Solved

Advertising the same static route via BGP on active / standby  HSRP devices: Problem?

Posted on 2010-08-26
Last Modified: 2012-05-10
I have 2 6509s in an HSRP pair (SW1 and SW2). They are iBGP peers and each has a connection to a pair of firewalls (FW1 and FW2). Only one firewall is active. I want to create a static route on SW1 and SW2 that points to the firewall to get to a certain network. And I want to redistribute that static route.

Currently, both SW1 and SW2 have static routes configured, but they are not redistributed. So I am going to redistribute the single static route using a route-map.

I am relatively new to BGP and I can't get my head around what is going to happen when I configure this. Assuming FW1 is active, then the connection between FW2 and SW2 is dead, and this would mean that the static route would not be redistributed by the "standby" SW2. I don't have an easy way to lab this up. Can someone provide some insight?

Thanks,
Steve
Question by:SteveJ
Accepted Solution

by:
bjove earned 500 total points
ID: 33538069
First you have to configure BGP. It is independent of the HSRP configuration toward the firewalls. Just enter a static route for the network you want to announce with BGP on SW1 and SW2, and configure BGP. You should now have your network announced and the default network learned from your ISPs.
Then configure HSRP on the network towards the FWs. Enter a default route on the FW pointing to the virtual IP of the HSRP group.
Keep in mind that SW2 is "standby" only towards the PIX, not towards the ISP.

Author Comment

by:SteveJ
ID: 33538603
bjove,

Thanks for your comments. Actually, this isn't an internet-facing pair of 6509s; this is part of a very large, complex network. The active / standby HSRP config that I mentioned ONLY has to do with this particular firewall. (There are approx. 30 HSRP configs on this 6509.) Also, BGP is already configured and SW1 and SW2 are iBGP peers. My concern is configuring a static route on the standby HSRP for this particular subnet. I don't know the BGP behavior for redistributing a static route to an iBGP peer. I am looking for a very specific kind of answer because I don't have the time or luxury (this is an HA site and through circumstance there's no way to lab test this) to do any testing. I will simply have to configure it and see what happens. I'm not very comfortable with that. And it's a pair (FW1 and FW2) of Juniper SSG 520m, actually, not a PIX.

Thanks,
Steve

Expert Comment

by:bjove
ID: 33539845
You can read in the attached document that this is the recommended solution. See 'Single Site Multi Homing' Chapter. 4.
Data-Center-Networking.pdf

Author Closing Comment

by:SteveJ
ID: 33649530
Thanks for your comments. I was asking specifically what will happen when an active / passive HSRP pair both announce (or if they would both announce) a static route. That question wasn't really answered; however, the link provided some food for thought.

Thanks. Hope you aren't offended by a B.

Expert Comment

by:bjove
ID: 33649932
I'm glad if I helped. About concerns with HSRP – HSRP is important only for outbound traffic (from FW towards SW1 & SW2). For incoming traffic (SW1 & SW2 to PIX) it will be forwarded to PIX by the SW that received the traffic, no matter which SW is Active. So, if SW1 is Active, and both (SW1 and SW2) announce the static route toward the FW, then if SW2 receives some incoming traffic it will forward it to the FW.
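The setup discussed in this thread (the same static route on SW1 and SW2, redistributed into BGP through a route-map), sketched as Cisco IOS configuration. This is an added example, not configuration posted by any participant; the AS number, prefix, next-hop address and the names FW-NET and STATIC-TO-BGP are constructed placeholders.

```cisco
! Constructed values (assumptions, not from the thread):
!   AS 65000, network behind the firewalls 192.0.2.0/24,
!   firewall next hop 198.51.100.1.
! The same block is entered on both SW1 and SW2.
!
! Static route toward the firewall for the protected network.
ip route 192.0.2.0 255.255.255.0 198.51.100.1
!
! Match only that one prefix, so no other static route leaks into BGP.
ip prefix-list FW-NET seq 10 permit 192.0.2.0/24
!
! A route-map ends with an implicit deny: anything not matched
! by FW-NET is not redistributed.
route-map STATIC-TO-BGP permit 10
 match ip address prefix-list FW-NET
!
router bgp 65000
 redistribute static route-map STATIC-TO-BGP
!
! Checks to run on each switch after the change:
!   show ip route 192.0.2.0    (is the static route installed?)
!   show ip bgp 192.0.2.0      (is the prefix in the BGP table,
!                               locally originated and/or learned
!                               from the iBGP peer?)
! Only a static route that is installed in the routing table is
! redistributed, so the first command shows whether a given switch
! can originate the prefix at all.
```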