Solved

Multihomed Site Edge - Design Verification

Posted on 2013-06-24
10
853 Views
Last Modified: 2013-10-15
I need help in verifying the legitimacy of a design for a multihomed Internet-facing site.  I have attached a Layer 3 diagram that has four routers with red labels and a fault-tolerant ASA 5515 (two ASAs configured in failover).  I have also attached the relevant configuration for each device.  I need someone to verify that this design will work as expected.

I plan on having two ISPs that I will advertise my public /24 subnet to.  Each ISP will advertise only a default route into my AS.  I want to achieve fault tolerance at all levels and avoid routing loops and "black holes".  I present two optional sections in the configs that pertain to load balancing.  One option is to use the round robin load balancing feature in the ASA to balance between both outbound routes.  The other option, mentioned in the edge configs, uses the weighted GLBP load balancing, allowing for weights, simpler ASA operation, and the use of a single, virtual gateway IP.  I'm liking this design over the ASA load balancer method.  Any opinions on this decision?  I also plan on running iBGP between the edge routers.

If it needs more explaining, let me know.
Visio-L3-Diagram.pdf
E1.txt
E2.txt
I1.txt
I2.txt
ASA.txt
Question by:marrj
LVL 1

Author Comment

by:marrj
I failed to mention that the two edge routers will be Cisco 2921 ISRs.
LVL 6

Accepted Solution

by:
pgstephan earned 500 total points
Hi mate,

1) The BGP neighborship towards your ISP better not use your loopback as source IP address. Because that means your loopback will need to have a public IP address that is routable on the Internet, or even with a static route on your adjacent internet router at the provider. I would just delete the line of "update-source loopback" and just peer with your IP address on your outgoing WAN interface (as the source for the BGP neighborship).
2) You cannot really publish your public /24 range to the 2 internet service providers equally because you will run into an asymmetric routing issue. What I would propose is to either run with an active/passive scenario between the 2 internet service providers where you will advertise the /24 to both providers but AS-prepend on the secondary ISP you chose. The better solution will be to split the /24 into 2 /25s and advertise them to both providers and again play with AS-prepend to make the 2 prefixes (one primary and the other secondary on each router) and so on.
The problem here will be that you will need to source NAT on your routers instead of doing source based routing on your firewalls.
3) Now you need to choose a way forward to automate your failover between the 2 providers:
a) one way is to run an OSPF area behind the internet routers and with the firewall where you will redistribute the default route you receive from the carriers so the firewall will know which one to fail to when it loses connectivity.
b) the alternative will be to use 2 HSRP groups on the LAN interface of the routers, which will track your BGP neighborship towards the service providers.
4) You need to configure an access-list on your WAN inbound interface on the routers to deny RFC 1918 prefixes + packets sourced from your public /24 range that you're advertising, and if you want to, enable uRPF for antispoofing.
What you can also do is have the first line in your access-list be a pin-hole entry that allows communication between your service provider's WAN IP address and your WAN address (only for TCP 179 (BGP)), and deny ALL other traffic destined to your WAN interface to stop any DoS attack on your WAN router.
5) You may want to add a route-map on your BGP inbound to only receive a default route from your carriers. If for any reason your internet service provider pushes you the full internet routing table, your routers may crash if they don't have enough RAM (each BGP peer requires 128MB RAM for the full table).
6) If you enable OSPF or another protocol between the routers and the firewall, you will not need the static route you configured between the peer for the iBGP neighborship.
7) You really need to think about the iBGP function in this scenario. You really may not need it if you will expect traffic to be active on 1 single ISP at any point in time. In this scenario you can use HSRP which will track the BGP neighborhood relationship, and will drop priority of your primary router once the BGP fails.
8) If you want to use load balancing on your outgoing firewall configuration, then you will certainly need to split the /24 range into 2 and do source NATting on your outgoing interfaces according to the route the traffic will take. Otherwise you will be really able to load balance your outgoing traffic but you will certainly run into asymmetric routing for the incoming traffic, which is not really recommended, especially if your clients have dual upstreams and have uRPF enabled.

I'm simulating the configuration I'm proposing and will post it here shortly.
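As an added illustration of points 2 and 8 above (example code written for this edit, not pgstephan's or the asker's), here is a small Python model of how a remote network chooses which of the two ISPs to send traffic through. It assumes constructed values: 203.0.113.0/24 stands in for the site's real /24, ISP1 is primary, ISP2 is secondary, the prepend towards ISP2 adds three ASes, and the remote network may apply a LOCAL_PREF that favours ISP2 (the case in which prepending stops working). The model applies the BGP decision process per prefix and then a longest-prefix-match lookup, which is why two /25s via the primary beat the covering /24 via the secondary regardless of path attributes.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example values (not from the thread): 203.0.113.0/24 stands in
# for the asker's real public /24; ISP1 is primary, ISP2 is secondary.
PUBLIC_24 = ipaddress.ip_network("203.0.113.0/24")
HALVES = list(PUBLIC_24.subnets(new_prefix=25))   # 203.0.113.0/25, 203.0.113.128/25


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    via: str               # which ISP the remote network would forward through
    as_path_len: int       # AS_PATH length as seen by the remote network
    local_pref: int = 100  # LOCAL_PREF the remote network assigns to this path


def forwarding_isp(rib, dst):
    """Which ISP a remote network sends traffic for dst through.

    Step 1 models the BGP decision process per prefix (highest LOCAL_PREF
    wins, then shortest AS_PATH).  Step 2 models the FIB lookup (longest
    prefix match), which is why a /25 beats a /24 whatever the attributes say.
    """
    dst = ipaddress.ip_address(dst)
    best_per_prefix = {}
    for r in rib:
        cur = best_per_prefix.get(r.prefix)
        if cur is None or (-r.local_pref, r.as_path_len) < (-cur.local_pref, cur.as_path_len):
            best_per_prefix[r.prefix] = r
    matches = [r for p, r in best_per_prefix.items() if dst in p]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen).via


def prepend_only(remote_prefers_isp2: bool, dst: str = "203.0.113.200") -> str:
    """Same /24 to both ISPs, AS-prepended three times towards ISP2."""
    lp2 = 200 if remote_prefers_isp2 else 100
    rib = [Route(PUBLIC_24, "ISP1", as_path_len=2),
           Route(PUBLIC_24, "ISP2", as_path_len=5, local_pref=lp2)]
    return forwarding_isp(rib, dst)


def split_prefix(remote_prefers_isp2: bool, primary_up: bool = True,
                 dst: str = "203.0.113.200") -> str:
    """Two /25s to the primary ISP, the covering /24 to the secondary."""
    lp2 = 200 if remote_prefers_isp2 else 100
    rib = [Route(PUBLIC_24, "ISP2", as_path_len=2, local_pref=lp2)]
    if primary_up:
        rib += [Route(h, "ISP1", as_path_len=2) for h in HALVES]
    return forwarding_isp(rib, dst)


if __name__ == "__main__":
    print("prepend, neutral remote:      ", prepend_only(False))
    print("prepend, remote prefers ISP2: ", prepend_only(True))
    print("split, remote prefers ISP2:   ", split_prefix(True))
    print("split, primary ISP down:      ", split_prefix(True, primary_up=False))
```

The model assumes the remote network accepts the /25 announcements at all; many networks filter IPv4 announcements longer than /24, so confirm with both ISPs before relying on the split, and note that failover in the split case is driven purely by the /25s being withdrawn when the primary session drops.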
LVL 1

Author Comment

by:marrj
Thank you very much, pgstephan.  Here are my responses.

1. Ok, I have taken the loopbacks out of the neighborships with the ISPs.

2. I'm really not a huge fan of running NAT from my edge routers.  I think I will settle for an active/standby topology.  I do like the concept of splitting the /24 into two /25's, but I'm not sure I can sell it to my administration.  I like the idea of leveraging BGP prepend, but I'm reading some reports that claim it may not always work, depending on what your ISP will do with BGP path attributes like local pref.  What is your opinion on conditional advertisement?  https://learningnetwork.cisco.com/docs/DOC-11860   I like the concept, but I'm having trouble wrapping my mind around how it would work with two edge routers.

3. Since I've settled for an active/standby config, I'm more than happy leveraging HSRP with tracking for failover.

4. How would such an access list look?  
(Block all traffic to WAN interface except TCP 179)
#access-list 101 permit tcp host 11.11.11.2 host 11.11.11.1 eq 179
#interface gi0/0
#ip access-group 101 in

5. I can handle a default-route-only route map.  Could I essentially do the same thing with a prefix list?
(Block all inbound BGP-learned prefixes except default route to avoid RAM overload)
#ip prefix-list only-default seq 5 permit 0.0.0.0/0
#neighbor 11.11.11.2 prefix-list only-default in

6. Do I still need OSPF since I've settled for an active/standby?  I'd rather not complicate things if I don't have to.

7. Ok.  Makes sense.

8. I think I like the looks of active/standby and simplifying things with HSRP.  My main question at this point is how do I keep my prefix from being advertised to the standby ISP.

Once again, thank you very much for your input.
LVL 1

Author Comment

by:marrj
http://www.remiphilippe.fr/2010/04/05/bgp-conditional-advertisement/

What do you think about this guy's setup for two edge routers?
LVL 6

Expert Comment

by:pgstephan
2. You're right, AS-Prepend doesn't always work, because it really depends on your upstream providers. Instead of conditional advertisement, what you can also do is advertise to your primary provider 2 /25 blocks and a single /24 block to your secondary provider. That way the /25 will always be preferred over the /24 advertised by the secondary provider.
I had a bit of a read of your link about conditional advertisement; my problem with it is that you will only start advertising the prefix via BGP when you lose your primary connection. That's not quick enough, so I'd prefer the summary way (above).
You can also talk to your secondary carrier; some carriers can apply a certain policy by which, when you advertise them a prefix with a specific community, they would only advertise it when they stop receiving your prefix via the primary provider.
4. Here is what you can use:
access-list 101 permit tcp host 11.11.11.2 host 11.11.11.1 eq 179 log
access-list 101 permit tcp host 11.11.11.2 eq 179 host 11.11.11.1 log
access-list 101 deny ip any host 11.11.11.1
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.31.255.255 any
access-list 101 permit ip any any

For the first couple of lines in the access-list, apply it for a couple of seconds and see how the BGP session is flowing, then delete the redundant line (the reason being that the BGP session between the 2 neighbors may be started from your router or from your carrier's) (and delete the log keyword from the line too).

5. Yes
6. No
LVL 1

Author Comment

by:marrj
I'm curious now that you mentioned that conditional advertising may not be fast enough.  About how long does it take to propagate a prefix with BGP?

I'm going to research BGP communities now.
LVL 1

Author Comment

by:marrj
I've attached revised configs for both E1 and E2, with changes per your recommendations.  I have decided to change from load sharing to active/standby with E1 and ISP1 being the active route.  I'm going to ask my ISPs about their use of local pref and BGP communities in their AS.  I hope to get by with as-prepend.

Would you mind taking a look at the new configs to make sure I'm still on the right track?

Thank you.
E1.txt
E2.txt