Solved

Cisco HSRP / Extended VLAN / BGP questions

Posted on 2009-05-20
Last Modified: 2012-05-07
I am trying to connect with a vendor from the main site and the hot site via the vendor-provided Cisco VPN router in each site, behind the Cisco ASA 5500 DMZ interface.  Both sites have their own Internet T1 and they are MPLS-connected on the back end.

The goal is to connect server 1 (vendor's end) with server 2 (main site); however, during DR, server 1 will be routed to server 3 (hot site).  In addition, server 1 can be re-routed back to server 2 via MPLS from the hot site to the main site.

The options seem to be using HSRP with an extended VLAN across the two sites, or BGP.  There may be other options that I am not sure of.  Please advise.  We are an all-Cisco shop.

vendor server 1 = 10.10.10.10
main site server 2 = 172.16.1.10
hot site server 3 = 172.16.2.10

-main site-
vendor VPN router #1 (VR1) = 10.10.1.11
main site ASA firewall DMZ GW / subnet (FW1) = 10.10.1.1 / 24
main site ASA firewall LAN (FW1) = 172.16.1.254
main site MPLS router (MR1) = 172.16.1.1
main site 4600 layer3 switch (SW1) = 172.16.1.15 (VTP = transparent mode)
main site LAN GW / subnet = 172.16.1.15 / 24


-hot site-
vendor VPN router #2 (VR2) = 10.10.2.11
hot site ASA firewall DMZ GW / subnet (FW2) = 10.10.2.1 / 24
hot site ASA firewall LAN (FW2) = 172.16.2.254
hot site MPLS router (MR2) = 172.16.2.1
hot site 3700 layer3 switch (SW2) = 172.16.2.15 (VTP = transparent mode)
hot site LAN GW / subnet = 172.16.2.1 / 24

Please provide steps / show conf.
Question by: vto

9 Comments
 
Author Comment by: vto
Can someone give me an example of the Extended VLAN and/or HSRP?

Expert Comment by: Quori
HSRP creates a virtual IP address between two devices that sit on the same subnet. This is not what you have. Are you wanting to try and extend layer 2 out to the DR site so that you can have an appropriate failover scenario?

Author Comment by: vto
Quori - yes, I want to know if it is possible to extend the VLAN from main site DMZ subnet to hot site DMZ subnet.  Besides, I am not sure if HSRP can work in this scenario.  If not, I guess I have to look into BGP.  Please advise.

Expert Comment by: Brain2000
This is the same type of scenario we run, except we use a dedicated DS3 line between two locations and two separate ISPs for connectivity, one at each location.

BGP is the routing protocol we use for external advertisements.  If you don't have your own AS number, you'll have to use something like BGP confederation from your ISP.

Also, if you set it up right, and include technologies like OER, you can load balance and optimize the outbound traffic specific to each customer (i.e. they'll get assigned the gateway with the best ping time).

Author Comment by: vto
Brain2000 - Can you show me the example commands in your scenario?

Accepted Solution by: Brain2000 (earned 500 total points)
Here is a snippet of the setup on one of the border routers, with some obvious numbers obscured for security purposes.  We are advertising, for this example, 66.1.1.0/24 via BGP.  The two border routers (one located at each lab) advertise this number and have OER set up in border mode.  Here is a snippet of their setup:

! Loopback0: stable address used for iBGP peering and as this border's OER identity
interface Loopback0
 ip address 192.168.101.17 255.255.255.252
!
! Inside interface on the advertised /24
interface FastEthernet0/0
 description Verizon LAN
 ip address 66.1.1.1 255.255.255.0
 no ip redirects
 duplex full
!
! Internet-facing DS3; access list INBOUND filters what arrives from the ISP
interface Serial2/0
 description VERIZON CIRCUIT
 ip address 1.2.3.5 255.255.255.252
 ip access-group INBOUND in
 encapsulation ppp
 load-interval 30
 dsu bandwidth 44210
 framing c-bit
 cablelength 200
 serial restart-delay 0
!
! OSPF carries the loopbacks plus connected and static routes (including the
! tracked default) between sites so the iBGP peers can reach each other;
! the ISP circuit is passive so no OSPF hellos leave toward Verizon
router ospf 100
 log-adjacency-changes
 redistribute connected subnets
 redistribute static subnets
 passive-interface Serial2/0
 network 66.1.1.0 0.0.0.255 area 0
 default-information originate
!
! eBGP to Verizon (AS 701) filtered by the Verizon-In/Verizon-Out route-maps;
! iBGP peer group to the other routers, sourced from Loopback0
router bgp 26722
 no synchronization
 bgp always-compare-med
 bgp log-neighbor-changes
 bgp deterministic-med
 network 66.1.1.0 mask 255.255.255.0
 aggregate-address 66.1.1.0 255.255.255.0 summary-only
 neighbor iBGP_PEERS peer-group
 neighbor iBGP_PEERS remote-as 26722
 neighbor iBGP_PEERS update-source Loopback0
 neighbor 1.2.3.4 remote-as 701
 neighbor 1.2.3.4 route-map Verizon-In in
 neighbor 1.2.3.4 route-map Verizon-Out out
 neighbor 192.168.101.13 peer-group iBGP_PEERS
 neighbor 192.168.101.21 peer-group iBGP_PEERS
 neighbor 192.168.101.25 peer-group iBGP_PEERS
 default-metric 20
 no auto-summary
!
! ICMP echo to the ISP next hop every 5 seconds; tracked object 10 keeps the
! static default route installed only while the next hop answers
ip sla monitor 1
 type echo protocol ipIcmpEcho 1.2.3.4 source-interface Serial2/0
 frequency 5
!
ip sla monitor schedule 1 life forever start-time now
track 10 rtr 1 reachability
ip route 0.0.0.0 0.0.0.0 1.2.3.4 track 10
!
! Shared key authenticating this border to the OER master (type 7 is a
! reversible obfuscation of the key string, not encryption)
key chain OER
 key 1
  key-string 7 12345678
!
oer border
 local Loopback0
 active-probe address source interface FastEthernet0/0
 master 192.168.101.21 key-chain OER
!


I set up one of the non-border routers to act as the OER master.  In OER, you must have a master and then multiple borders.  The master controls and monitors all the OER borders to determine the best path.  Here is a snippet of the OER master setup:

! Same key chain as on the borders
key chain OER
 key 1
  key-string 7 12345678
!
! Each border is named by its Loopback0 address; inside interfaces are
! "internal", the ISP circuit is "external". The master learns the most
! active HTTP/HTTPS destination prefixes and moves them to the exit with
! the best delay, reconsidering every 180 seconds
oer master
 policy-rules OER_MON
 max-range-utilization percent 50
 !
 border 192.168.101.13 key-chain OER
  interface FastEthernet0/0 internal
  interface FastEthernet1/0 internal
  interface Serial2/1 internal
  interface Serial2/0.16 external
 !
 border 192.168.101.17 key-chain OER
  interface Serial2/1 internal
  interface FastEthernet1/0 internal
  interface FastEthernet0/0 internal
  interface Serial2/0 external
 !
 learn
  delay
  protocol tcp port 80 dst
  protocol tcp port 443 dst
  periodic-interval 0
  monitor-period 1
  prefixes 240
  expire after time 60
 loss relative 50
 mode route control
 mode select-exit best
 periodic 180
!
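Added example (not part of Brain2000's post): the border snippet above applies `route-map Verizon-In`, `route-map Verizon-Out` and the `INBOUND` access list but does not show them. One way to fill them in on the same router, reusing the peer 1.2.3.4 in AS 701, the WAN address 1.2.3.5 and the prefix 66.1.1.0/24 from the snippet. The prefix-list names ISP-IN and ISP-OUT, the password placeholder, the maximum-prefix figure and the reading of "subnets that are /16 and smaller" as prefixes no longer than /16 are assumptions:

```cisco
! Names ISP-IN, ISP-OUT and the password placeholder are assumed; peer 1.2.3.4,
! AS 701, WAN address 1.2.3.5 and prefix 66.1.1.0/24 come from the snippet above.
!
! Inbound prefix filter (referenced by route-map Verizon-In). Drop a default,
! our own prefix and RFC 1918 space arriving from the ISP, then accept only
! aggregates between /8 and /16 (one reading of "subnets that are /16 and
! smaller"; raise the le value if longer prefixes should be kept).
ip prefix-list ISP-IN seq 5 deny 0.0.0.0/0
ip prefix-list ISP-IN seq 10 deny 66.1.1.0/24 le 32
ip prefix-list ISP-IN seq 15 deny 10.0.0.0/8 le 32
ip prefix-list ISP-IN seq 20 deny 172.16.0.0/12 le 32
ip prefix-list ISP-IN seq 25 deny 192.168.0.0/16 le 32
ip prefix-list ISP-IN seq 30 permit 0.0.0.0/0 ge 8 le 16
!
! Outbound prefix filter (referenced by route-map Verizon-Out). Only the
! aggregate leaves; iBGP routes learned via the other site's ISP and the
! static default hit the implicit deny, so the AS never offers transit.
ip prefix-list ISP-OUT seq 5 permit 66.1.1.0/24
!
route-map Verizon-In permit 10
 match ip address prefix-list ISP-IN
!
route-map Verizon-Out permit 10
 match ip address prefix-list ISP-OUT
!
router bgp 26722
 ! TCP MD5 on the session and GTSM (peer must be one hop away, TTL 255)
 ! so an off-link host cannot spoof updates or reset the session.
 ! Both need the ISP to configure the matching side.
 neighbor 1.2.3.4 password <secret-agreed-with-ISP>
 neighbor 1.2.3.4 ttl-security hops 1
 ! Cap on accepted prefixes (figure assumed; size it from "show ip bgp summary"
 ! once the filter is in place). Tripping it means the inbound filter broke.
 neighbor 1.2.3.4 maximum-prefix 100000 80 warning-only
!
! Anti-spoofing ACL bound with "ip access-group INBOUND in" on Serial2/0
ip access-list extended INBOUND
 remark Our own prefix cannot legitimately arrive from the Internet
 deny   ip 66.1.1.0 0.0.0.255 any log
 remark Private and loopback source addresses are dropped at the edge
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 remark Only the ISP peer may talk BGP to us or answer the SLA probe
 permit tcp host 1.2.3.4 host 1.2.3.5 eq bgp
 permit tcp host 1.2.3.4 eq bgp host 1.2.3.5
 permit icmp host 1.2.3.4 host 1.2.3.5 echo-reply
 remark Nothing else may target the router's WAN address
 deny   ip any host 1.2.3.5 log
 remark Transit traffic to the advertised /24 passes; the firewalls
 remark behind the router apply the per-host policy
 permit ip any 66.1.1.0 0.0.0.255
```

Check the result with `show ip bgp neighbors 1.2.3.4 advertised-routes` (only 66.1.1.0/24 should appear) and `show ip bgp neighbors 1.2.3.4 received-routes` (no default, no prefix longer than /16). Two caveats on the posted config that this example does not change: the OER key chain is stored as type 7, which any `password 7` decoder reverses, so treat a shared running-config as disclosing that key; and the tracked default route plus `redistribute static subnets` means the default is announced into OSPF from both borders, which is intended here but is exactly the kind of route that the outbound prefix-list must keep away from the ISP session.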
 
Expert Comment by: Brain2000
I want to clarify one thing.  You may be wondering why I have a default route in there.  The reason for that is because we do not hold the full BGP table on our routers because it requires a lot of memory.  Instead, I only keep subnets that are /16 and smaller.  Therefore, both border routers advertise a default route so networks not in the BGP table will still exit via a border router.

My setup has OER injecting routes as follows:

1) If the customer IP address matches a route in the BGP table, OER will inject a BGP route matching the subnet size.  So for example, if I have a customer coming from 44.44.44.44, and there is a BGP route that is 44.44.0.0/16, OER will inject the BGP entry 44.44.0.0/16 to force the direction for the ENTIRE subnet.

2) If the IP address does not match a route in the BGP table, OER will inject a STATIC route with a /24 subnet size.  So for example, if I have a customer coming from 55.55.55.55, and there is not a BGP route that matches that address, OER will inject a STATIC route 55.55.55.0/24 to force the direction for that subnet.

3) If multiple customers are from the same subnet, OER will consider all the pings between them before making a decision on which gateway to utilize.  Therefore, you must be careful if you change the STATIC subnet size lower than /24, because you might get into a situation where some customers cannot access your site, regardless of which gateway OER chooses.

Author Comment by: vto
Thanks Brain2000.  I am working with the ISP to see if we can get the AS number.  But BGP seems to be doable in my case.  Thanks so much!

By the way, do you know about the VRRP and how it works?

Expert Comment by: Brain2000
VRRP and HSRP are both ways to have two routers set up so if one dies, the other one will take over as the gateway.  They are generally used on an Ethernet LAN.  Say you have 10 servers and one router on a LAN at a datacenter.  The router could have a gateway IP address of 192.168.0.1.  If that router dies suddenly, 192.168.0.1 is no longer there and you have downtime.  Now imagine you decide that you want a backup router to remedy this potential problem.  You could add a second router and set up HSRP or VRRP.  Then if one router dies, the other one will assume the gateway IP address of 192.168.0.1, and the 10 servers will still continue to be accessible.

Here is a link to someone comparing VRRP/HSRP:
http://www.ciscoblog.com/archives/2006/04/hsrp_vs_vrrp_vs.html
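Added example (not from Brain2000's post or the original question): a minimal HSRP pair for the 192.168.0.1 gateway in the description above, configured so that a host on that LAN cannot simply claim the virtual address. The interface names, the key chain HSRP-KEYS and its placeholder key, the priorities and the tracked uplink are assumptions:

```cisco
! Both routers share this key chain; HSRP version 2 authenticates every
! hello with MD5, so a host cannot claim the VIP by sending a higher priority.
key chain HSRP-KEYS
 key 1
  key-string <strong-shared-secret>
!
! ---- Router A: preferred active gateway ----
! Object 1 watches the uplink; if it drops, priority falls from 110 to 90,
! below router B's 100, and B preempts.
track 1 interface GigabitEthernet0/1 line-protocol
!
interface GigabitEthernet0/0
 description Server LAN (Router A)
 ip address 192.168.0.2 255.255.255.0
 standby version 2
 standby 1 ip 192.168.0.1
 standby 1 priority 110
 standby 1 preempt delay minimum 60
 standby 1 timers 1 3
 standby 1 authentication md5 key-chain HSRP-KEYS
 standby 1 track 1 decrement 20
!
! ---- Router B: standby, default priority 100 ----
interface GigabitEthernet0/0
 description Server LAN (Router B)
 ip address 192.168.0.3 255.255.255.0
 standby version 2
 standby 1 ip 192.168.0.1
 standby 1 preempt
 standby 1 timers 1 3
 standby 1 authentication md5 key-chain HSRP-KEYS
```

Verify with `show standby brief` on both routers: one reports Active and the other Standby, both for 192.168.0.1, and `standby 1 timers 1 3` means the failover completes within about three seconds. Without the `authentication md5` line, any host on the VLAN can send HSRPv2 hellos to 224.0.0.102 (UDP 1985) with priority 255 and become active, pulling every server's default-gateway traffic through itself; the shared key closes that off, and since the key is stored in both running configs, access to those configs is now part of the LAN's security boundary. Note also that HSRP only works when both routers sit on the same layer-2 segment, which is Quori's point earlier in the thread: the main-site and hot-site DMZs here are different subnets (10.10.1.0/24 and 10.10.2.0/24), so an HSRP pair across them would first require stretching that VLAN over the MPLS link.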
