Advertising the same static route via BGP on active / standby HSRP devices: Problem?

Posted on 2010-08-26
Last Modified: 2012-05-10
I have 2 6509s in an HSRP pair (SW1 and SW2). They are iBGP peers and each has a connection to a pair of firewalls (FW1 and FW2). Only one firewall is active. I want to create a static route on SW1 and SW2 that points to the firewall to get to a certain network. And I want to redistribute that static route.

Currently, both SW1 and SW2 have static routes configured, but they are not redistributed. So I am going to redistribute the single static route using a route-map.

I am relatively new to BGP and I can't get my head around what is going to happen when I configure this. Assuming FW1 is active, then the connection between FW2 and SW2 is dead, and this would mean that the static route would not be redistributed by the "standby" SW2. I don't have an easy way to lab this up. Can someone provide some insight?

Thanks,
Steve
0
Question by:SteveJ
5 Comments
 
LVL 4

Accepted Solution

by:
bjove earned 1500 total points
ID: 33538069
First you have to configure BGP. It is independent of the HSRP configuration toward the firewalls. Just enter a static route for the network you want to announce with BGP on SW1 and SW2, and configure BGP. You should now have your network announced and default network learned from your ISPs.
Then configure HSRP on the network towards the FWs. Enter a default route on the FW pointing to the virtual IP of the HSRP group.
Keep in mind that SW2 is "standby" only towards the PIX, not towards the ISP.
0
 
LVL 16

Author Comment

by:SteveJ
ID: 33538603
bjove,

Thanks for your comments. Actually, this isn't an internet-facing pair of 6509s; this is part of a very large, complex network. The active / standby HSRP config that I mentioned ONLY has to do with this particular firewall. (There are approx. 30 HSRP configs on this 6509.) Also, BGP is already configured and SW1 and SW2 are iBGP peers. My concern is configuring a static route on the standby HSRP for this particular subnet. I don't know the BGP behavior for redistributing a static route to an iBGP peer. I am looking for a very specific kind of answer because I don't have the time or luxury (this is an HA site and through circumstance there's no way to lab test this) to do any testing. I will simply have to configure it and see what happens. I'm not very comfortable with that. And it's a pair (FW1 and FW2) of Juniper SSG 520m, actually, not a PIX.

Thanks,
Steve
0
 
LVL 4

Expert Comment

by:bjove
ID: 33539845
You can read in the attached document that this is the recommended solution. See 'Single Site Multi Homing' Chapter. 4.
Data-Center-Networking.pdf
0
 
LVL 16

Author Closing Comment

by:SteveJ
ID: 33649530
Thanks for your comments. I was asking specifically what will happen when an active / passive HSRP pair both announce (or if they would both announce) a static route. That question wasn't really answered; however, the link provided some food for thought.

Thanks. Hope you aren't offended by a B.
0
 
LVL 4

Expert Comment

by:bjove
ID: 33649932
I'm glad if I helped. About concerns with HSRP – HSRP is important only for outbound traffic (from FW towards SW1 & SW2). For incoming traffic (SW1 & SW2 to PIX) it will be forwarded to the PIX by the SW that received the traffic, no matter which SW is Active. So, if SW1 is Active, and both (SW1 and SW2) announce the static route toward the FW, then if SW2 receives some incoming traffic it will forward it to the FW.
0