Vic T asked:
Cisco HSRP / Extended VLAN / BGP questions

I am trying to connect with a vendor from the main site and hot site via the vendor-provided Cisco VPN router in each site behind the Cisco ASA 5500 DMZ interface.  Both sites have their own Internet T1 and they are MPLS connected in the backend.

The goal is to establish server 1 (vendor's end) with server 2 (main site); however, during DR, server 1 will be routed to server 3 (hot site).  In addition, server 1 can be re-routed back to server 2 via MPLS from the hot site to the main site.

The options seem to be using HSRP with an Extended VLAN across the two sites, or BGP.  There may be other options that I am not sure of.  Please advise.  We are an all-Cisco shop.

vendor server 1 = 10.10.10.10
main site server 2 = 172.16.1.10
hot site server 3 = 172.16.2.10

-main site-
vendor VPN router #1 (VR1) = 10.10.1.11
main site ASA firewall DMZ GW / subnet (FW1) = 10.10.1.1 / 24
main site ASA firewall LAN (FW1) = 172.16.1.254
main site MPLS router (MR1) = 172.16.1.1
main site 4600 layer3 switch (SW1) = 172.16.1.15 (VTP = transparent mode)
main site LAN GW / subnet = 172.16.1.15 / 24


-hot site-
vendor VPN router #2 (VR2) = 10.10.2.11
hot site ASA firewall DMZ GW / subnet (FW2) = 10.10.2.1 / 24
hot site ASA firewall LAN (FW2) = 172.16.2.254
hot site MPLS router (MR2) = 172.16.2.1
hot site 3700 layer3 switch (SW2) = 172.16.2.15 (VTP = transparent mode)
hot site LAN GW / subnet = 172.16.2.1 / 24

Please provide steps / show conf.
Vic T (ASKER):
Can someone give me an example of the Extended VLAN and/or HSRP?
HSRP creates a virtual IP address between two devices that sit on the same subnet. This is not what you have. Are you wanting to try and extend layer 2 out to the DR site so that you can have an appropriate failover scenario?
Vic T (ASKER):
Quori - yes, I want to know if it is possible to extend the VLAN from main site DMZ subnet to hot site DMZ subnet.  Besides, I am not sure if HSRP can work in this scenario.  If not, I guess I have to look into BGP.  Please advise.
This is the same type of scenario we run, except we use a dedicated DS3 line between the two locations and two separate ISPs for connectivity, one at each location.

BGP is the routing protocol we use for external advertisements.  If you don't have your own AS number, you'll have to use something like BGP confederation from your ISP.

Also, if you set it up right, and include technologies like OER, you can load balance and optimize the outbound traffic specific to each customer (i.e. they'll get assigned the gateway with the best ping time).
Vic T (ASKER):
Brain2000 - Can you show me the example commands in your scenario?
ASKER CERTIFIED SOLUTION (Brain2000):
I want to clarify one thing.  You may be wondering why I have a default route in there.  The reason for that is that we do not hold the full BGP table on our routers, because it requires a lot of memory.  Instead, I only keep subnets that are /16 and smaller.  Therefore, both border routers advertise a default route so that networks not in the BGP table will still exit via a border router.

My setup has OER injecting routes as follows:

1) If the customer IP address matches a route in the BGP table, OER will inject a BGP route matching the subnet size.  So for example, if I have a customer coming from 44.44.44.44, and there is a BGP route that is 44.44.0.0/16, OER will inject the BGP entry 44.44.0.0/16 to force the direction for the ENTIRE subnet.

2) If the IP address does not match a route in the BGP table, OER will inject a STATIC route with a /24 subnet size.  So for example, if I have a customer coming from 55.55.55.55, and there is not a BGP route that matches that address, OER will inject a STATIC route 55.55.55.0/24 to force the direction for that subnet.

3) If multiple customers are from the same subnet, OER will consider all the pings between them before making a decision on which gateway to utilize.  Therefore, you must be careful if you change the STATIC subnet size lower than /24, because you might get into a situation where some customers cannot access your site, regardless of which gateway OER chooses.
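The three injection rules above, modelled as an added example (this is not Brain2000's configuration or Cisco's OER code): the BGP table entries and customer addresses are constructed, and the static subnet size is a parameter so the effect of changing it from /24 (point 3) can be seen on which customers end up sharing one injected route.

```python
import ipaddress

# Constructed sample BGP table. As in the post, only /16 and more specific
# prefixes are held; the default route comes from the border routers.
BGP_TABLE = [
    "44.44.0.0/16",
    "44.44.100.0/24",   # a more specific prefix inside 44.44.0.0/16
    "66.66.0.0/16",
]

STATIC_PREFIX_LEN = 24  # size of the STATIC route OER injects (rule 2)


def best_bgp_match(customer_ip, bgp_table):
    """Longest-prefix match of customer_ip against the BGP table, or None."""
    ip = ipaddress.ip_address(customer_ip)
    matches = [ipaddress.ip_network(p) for p in bgp_table
               if ip in ipaddress.ip_network(p)]
    return max(matches, key=lambda n: n.prefixlen) if matches else None


def injected_route(customer_ip, bgp_table, static_len=STATIC_PREFIX_LEN):
    """Return (kind, prefix) that would be injected to steer this customer.

    Rule 1: a matching BGP prefix is injected at its own size.
    Rule 2: otherwise a STATIC route covering the customer at static_len.
    """
    match = best_bgp_match(customer_ip, bgp_table)
    if match is not None:
        return ("bgp", str(match))
    ip = ipaddress.ip_address(customer_ip)
    net = ipaddress.ip_network(f"{ip}/{static_len}", strict=False)
    return ("static", str(net))


def shared_injection_groups(customer_ips, bgp_table, static_len=STATIC_PREFIX_LEN):
    """Group customers by the route that steers them (rule 3).

    Everyone in one group is forced out the same gateway, so a shorter
    static_len widens the groups and raises the chance that one choice
    of gateway is wrong for some customer in the group.
    """
    groups = {}
    for cust in customer_ips:
        key = injected_route(cust, bgp_table, static_len)
        groups.setdefault(key, []).append(cust)
    return groups
```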
Vic T (ASKER):
Thanks Brain2000.  I am working with the ISP to see if we can get the AS number.  But BGP seems to be doable in my case.  Thanks so much!

By the way, do you know about VRRP and how it works?
VRRP and HSRP are both ways to have two routers set up so if one dies, the other one will take over as the gateway.  They are generally used on an Ethernet LAN.  Say you have 10 servers and one router on a LAN at a datacenter.  The router could have a gateway IP address of 192.168.0.1.  If that router dies suddenly, 192.168.0.1 is no longer there and you have downtime.  Now imagine you decide that you want a backup router to remedy this potential problem.  You could add a second router and set up HSRP or VRRP.  Then if one router dies, the other one will assume the gateway IP address of 192.168.0.1, and the 10 servers will still continue to be accessible.

Here is a link to someone comparing VRRP/HSRP:
http://www.ciscoblog.com/archives/2006/04/hsrp_vs_vrrp_vs.html