Solved

Advertising the same static route via BGP on active / standby HSRP devices: Problem?

Posted on 2010-08-26
Last Modified: 2012-05-10
I have 2 6509s in an HSRP pair (SW1 and SW2). They are iBGP peers and each has a connection to a pair of firewalls (FW1 and FW2). Only one firewall is active. I want to create a static route on SW1 and SW2 that points to the firewall to get to a certain network. And I want to redistribute that static route.

Currently, both SW1 and SW2 have static routes configured, but they are not redistributed. So I am going to redistribute the single static route using a route-map.

I am relatively new to BGP and I can't get my head around what is going to happen when I configure this. Assuming FW1 is active, then the connection between FW2 and SW2 is dead, and this would mean that the static route would not be redistributed by the "standby" SW2. I don't have an easy way to lab this up. Can someone provide some insight?

Thanks,
Steve
Question by:SteveJ

Accepted Solution

by:
bjove earned 500 total points
ID: 33538069
First you have to configure BGP. It is independent of the HSRP configuration toward the firewalls. Just enter a static route for the network you want to announce with BGP on SW1 and SW2, and configure BGP. You should now have your network announced and the default network learned from your ISPs.
Then configure HSRP on the network towards the FWs. Enter a default route on the FW pointing to the virtual IP of the HSRP group.
Keep in mind that SW2 is "standby" only towards PIX, not towards ISP.

Author Comment

by:SteveJ
ID: 33538603
bjove,

Thanks for your comments. Actually, this isn't an internet facing pair of 6509s, this is part of a very large complex network. The active / standby HSRP config that I mentioned ONLY has to do with this particular firewall. (There are approx. 30 HSRP configs on this 6509.) Also, BGP is already configured and SW1 and SW2 are iBGP peers. My concern is configuring a static route on the standby HSRP for this particular subnet. I don't know the BGP behavior for redistributing a static route to an iBGP peer. I am looking for a very specific kind of answer because I don't have the time or luxury to do any testing (this is an HA site and through circumstance there's no way to lab test this). I will simply have to configure it and see what happens. I'm not very comfortable with that. And it's a pair (FW1 and FW2) of Juniper SSG 520m, actually, not a PIX.

Thanks,
Steve

Expert Comment

by:bjove
ID: 33539845
You can read in the attached document that this is the recommended solution. See 'Single Site Multi Homing' Chapter. 4.
Data-Center-Networking.pdf

Author Closing Comment

by:SteveJ
ID: 33649530
Thanks for your comments. I was asking specifically what will happen when an active / passive HSRP pair both announce (or if they would both announce) a static route. That question wasn't really answered; however, the link provided some food for thought.

Thanks. Hope you aren't offended by a B.

Expert Comment

by:bjove
ID: 33649932
I'm glad if I helped. About concerns with HSRP – HSRP is important only for outbound traffic (from FW towards SW1 & SW2). For incoming traffic (SW1 & SW2 to PIX) it will be forwarded to PIX by the SW that received the traffic, no matter which SW is Active. So, if SW1 is Active, and both (SW1 and SW2) announce the static route toward the FW, then if SW2 receives some incoming traffic it will forward it to the FW.
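
The setup discussed in this thread (the same static route on SW1 and SW2, redistributed into BGP through a route-map), written out as an added Cisco IOS example that is not from any of the posters. The prefix, next hop, AS number and the names FW-NET and STATIC-TO-BGP are placeholders, and it assumes classic IOS syntax where redistribution sits directly under `router bgp`.

```cisco
! Constructed example: prefix, next hop and AS number are placeholders.
! The same block is applied on SW1 and on SW2.
!
! Static route to the network behind the firewalls. The next hop
! (placeholder 192.0.2.10) stands for the firewall address on the
! subnet the switches share with FW1/FW2.
ip route 198.51.100.0 255.255.255.0 192.0.2.10
!
! Match only this one prefix. Any other static route falls through to
! the route-map's implicit deny and is not redistributed.
ip prefix-list FW-NET seq 5 permit 198.51.100.0/24
!
route-map STATIC-TO-BGP permit 10
 match ip address prefix-list FW-NET
!
router bgp 65000
 redistribute static route-map STATIC-TO-BGP
!
! Checks to run on each switch after the change:
!   show ip route 198.51.100.0 255.255.255.0   (is the static route installed?)
!   show ip bgp 198.51.100.0 255.255.255.0     (is the prefix in the BGP table?)
```

BGP redistributes a static route only while that route is installed in the routing table, which depends on the next hop being resolvable on that switch, not on the switch's HSRP state. Running the two `show` commands on both switches shows directly whether each one is originating the prefix.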