New BGP Router Sizing

Our company is in the process of setting up redundant ISP connections with BGP routing and I need help deciding which Cisco router model is powerful enough to handle the task.

FYI, I’m not a dedicated networking guy – I’m just the person that’s done it the most, and so am elected by default.  I’ve been managing our ISP connections for many years, but BGP is totally new to me.

We’re a small software consulting company with about 20 users.  We do a lot of work over the Internet supporting our clients via VPN, remote desktop, etc., and also have a small (but hopefully growing) business hosting apps at our site.  After some recent episodes where our ISP connection was down, we decided to get a second ISP connection.  I’ve also been setting up a redundant switch layout on our LAN, using spanning tree, so as to eliminate as many single points of failure as possible.

Currently, we have two bonded T1s for 3Mbps of bandwidth.  This is normally enough bandwidth for our needs.  It only starts bogging down if someone fires up a large software download or something during the work day.  The new ISP is to be a 10Mbps fiber connection.

We’re using a Cisco ASA 5505 as our firewall.  As an indication of our typical traffic load, this firewall seldom gets over 10% CPU usage.  Traffic generally runs about 1 – 2 Mbps usage during the day.

My tentative plans call for a pair of Cisco 2901 routers in a HSRP failover configuration, each with 2GB of RAM.

Are the 2901 routers likely to handle BGP routing in this scenario, with some room for growth?

Secondly, we have a second ASA 5505 that I planned to set up in a failover configuration with the first.  However, I’ve recently discovered that the 5505 doesn’t support STP, making my redundant switch plans unworkable.

Other than buy a pair of ASA 5510s, one option to address this issue is to use the firewall capabilities of the Cisco routers rather than using separate firewalls.  I’m attracted to this idea, not only to save in hardware costs, but to simplify our setup by eliminating two pieces of equipment.  I just don’t know how practical it is in our situation.

In researching this, the two major objections I’ve read are 1) you should separate the routing and firewall functions to keep configuration errors in the one from affecting the other, and 2) the extra demand of enforcing firewall rules may be too much for a BGP router.  As for the first objection, I understand the advice, but am not sure whether this overrides the advantage of simplifying our setup.

As for the performance objection, I’m finding it hard to believe that the new 2901 routers would choke on a set of firewall rules that the little ASA 5505 handles with 10% CPU usage.  It seems to me that if that extra task pushes the router over the line, it doesn’t have enough horsepower for BGP routing to begin with.

One wrinkle is that currently, the only VPN connection to the firewall is a single site-to-site IPSec connection.  There are plans to expand this to about 5 or so.

Any advice would be greatly appreciated.


John Meggers, Network Architect, Commented:
For clarification, when you say "redundant ISP connections with BGP routing" do you mean you will be using two ISPs and you want to use BGP to optimally route what traffic should go to which ISP?  If that's the case, then you need to run a full Internet routing table in your router and a 2901 is NOT going to be powerful enough.  If you're just using the routers to dual-connect and you will advertise your internal networks to each ISP, and use what I'll characterize as "load sharing" between the ISPs, then a 2901 should be enough for you.  Running BGP on a router is not necessarily a resource hog, but in your case I would strongly suggest limiting the BGP routes received from the ISP to only a default route.

There are a lot of nuances in your other question.  My take is IOS firewall (or zone-based firewall) has gotten a lot better in recent years, but it's still not quite the same as running a stateful, dedicated hardware firewall.  I don't have much experience with performance of the 2901 so I don't feel qualified to comment on that aspect.  My gut feeling is ZBF is a lot more resource intensive than running BGP with a limited routing table.  I also suspect there are things the 5505 does in hardware that the 2900 may not, which could mean your assumption about ASA performance and its implications for the 2901 may be wrong.  It's also possible there are "gotchas" in running ZBF in conjunction with HSRP that may make that a poor choice to begin with, so I would definitely investigate that to make sure you aren't setting yourself up for failure.

I think for me, I would not be inclined to put all of that functionality (BGP routing, ZBF, HSRP) on a 2901.  I would expect BGP with a limited routing table and HSRP would be OK together, but I would be leery of adding the overhead of ZBF on that platform and expecting it to perform as you need it.  At least not without some lab testing to determine what kind of performance you could expect.
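What the default-route-only design above looks like in IOS, added here as an illustration and not taken from the answer or from any vendor example. Every ASN, address and interface name is a placeholder from the documentation ranges: the site is AS 64512 announcing 203.0.113.0/24, the fiber ISP peers from 192.0.2.1 in AS 64496, and the second router (which holds the T1 session) is 10.0.0.2 on the LAN.

```cisco
! Router 1 (fiber ISP side). Placeholder ASNs, prefixes and addresses.
ip prefix-list OUR-PREFIX seq 5 permit 203.0.113.0/24
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
router bgp 64512
 bgp log-neighbor-changes
 ! Originate only our own block; the Null0 static below keeps it in the RIB
 network 203.0.113.0 mask 255.255.255.0
 ! eBGP session to the fiber ISP
 neighbor 192.0.2.1 remote-as 64496
 neighbor 192.0.2.1 description FIBER-ISP
 ! Accept nothing but 0.0.0.0/0 from the ISP: no full table to hold, so a
 ! small router is not asked to carry hundreds of thousands of prefixes
 neighbor 192.0.2.1 prefix-list DEFAULT-ONLY in
 ! Announce only our block, so a slip never turns us into a transit path
 neighbor 192.0.2.1 prefix-list OUR-PREFIX out
 ! Tear the session down if the ISP ever leaks more than a handful of routes
 neighbor 192.0.2.1 maximum-prefix 10
 ! iBGP to the second router, so each learns the other's ISP default and
 ! falls back to it when its own eBGP session drops
 neighbor 10.0.0.2 remote-as 64512
 neighbor 10.0.0.2 next-hop-self
!
ip route 203.0.113.0 255.255.255.0 Null0
!
! Track the ISP-facing link so HSRP can hand the gateway to Router 2
track 1 interface GigabitEthernet0/0 line-protocol
!
! LAN side: hosts use one gateway address; this router is preferred because
! its own eBGP default (fiber) beats the iBGP default learned from Router 2
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 standby 1 ip 10.0.0.254
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 1 decrement 20
```

Router 2 mirrors this with its own ISP's ASN and addresses and a lower HSRP priority; note that line-protocol tracking only catches a dead handoff, not an ISP that is up but black-holing, which is why the iBGP-learned default matters as the second layer of fallback.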

We have 2xT1 and are looking to expand to a fiber drop too.  But, both ISPs want us to use our own router with full tables...they (of course) won't provide equipment to support another ISP.  The fiber ISP recommended a used Cisco dealer that would reduce the costs from $30K+ down to half or perhaps less.  That was still a big chunk of change, so looking at alternatives.

Due to the costs of devices that can handle full routing tables, we're looking at Vyatta.  There is a free community edition of their software you can install on your own re-purposed x86 hardware.  Or, you can buy the commercial software, or their own hardware.  Base router is 6-port, and comes in very cheap...about the cost of a new 1u server with a 4-port NIC.

The consensus is that a core-i3 is more than enough power.  I might be able to do it with an older P4 and 2GB of RAM, since we are not a high-bandwidth data center.  The heaviest traffic is user surfing, and an off-site backup project that is single address...not a whole lot of routing going on.  Just passing the packets through.
TerryMott, Author, Commented:
Thanks for the reply.

By "redundant ISP connections with BGP routing", I meant a full Internet routing table.  That's not a strict requirement, mind you -- it's what I found instructions for setting up in the routing book I have, so that's the direction I headed down.

Sounds like full BGP routing may be overkill for our needs, which boil down to 1) transparent Internet access in and out when either connection is down, and 2) use the new 10Mbps connection in preference to the 3Mbps one.  I guess I could do this with static default routes giving the fiber connection a lower cost so all outbound traffic goes that way unless it's down, but I'd like to see both pipes be used to some degree if feasible.

When you write "load sharing", is that a configuration where the router sends some traffic through each ISP, not based on actual ASN hops in the routing table, but via round-robin or somesuch approach?  Can it be biased to semi-load-balance the two ISPs (so more traffic goes down the 10Mbps connection)?

I take your point about the 5505 maybe doing some things in hardware.  I hadn't considered that.

Thanks again.

TerryMott, Author, Commented:

Thanks for the pointer.  I'd heard of Vyatta, but haven't done much research.  I'll look into them further.
The theory is that dedicated iron (and ASICs) can do a faster job than software+CPU, especially when it comes to DDoS or constant high numbers of connections.  The 5500 series was suggested for full routing tables, but the acquisition costs are 10x of what I have mentally budgeted.
TerryMott, Author, Commented:
Ok, guys, I've been boning up on BGP partial and default routes, and think I have at least a partial (heh) handle on things.

Assuming I stay with Cisco routers, and abandon the ZBF idea, what current model router would be the minimum recommended model to, say, load BGP routes for only my ISPs and their immediate customers (my peers and their peers)?  Should a 2901 handle that?  If not, how about a 2911 or 2921?

How much RAM is recommended for this scenario?

Thanks again.
TerryMott, Author, Commented:
As an aside re: the firewall issue, I've been digging into the documentation on the ASA 5505 failover configuration.  If I'm reading and understanding it correctly, it seems like I can get around the lack of STP support in the 5505 by a judicious use of interface monitoring.

If I connect the 5505s each to a different switch in my redundant switch pair and monitor those interfaces as part of the failover configuration, if the switch having the primary ASA connected to it dies, the firewalls should fail over to the backup ASA, skirting around the failed switch.  I'd need to do this for the redundant switches in both the internal and DMZ zones.

Anyone see any problems with this plan?  Am I at least in the ballpark (go Rangers) of a plan here?
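The interface-monitoring plan above as ASA configuration, added here as an illustration and not from anyone in the thread. Addresses and VLAN numbers are placeholders; it assumes a 5505 with the Security Plus license (needed for active/standby failover and for a third VLAN), with the failover link carried on a VLAN because the 5505 has no dedicated failover port.

```cisco
! Primary ASA 5505 (placeholder addresses). The secondary unit carries the
! same config, replicated over the failover link, except "failover lan unit secondary".
failover lan unit primary
! A dedicated VLAN carries failover hellos; put one switchport in Vlan3 on each unit
failover lan interface FOLINK Vlan3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
!
! Every monitored interface needs a standby address: the units test each
! other's standby IP to decide whether a link (or the switch behind it) is dead
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.10 255.255.255.0 standby 10.0.0.11
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.0.2.10 255.255.255.0 standby 192.0.2.11
!
interface Vlan5
 nameif dmz
 security-level 50
 ip address 172.16.0.10 255.255.255.0 standby 172.16.0.11
!
! Watch the links into the inside and DMZ switch pairs. If the switch the
! primary is cabled to dies, its monitored interfaces fail and the unit with
! more healthy interfaces becomes active, which is the STP-less workaround
monitor-interface inside
monitor-interface dmz
monitor-interface outside
! One failed monitored interface is enough to trigger failover
failover interface-policy 1
! Faster hellos so a dead switch is noticed in seconds rather than tens of seconds
failover polltime interface 1 holdtime 5
!
failover
```

The 5505 does not keep connection state across a failover, so existing sessions (including the site-to-site IPsec tunnel) re-establish rather than survive the switch; plan the maintenance window and the VPN peer's dead-peer detection accordingly.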
I think you have no reason to exchange full BGP updates with your ISP, you just need to send to ISP your prefixes and receive from ISP a default route. You can accomplish all these things with 2 routers 1900 ( running iBGP between them ). I suppose that you have a main connection, and a backup one, and you don't want to load balance between them.
TerryMott, Author, Commented:
I'm closing this out, since it's getting no input.  jmeggers' post helped me understand things better, but I still have as many questions as answers.