Veeam PN for Microsoft Azure is a FREE solution designed to simplify and automate the setup of a DR site in Microsoft Azure using lightweight software-defined networking. It reduces the complexity of VPN deployments and is designed for businesses of ALL sizes.
Solved
Cisco HSRP / Extended VLAN / BGP questions
Posted on 2009-05-20
I am trying to connect with a vendor from the main site and hot site via the vendor provided Cisco VPN router in each site behind the Cisco ASA 5500 DMZ interface. Both sites have its own Internet T1 and they are MPLS connected in the backend.
The goal is to establish the server 1 (vendor's end) with server 2 (main site); however, during DR, server 1 will be routed to server 3 (hot site). In addition, server 1 can be re-routed back to server 2 via MPLS from the hot site to main site.
The options seem to be using HSRP with Extended VLAN across two sites or BGP. There may be other options that I am not sure. Please advise. We are all Cisco shop.
vendor server 1 = 10.10.10.10
main site server 2 = 172.16.1.10
hot site server 3 = 172.16.2.10
-main site-
vendor VPN router #1 (VR1) = 10.10.1.11
main site ASA firewall DMZ GW / subnet (FW1) = 10.10.1.1 / 24
main site ASA firewall LAN (FW1) = 172.16.1.254
main site MPLS router (MR1) = 172.16.1.1
main site 4600 layer3 switch (SW1) = 172.16.1.15 (VTP = transparent mode)
main site LAN GW / subnet = 172.16.1.15 / 24
-hot site-
vendor VPN router #2 (VR2) = 10.10.2.11
hot site ASA firewall DMZ GW / subnet (FW2) = 10.10.2.1 / 24
hot site ASA firewall LAN (FW2) = 172.16.2.254
hot site MPLS router (MR2) = 172.16.2.1
hot site 3700 layer3 switch (SW2) = 172.16.2.15 (VTP = transparent mode)
hot site LAN GW / subnet = 172.16.2.1 / 24
Please provide steps / show conf.
The goal is to establish the server 1 (vendor's end) with server 2 (main site); however, during DR, server 1 will be routed to server 3 (hot site). In addition, server 1 can be re-routed back to server 2 via MPLS from the hot site to main site.
The options seem to be using HSRP with Extended VLAN across two sites or BGP. There may be other options that I am not sure. Please advise. We are all Cisco shop.
vendor server 1 = 10.10.10.10
main site server 2 = 172.16.1.10
hot site server 3 = 172.16.2.10
-main site-
vendor VPN router #1 (VR1) = 10.10.1.11
main site ASA firewall DMZ GW / subnet (FW1) = 10.10.1.1 / 24
main site ASA firewall LAN (FW1) = 172.16.1.254
main site MPLS router (MR1) = 172.16.1.1
main site 4600 layer3 switch (SW1) = 172.16.1.15 (VTP = transparent mode)
main site LAN GW / subnet = 172.16.1.15 / 24
-hot site-
vendor VPN router #2 (VR2) = 10.10.2.11
hot site ASA firewall DMZ GW / subnet (FW2) = 10.10.2.1 / 24
hot site ASA firewall LAN (FW2) = 172.16.2.254
hot site MPLS router (MR2) = 172.16.2.1
hot site 3700 layer3 switch (SW2) = 172.16.2.15 (VTP = transparent mode)
hot site LAN GW / subnet = 172.16.2.1 / 24
Please provide steps / show conf.
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
4
-
4
9 Comments
HSRP creates a virtual IP address between two devices that sit on the same subnet. This is not what you have. Are you wanting to try and extend layer 2 out to the DR site so that you can have an appropriate failover scenario?
Active 2 days ago
Quori - yes, I want to know if it is possible to extend the VLAN from main site DMZ subnet to hot site DMZ subnet. Besides, I am not sure if HSRP can work in this scenario. If not, I guess I have to look into BGP. Please advise.
This is the same type of scenario we run, except we use a dedicated DS3 line between two locations and two separate ISP's for connectivity, one at each location.
BGP is the routing protocol we use for external advertisements. If you don't have your own AS number, you'll have to use something like BGP confederation from your ISP.
Also, if you set it up right, and include technologies like OER, you can load balance and optimize the outbound traffic specific to each customer (i.e. they'll get assigned the gateway with the best ping time).
BGP is the routing protocol we use for external advertisements. If you don't have your own AS number, you'll have to use something like BGP confederation from your ISP.
Also, if you set it up right, and include technologies like OER, you can load balance and optimize the outbound traffic specific to each customer (i.e. they'll get assigned the gateway with the best ping time).
Here is a snippet of the setup on one of the border routers, with some obvious numbers obscured for security purposes. We are advertising, for this example, 66.1.1.0/24 via BGP. The two border routers (one located at each lab) advertises this number and has OER set up in border mode. Here is a snippet of their setup:
interface Loopback0
ip address 192.168.101.17 255.255.255.252
!
interface FastEthernet0/0
description Verizon LAN
ip address 66.1.1.1 255.255.255.0
no ip redirects
duplex full
!
interface Serial2/0
description VERIZON CIRCUIT
ip address 1.2.3.5 255.255.255.252
ip access-group INBOUND in
encapsulation ppp
load-interval 30
dsu bandwidth 44210
framing c-bit
cablelength 200
serial restart-delay 0
!
router ospf 100
log-adjacency-changes
redistribute connected subnets
redistribute static subnets
passive-interface Serial2/0
network 66.1.1.0 0.0.0.255 area 0
default-information originate
!
router bgp 26722
no synchronization
bgp always-compare-med
bgp log-neighbor-changes
bgp deterministic-med
network 66.1.1.0 mask 255.255.255.0
aggregate-address 66.1.1.0 255.255.255.0 summary-only
neighbor iBGP_PEERS peer-group
neighbor iBGP_PEERS remote-as 26722
neighbor iBGP_PEERS update-source Loopback0
neighbor 1.2.3.4 remote-as 701
neighbor 1.2.3.4 route-map Verizon-In in
neighbor 1.2.3.4 route-map Verizon-Out out
neighbor 192.168.101.13 peer-group iBGP_PEERS
neighbor 192.168.101.21 peer-group iBGP_PEERS
neighbor 192.168.101.25 peer-group iBGP_PEERS
default-metric 20
no auto-summary
!
ip sla monitor 1
type echo protocol ipIcmpEcho 1.2.3.4 source-interface Serial2/0
frequency 5
!
ip sla monitor schedule 1 life forever start-time now
track 10 rtr 1 reachability
ip route 0.0.0.0 0.0.0.0 1.2.3.4 track 10
key chain OER
key 1
key-string 7 12345678
!
oer border
local Loopback0
active-probe address source interface FastEthernet0/0
master 192.168.101.21 key-chain OER
!
I set up one of the non-border routers to act as the OER master. In OER, you must have a master and then multiple borders. The master controls and monitors all the OER borders to determine the best path. Here is a snippet of the OER master setup:
key chain OER
key 1
key-string 7 12345678
oer master
policy-rules OER_MON
max-range-utilization percent 50
!
border 192.168.101.13 key-chain OER
interface FastEthernet0/0 internal
interface FastEthernet1/0 internal
interface Serial2/1 internal
interface Serial2/0.16 external
!
border 192.168.101.17 key-chain OER
interface Serial2/1 internal
interface FastEthernet1/0 internal
interface FastEthernet0/0 internal
interface Serial2/0 external
!
learn
delay
protocol tcp port 80 dst
protocol tcp port 443 dst
periodic-interval 0
monitor-period 1
prefixes 240
expire after time 60
loss relative 50
mode route control
mode select-exit best
periodic 180
!
interface Loopback0
ip address 192.168.101.17 255.255.255.252
!
interface FastEthernet0/0
description Verizon LAN
ip address 66.1.1.1 255.255.255.0
no ip redirects
duplex full
!
interface Serial2/0
description VERIZON CIRCUIT
ip address 1.2.3.5 255.255.255.252
ip access-group INBOUND in
encapsulation ppp
load-interval 30
dsu bandwidth 44210
framing c-bit
cablelength 200
serial restart-delay 0
!
router ospf 100
log-adjacency-changes
redistribute connected subnets
redistribute static subnets
passive-interface Serial2/0
network 66.1.1.0 0.0.0.255 area 0
default-information originate
!
router bgp 26722
no synchronization
bgp always-compare-med
bgp log-neighbor-changes
bgp deterministic-med
network 66.1.1.0 mask 255.255.255.0
aggregate-address 66.1.1.0 255.255.255.0 summary-only
neighbor iBGP_PEERS peer-group
neighbor iBGP_PEERS remote-as 26722
neighbor iBGP_PEERS update-source Loopback0
neighbor 1.2.3.4 remote-as 701
neighbor 1.2.3.4 route-map Verizon-In in
neighbor 1.2.3.4 route-map Verizon-Out out
neighbor 192.168.101.13 peer-group iBGP_PEERS
neighbor 192.168.101.21 peer-group iBGP_PEERS
neighbor 192.168.101.25 peer-group iBGP_PEERS
default-metric 20
no auto-summary
!
ip sla monitor 1
type echo protocol ipIcmpEcho 1.2.3.4 source-interface Serial2/0
frequency 5
!
ip sla monitor schedule 1 life forever start-time now
track 10 rtr 1 reachability
ip route 0.0.0.0 0.0.0.0 1.2.3.4 track 10
key chain OER
key 1
key-string 7 12345678
!
oer border
local Loopback0
active-probe address source interface FastEthernet0/0
master 192.168.101.21 key-chain OER
!
I set up one of the non-border routers to act as the OER master. In OER, you must have a master and then multiple borders. The master controls and monitors all the OER borders to determine the best path. Here is a snippet of the OER master setup:
key chain OER
key 1
key-string 7 12345678
oer master
policy-rules OER_MON
max-range-utilization percent 50
!
border 192.168.101.13 key-chain OER
interface FastEthernet0/0 internal
interface FastEthernet1/0 internal
interface Serial2/1 internal
interface Serial2/0.16 external
!
border 192.168.101.17 key-chain OER
interface Serial2/1 internal
interface FastEthernet1/0 internal
interface FastEthernet0/0 internal
interface Serial2/0 external
!
learn
delay
protocol tcp port 80 dst
protocol tcp port 443 dst
periodic-interval 0
monitor-period 1
prefixes 240
expire after time 60
loss relative 50
mode route control
mode select-exit best
periodic 180
!
I want to clarify one thing. You may be wondering why I have a default route in there. The reason for that is because we do not hold the full BGP table on our routers because it requires a lot of memory. Instead, I only keep subnets that are /16 and smaller. Therefore, both border routers advertise a default route so networks not in the BGP table will still exist a border router.
My setup has OER injecting routes as follows:
1) If the customer IP address matches a route in the BGP table, OER will inject a BGP route matching the subnet size. So for example, if I have a customer coming from 44.44.44.44, and there is a BGP route that is 44.44.0.0/16, OER will inject the BGP entry 44.44.0.0/16 to force the direction for the ENTIRE subnet.
2) If the IP address does not match a route in the BGP table, OER will inject a STATIC route with a /24 subnet size. So for example, if I have a customer coming from 55.55.55.55, and there is not a BGP route that matches that address, OER will inject a STATIC route 55.55.55.0/24 to force the direction for that subnet.
3) If multiple customers are from the same subnet, OER will consider all the pings between them before making a decision on which gateway to utilize. Therefore, you must be careful if you change the STATIC subnet size lower than /24, because you might get into a situation where some customers cannot access your site, regardless of which gateway OER chooses.
My setup has OER injecting routes as follows:
1) If the customer IP address matches a route in the BGP table, OER will inject a BGP route matching the subnet size. So for example, if I have a customer coming from 44.44.44.44, and there is a BGP route that is 44.44.0.0/16, OER will inject the BGP entry 44.44.0.0/16 to force the direction for the ENTIRE subnet.
2) If the IP address does not match a route in the BGP table, OER will inject a STATIC route with a /24 subnet size. So for example, if I have a customer coming from 55.55.55.55, and there is not a BGP route that matches that address, OER will inject a STATIC route 55.55.55.0/24 to force the direction for that subnet.
3) If multiple customers are from the same subnet, OER will consider all the pings between them before making a decision on which gateway to utilize. Therefore, you must be careful if you change the STATIC subnet size lower than /24, because you might get into a situation where some customers cannot access your site, regardless of which gateway OER chooses.
Active 2 days ago
Thanks Brain2000. I am working with the ISP to see if we can get the AS number. But BGP seems to be doable in my case. Thanks so much!
By the way, do you know about the VRRP and how it works?
By the way, do you know about the VRRP and how it works?
VRRP and HSRP are both ways to have two routers set up so if one dies, the other one will take over as the gateway. They are generally used on an Ethernet LAN. Say you have 10 servers and one router on a LAN at a datacenter. The router could have a gateway IP address of 192.168.0.1. If that router dies suddenly, 192.168.0.1 is no longer there and you have downtime. Now imagine you decide that you want a backup router to remedy this potential problem. You could add a second router and set up HSRP or VRRP. Then if one router dies, the other one will assume the gateway IP address of 192.168.0.1, and the 10 servers will still continue to be accessible.
Here is a link to someone comparing VRRP/HSRP:
http://www.ciscoblog.com/archives/2006/04/hsrp_vs_vrrp_vs.html
Here is a link to someone comparing VRRP/HSRP:
http://www.ciscoblog.com/archives/2006/04/hsrp_vs_vrrp_vs.html
Featured Post
ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.
One of a set of tools we're offering as a way to say thank you for being a part of the community.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Microservice architecture adoption brings many advantages, but can add intricacy. Selecting the right orchestration tool is most important for business specific needs.
Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses
Course of the Month9 days, 11 hours left to enroll
610 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.