Guest speaker Dean Davison, Forrester Principal Consultant, explains how a Fortune 500 communication company using xMatters found these results: Achieved a 261% ROI, Experienced $753,280 in net present value benefits over 3 years and Reduced MTTR by 91% for tier 1 incidents.
Course Of The Month
7 days, 19 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Cisco HSRP / Extended VLAN / BGP questions
Posted on 2009-05-20
I am trying to connect with a vendor from the main site and hot site via the vendor provided Cisco VPN router in each site behind the Cisco ASA 5500 DMZ interface. Both sites have its own Internet T1 and they are MPLS connected in the backend.
The goal is to establish the server 1 (vendor's end) with server 2 (main site); however, during DR, server 1 will be routed to server 3 (hot site). In addition, server 1 can be re-routed back to server 2 via MPLS from the hot site to main site.
The options seem to be using HSRP with Extended VLAN across two sites or BGP. There may be other options that I am not sure. Please advise. We are all Cisco shop.
vendor server 1 = 10.10.10.10
main site server 2 = 172.16.1.10
hot site server 3 = 172.16.2.10
-main site-
vendor VPN router #1 (VR1) = 10.10.1.11
main site ASA firewall DMZ GW / subnet (FW1) = 10.10.1.1 / 24
main site ASA firewall LAN (FW1) = 172.16.1.254
main site MPLS router (MR1) = 172.16.1.1
main site 4600 layer3 switch (SW1) = 172.16.1.15 (VTP = transparent mode)
main site LAN GW / subnet = 172.16.1.15 / 24
-hot site-
vendor VPN router #2 (VR2) = 10.10.2.11
hot site ASA firewall DMZ GW / subnet (FW2) = 10.10.2.1 / 24
hot site ASA firewall LAN (FW2) = 172.16.2.254
hot site MPLS router (MR2) = 172.16.2.1
hot site 3700 layer3 switch (SW2) = 172.16.2.15 (VTP = transparent mode)
hot site LAN GW / subnet = 172.16.2.1 / 24
Please provide steps / show conf.
The goal is to establish the server 1 (vendor's end) with server 2 (main site); however, during DR, server 1 will be routed to server 3 (hot site). In addition, server 1 can be re-routed back to server 2 via MPLS from the hot site to main site.
The options seem to be using HSRP with Extended VLAN across two sites or BGP. There may be other options that I am not sure. Please advise. We are all Cisco shop.
vendor server 1 = 10.10.10.10
main site server 2 = 172.16.1.10
hot site server 3 = 172.16.2.10
-main site-
vendor VPN router #1 (VR1) = 10.10.1.11
main site ASA firewall DMZ GW / subnet (FW1) = 10.10.1.1 / 24
main site ASA firewall LAN (FW1) = 172.16.1.254
main site MPLS router (MR1) = 172.16.1.1
main site 4600 layer3 switch (SW1) = 172.16.1.15 (VTP = transparent mode)
main site LAN GW / subnet = 172.16.1.15 / 24
-hot site-
vendor VPN router #2 (VR2) = 10.10.2.11
hot site ASA firewall DMZ GW / subnet (FW2) = 10.10.2.1 / 24
hot site ASA firewall LAN (FW2) = 172.16.2.254
hot site MPLS router (MR2) = 172.16.2.1
hot site 3700 layer3 switch (SW2) = 172.16.2.15 (VTP = transparent mode)
hot site LAN GW / subnet = 172.16.2.1 / 24
Please provide steps / show conf.
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
4
-
4
9 Comments
HSRP creates a virtual IP address between two devices that sit on the same subnet. This is not what you have. Are you wanting to try and extend layer 2 out to the DR site so that you can have an appropriate failover scenario?
Quori - yes, I want to know if it is possible to extend the VLAN from main site DMZ subnet to hot site DMZ subnet. Besides, I am not sure if HSRP can work in this scenario. If not, I guess I have to look into BGP. Please advise.
This is the same type of scenario we run, except we use a dedicated DS3 line between two locations and two separate ISP's for connectivity, one at each location.
BGP is the routing protocol we use for external advertisements. If you don't have your own AS number, you'll have to use something like BGP confederation from your ISP.
Also, if you set it up right, and include technologies like OER, you can load balance and optimize the outbound traffic specific to each customer (i.e. they'll get assigned the gateway with the best ping time).
BGP is the routing protocol we use for external advertisements. If you don't have your own AS number, you'll have to use something like BGP confederation from your ISP.
Also, if you set it up right, and include technologies like OER, you can load balance and optimize the outbound traffic specific to each customer (i.e. they'll get assigned the gateway with the best ping time).
Here is a snippet of the setup on one of the border routers, with some obvious numbers obscured for security purposes. We are advertising, for this example, 66.1.1.0/24 via BGP. The two border routers (one located at each lab) advertises this number and has OER set up in border mode. Here is a snippet of their setup:
interface Loopback0
ip address 192.168.101.17 255.255.255.252
!
interface FastEthernet0/0
description Verizon LAN
ip address 66.1.1.1 255.255.255.0
no ip redirects
duplex full
!
interface Serial2/0
description VERIZON CIRCUIT
ip address 1.2.3.5 255.255.255.252
ip access-group INBOUND in
encapsulation ppp
load-interval 30
dsu bandwidth 44210
framing c-bit
cablelength 200
serial restart-delay 0
!
router ospf 100
log-adjacency-changes
redistribute connected subnets
redistribute static subnets
passive-interface Serial2/0
network 66.1.1.0 0.0.0.255 area 0
default-information originate
!
router bgp 26722
no synchronization
bgp always-compare-med
bgp log-neighbor-changes
bgp deterministic-med
network 66.1.1.0 mask 255.255.255.0
aggregate-address 66.1.1.0 255.255.255.0 summary-only
neighbor iBGP_PEERS peer-group
neighbor iBGP_PEERS remote-as 26722
neighbor iBGP_PEERS update-source Loopback0
neighbor 1.2.3.4 remote-as 701
neighbor 1.2.3.4 route-map Verizon-In in
neighbor 1.2.3.4 route-map Verizon-Out out
neighbor 192.168.101.13 peer-group iBGP_PEERS
neighbor 192.168.101.21 peer-group iBGP_PEERS
neighbor 192.168.101.25 peer-group iBGP_PEERS
default-metric 20
no auto-summary
!
ip sla monitor 1
type echo protocol ipIcmpEcho 1.2.3.4 source-interface Serial2/0
frequency 5
!
ip sla monitor schedule 1 life forever start-time now
track 10 rtr 1 reachability
ip route 0.0.0.0 0.0.0.0 1.2.3.4 track 10
key chain OER
key 1
key-string 7 12345678
!
oer border
local Loopback0
active-probe address source interface FastEthernet0/0
master 192.168.101.21 key-chain OER
!
I set up one of the non-border routers to act as the OER master. In OER, you must have a master and then multiple borders. The master controls and monitors all the OER borders to determine the best path. Here is a snippet of the OER master setup:
key chain OER
key 1
key-string 7 12345678
oer master
policy-rules OER_MON
max-range-utilization percent 50
!
border 192.168.101.13 key-chain OER
interface FastEthernet0/0 internal
interface FastEthernet1/0 internal
interface Serial2/1 internal
interface Serial2/0.16 external
!
border 192.168.101.17 key-chain OER
interface Serial2/1 internal
interface FastEthernet1/0 internal
interface FastEthernet0/0 internal
interface Serial2/0 external
!
learn
delay
protocol tcp port 80 dst
protocol tcp port 443 dst
periodic-interval 0
monitor-period 1
prefixes 240
expire after time 60
loss relative 50
mode route control
mode select-exit best
periodic 180
!
interface Loopback0
ip address 192.168.101.17 255.255.255.252
!
interface FastEthernet0/0
description Verizon LAN
ip address 66.1.1.1 255.255.255.0
no ip redirects
duplex full
!
interface Serial2/0
description VERIZON CIRCUIT
ip address 1.2.3.5 255.255.255.252
ip access-group INBOUND in
encapsulation ppp
load-interval 30
dsu bandwidth 44210
framing c-bit
cablelength 200
serial restart-delay 0
!
router ospf 100
log-adjacency-changes
redistribute connected subnets
redistribute static subnets
passive-interface Serial2/0
network 66.1.1.0 0.0.0.255 area 0
default-information originate
!
router bgp 26722
no synchronization
bgp always-compare-med
bgp log-neighbor-changes
bgp deterministic-med
network 66.1.1.0 mask 255.255.255.0
aggregate-address 66.1.1.0 255.255.255.0 summary-only
neighbor iBGP_PEERS peer-group
neighbor iBGP_PEERS remote-as 26722
neighbor iBGP_PEERS update-source Loopback0
neighbor 1.2.3.4 remote-as 701
neighbor 1.2.3.4 route-map Verizon-In in
neighbor 1.2.3.4 route-map Verizon-Out out
neighbor 192.168.101.13 peer-group iBGP_PEERS
neighbor 192.168.101.21 peer-group iBGP_PEERS
neighbor 192.168.101.25 peer-group iBGP_PEERS
default-metric 20
no auto-summary
!
ip sla monitor 1
type echo protocol ipIcmpEcho 1.2.3.4 source-interface Serial2/0
frequency 5
!
ip sla monitor schedule 1 life forever start-time now
track 10 rtr 1 reachability
ip route 0.0.0.0 0.0.0.0 1.2.3.4 track 10
key chain OER
key 1
key-string 7 12345678
!
oer border
local Loopback0
active-probe address source interface FastEthernet0/0
master 192.168.101.21 key-chain OER
!
I set up one of the non-border routers to act as the OER master. In OER, you must have a master and then multiple borders. The master controls and monitors all the OER borders to determine the best path. Here is a snippet of the OER master setup:
key chain OER
key 1
key-string 7 12345678
oer master
policy-rules OER_MON
max-range-utilization percent 50
!
border 192.168.101.13 key-chain OER
interface FastEthernet0/0 internal
interface FastEthernet1/0 internal
interface Serial2/1 internal
interface Serial2/0.16 external
!
border 192.168.101.17 key-chain OER
interface Serial2/1 internal
interface FastEthernet1/0 internal
interface FastEthernet0/0 internal
interface Serial2/0 external
!
learn
delay
protocol tcp port 80 dst
protocol tcp port 443 dst
periodic-interval 0
monitor-period 1
prefixes 240
expire after time 60
loss relative 50
mode route control
mode select-exit best
periodic 180
!
I want to clarify one thing. You may be wondering why I have a default route in there. The reason for that is because we do not hold the full BGP table on our routers because it requires a lot of memory. Instead, I only keep subnets that are /16 and smaller. Therefore, both border routers advertise a default route so networks not in the BGP table will still exist a border router.
My setup has OER injecting routes as follows:
1) If the customer IP address matches a route in the BGP table, OER will inject a BGP route matching the subnet size. So for example, if I have a customer coming from 44.44.44.44, and there is a BGP route that is 44.44.0.0/16, OER will inject the BGP entry 44.44.0.0/16 to force the direction for the ENTIRE subnet.
2) If the IP address does not match a route in the BGP table, OER will inject a STATIC route with a /24 subnet size. So for example, if I have a customer coming from 55.55.55.55, and there is not a BGP route that matches that address, OER will inject a STATIC route 55.55.55.0/24 to force the direction for that subnet.
3) If multiple customers are from the same subnet, OER will consider all the pings between them before making a decision on which gateway to utilize. Therefore, you must be careful if you change the STATIC subnet size lower than /24, because you might get into a situation where some customers cannot access your site, regardless of which gateway OER chooses.
My setup has OER injecting routes as follows:
1) If the customer IP address matches a route in the BGP table, OER will inject a BGP route matching the subnet size. So for example, if I have a customer coming from 44.44.44.44, and there is a BGP route that is 44.44.0.0/16, OER will inject the BGP entry 44.44.0.0/16 to force the direction for the ENTIRE subnet.
2) If the IP address does not match a route in the BGP table, OER will inject a STATIC route with a /24 subnet size. So for example, if I have a customer coming from 55.55.55.55, and there is not a BGP route that matches that address, OER will inject a STATIC route 55.55.55.0/24 to force the direction for that subnet.
3) If multiple customers are from the same subnet, OER will consider all the pings between them before making a decision on which gateway to utilize. Therefore, you must be careful if you change the STATIC subnet size lower than /24, because you might get into a situation where some customers cannot access your site, regardless of which gateway OER chooses.
Thanks Brain2000. I am working with the ISP to see if we can get the AS number. But BGP seems to be doable in my case. Thanks so much!
By the way, do you know about the VRRP and how it works?
By the way, do you know about the VRRP and how it works?
VRRP and HSRP are both ways to have two routers set up so if one dies, the other one will take over as the gateway. They are generally used on an Ethernet LAN. Say you have 10 servers and one router on a LAN at a datacenter. The router could have a gateway IP address of 192.168.0.1. If that router dies suddenly, 192.168.0.1 is no longer there and you have downtime. Now imagine you decide that you want a backup router to remedy this potential problem. You could add a second router and set up HSRP or VRRP. Then if one router dies, the other one will assume the gateway IP address of 192.168.0.1, and the 10 servers will still continue to be accessible.
Here is a link to someone comparing VRRP/HSRP:
http://www.ciscoblog.com/archives/2006/04/hsrp_vs_vrrp_vs.html
Here is a link to someone comparing VRRP/HSRP:
http://www.ciscoblog.com/archives/2006/04/hsrp_vs_vrrp_vs.html
Featured Post
Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!
Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!
Act now. This offer ends July 14, 2017.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
AWS has developed and created its highly available global infrastructure allowing users to deploy and manage their estates all across the world through the use of the following geographical components
Â
RegionsAvailability ZonesEdge LocationsÂ
Wh…
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses
Course of the Month7 days, 19 hours left to enroll
728 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.