the same, only with router 2 as the next hop for the network...  This seems like it would cause a routing loop...  Am I wrong?
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 250 total points
Comment Utility
GLBP does work with 3640...

C3640(config)#int eth 0/0                        
C3640(config-if)#gl?                    
glbp    

C3640(config-if)#glbp ?                      
  <0-1023>  Group number

C3640(config-if)#glbp 1 authen ?
  md5   MD5 authentication
  text  Plain text authentication

C3640(config-if)#glbp 1 authen text cisco
C3640(config-if)#glbp 1 priority 100
C3640(config-if)#glbp 1 load-balancing
C3640(config-if)#glbp 1 forw
C3640(config-if)#glbp 1 forwarder pre
C3640(config-if)#glbp 1 forwarder preempt del min 60
C3640(config-if)#glbp 1 load-balancing host-dependent
C3640(config-if)#

<etc>

sho ver - Enterprise PLUS IPSEC/FW
System image file is "flash:c3640-jk9o3s-mz.123-8.T.bin"

0
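The transcript above shows that a GLBP group accepts either `md5` or `text` authentication, and the HSRP configurations elsewhere in this thread carry no authentication line at all. As an added example (not from the thread), this check lists HSRP/GLBP groups in an IOS configuration that are unauthenticated or use a clear-text string; the sample configuration, its addresses and the key are constructed, and it assumes an IOS release that accepts `standby ... authentication md5`.

```python
import re

# Constructed sample: the first HSRP group mirrors the style of the thread's
# setup (no authentication line), the GLBP lines follow the transcript above,
# and the md5-protected group plus its key are made up for illustration.
SAMPLE = """\
interface FastEthernet0/0
 standby 1 ip 192.0.2.1
 standby 1 preempt
 standby 1 priority 105
interface FastEthernet0/1
 standby 2 ip 198.51.100.1
 standby 2 authentication md5 key-string EXAMPLE-KEY
interface Ethernet0/0
 glbp 1 authen text cisco
 glbp 1 priority 100
"""

# protocol, optional group number, sub-command keyword, first argument
LINE = re.compile(r"^\s*(standby|glbp)\s+(?:(\d+)\s+)?(\S+)(?:\s+(\S+))?", re.I)


def audit(config):
    """Map (interface, protocol, group) to 'none', 'text' or 'md5'."""
    groups = {}
    iface = None
    for line in config.splitlines():
        if line.lower().startswith("interface "):
            iface = line.split(None, 1)[1].strip()
            continue
        m = LINE.match(line)
        if not m or iface is None:
            continue
        proto, group, keyword, arg = m.groups()
        key = (iface, proto.lower(), int(group or 0))  # HSRP group defaults to 0
        groups.setdefault(key, "none")
        # IOS accepts unambiguous abbreviations such as "authen".
        kw = keyword.lower()
        if len(kw) >= 2 and "authentication".startswith(kw):
            # "authentication <string>" (older HSRP form) is also clear text.
            groups[key] = "md5" if (arg or "").lower() == "md5" else "text"
    return groups


def findings(config):
    """Groups whose hellos any host on the segment could read or forge."""
    return sorted(f"{iface} {proto} {group}: {state}"
                  for (iface, proto, group), state in audit(config).items()
                  if state != "md5")


if __name__ == "__main__":
    for item in findings(SAMPLE):
        print(item)
```
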
 

Author Comment

by:lyleworthington
Comment Utility
But we don't have 3640s, we have 3600s.
0
 
LVL 79

Expert Comment

by:lrmoore
Comment Utility
There are three 3600 models: 3620, 3640, 3660

The feature is not platform dependent, it is IOS version dependent. This is right out of the link I posted above:

Supported Platforms  
Cisco 1700 series, Cisco 2600 series, Cisco 3620, Cisco 3631, Cisco 3640, Cisco 3660
                                            ^^^^                    ^^^^        ^^^^

I stand by my belief that you do not need HSRP on the ISP-facing interfaces, just the BGP, and
Put HSRP on the LAN-facing interfaces only



0
 
LVL 11

Expert Comment

by:PennGwyn
Comment Utility
> We MUST use BGP (though we will use just a static route to our provider since our routers arent very powerful)

Well, if all you need to receive is a default route (and you can use a static for that), and you have a virtualized (HSRP) router address facing the ISP, then all your BGP connection needs to do is tell the ISP (and, through that, the Internet) that your internal public addresses lie behind that virtual router address.

router bgp NNNN
 neighbor X
 network a.b.c.d

where NNNN is your AS number, a.b.c.d is your public address block, and X is the IP address and AS number of the ISP's router (they'll need to give you that).  And a filter to keep you from learning any routes they send you:



> I MUST set up HSRP and use both of these routers.  I have HSRP running on both interfaces, with one interface tracking
> the other as well so if one of the interfaces goes down then the router will lower its priority and the backup will take over.  
> I understand all of the POF and I know there are many better ways to do this, but the fact remains that we have two not
> very powerful routers running a 100Mbps connection and having two in case one gets overloaded is better than just having
> one.

Routers drop packets when they're heavily loaded, but rarely fail.  If router A is being hit by traffic which causes it to fail, how long do you think B can carry that same traffic?  Answer:  It almost certainly can't, and will fail too.  ("Becoming overloaded" is not one of the failure scenarios that HSRP addresses.)

0
 
LVL 43

Assisted Solution

by:JFrederick29
JFrederick29 earned 250 total points
Comment Utility
I guess I missed the whole HSRP facing the ISP, I agree with lrmoore, HSRP is unnecessary when running BGP.  HSRP should only be used on the LAN side in this case, let BGP handle the ISP side.
0
 

Author Comment

by:lyleworthington
Comment Utility
We have to have a single IP peer with our ISP.

Here is the setup I got working.
router a:
int 0
 ip x.x.x.2 255.255.x.x
 standby 1 ip x.x.x.1
 standby 1 preempt
 standby 1 priority 105
 standby 1 track int 1

int 1
 ip y.y.y.2 255.255.y.y
 standby 2 ip y.y.y.1
 standby 2 preempt
 standby 2 priority 105
 standby 2 track int 0

router bgp zzzz
 network x.x.x.x mask u.u.u.u
 neighbor n.n.n.n remote-as r

router b
int 0
 ip x.x.x.3 255.255.x.x
 standby 1 ip x.x.x.1
 standby 1 preempt
 standby 1 priority 100
 standby 1 track int 1

int 1
 ip y.y.y.3 255.255.y.y
 standby 2 ip y.y.y.1
 standby 2 preempt
 standby 2 priority 100
 standby 2 track int 0

router bgp zzzz
 network x.x.x.x mask u.u.u.u
 neighbor n.n.n.n remote-as r


And this works fine - I've tested it pretty thoroughly now.  BTW, the iBGP thing didn't work - it was confusing the router into thinking the next hop for our network was through the standby router.


Thoughts?
0
 
LVL 43

Expert Comment

by:JFrederick29
Comment Utility
Well then why use BGP???  Why not just use a single default route?  If I'm missing something, someone please let me know...
0
 
LVL 3

Expert Comment

by:fatlad
Comment Utility
Even though I suggested using HSRP on the outside interface originally it was a replacement to BGP, not as an add on. You do NOT need to have standby configured on the outside interface.
0
 

Author Comment

by:lyleworthington
Comment Utility
Because, as I said plenty of times before, this is what our ISP requires.  Don't ask me why please, don't question it, it's just the way it is...  I'm sorry that our situation is not ideal, but the purpose of all this was to find a solution to my problem, not hear everyone tell me how wrong the setup is...
0
 

Author Comment

by:lyleworthington
Comment Utility
Well, no one really answered my question fully, so I'll split the points between JFrederick29 and lrmoore. Thanks everyone who posted here.
0
