ISP BGP peering with HSRP for redundancy

We have a 7507 router with BGP peering to one ISP. Now we need a router redundancy solution.
I want to use HSRP on the BGP peering interface. Because the ISP only peers with us on an IP address, I have to use HSRP on two router interfaces and use the HSRP virtual IP to peer with the ISP. Do you think this solution will work, or will there be some trouble? Will BGP work fine with HSRP interfaces?
Thanks.

Yes, BGP works fine with an HSRP interface. Here are some sample configurations for your reference.
Router A Configuration (ISP Router):
interface ethernet 0
ip address
standby 1 ip (The ip should be same as above command)
standby 1 priority 110
standby 1 track Serial0.100
standby 1 preempt
Router B Configuration (client Router):
interface ethernet 0
ip address
standby 1 ip (The ip should be same as ISPs address)
standby 1 priority 105
standby 1 track Serial0.100
standby 1 preempt

Similar Messages

  • BGP peering with ISP

    Hello Guys
    I have a scenario where I would like to have your insights.
    1. Client having Main site and DR site connected to same ISP with public IP line.
    2. The client has acquired a public IP block (/24) and would like to use same on both main and DR sites.
    Would this be possible through BGP? How can we advertise the same IP block on 2 sites?
    The sites need to be in an active-active scenario.
    Thanks

    Disclaimer
    The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
    Liability Disclaimer
    In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
    Posting
    If you're going to advertize the same address block, from two different BGP peers, whether to the same ISP or different ISPs, the expectation is, you can get to or from that address block along either path.  I.e. you need an "internal" path between your two BGP peers.  Otherwise, the "critical" BGP path fails, you continue to advertize an address block that's unreachable.
    There's no need to split your block unless you were trying to manually load balance using your two paths.
    As another poster noted, you might have asymmetrical routing (depending on path costing), but from a pure L3 perspective it doesn't matter.  It can, though, matter to stateful devices like firewalls.  The latter might be addressed by firewalls at both sites sharing state information.

  • BGP peers with same AS number

    Hi All,
    As in the network topology attached (replica of actual network), I would like to know if there is any way that routes received from PE-RTR1 in CE-RTR can be advertised to PE-RTR2 and vice versa, so that PE-RTR1 & PE-RTR2 can reach each other.
    Routing protocol used between PE-RTR1 & CE and PE-RTR2 & CE is BGP.
    The issue seems to be due to same AS number of PE-RTR1 & PE-RTR2. It might not be possible to change AS numbers defined. Is there any way to overcome this situation?
    Thanks in advance..
    Regards,
    Nagabhushan

    I read that a bit too quickly.
    If you're connecting your locations via the ISP and they all use the same AS, they'll all need the statement I mentioned in my previous comment. If you already have communication between them via the ISP, then this command is probably already there.
    If you're connecting everything via fibre to the primary location, you can just peer with the other locations using the same AS and you'll be fine... though there are some considerations if you're redistributing BGP into an internal routing protocol.
    In your current configuration, is each location seeing the networks from the other sites propagating from the ISP via BGP?

  • IPS4240 in bypassmode-auto cause BGP peering failure

    Recently installed IPS4240's running inline. With "bypass-mode auto" the BGP peering (with password) between 2 routers either side of the IPS unit drops. The error logs indicate bad MD5 hash on both units. In "bypass-mode on" BGP peering with password is fine.
    Anyone know a fix or the cause?

    This is probably being dropped or modified by some of the "normalizer" engine signatures in the IPS. Basically the IPS in inline mode does a lot of TCP checks and drops or modifies packets with certain bits set. It probably doesn't like the fact the MD5 hash is set as TCP option bit 19 and is modifying it somehow, which then fails your authentication on the remote peer.
    Go into whatever configuration tool you're using and enable the "produce-verbose-alert" on all the 13xx signatures (1300-1330). Then check your alerts for an alert with a victim/attacker IP addresses of your BGP routers, see what signature it was that actually fired, then disable that signature (or add a filter so that it doesn't fire for that IP address pair anymore). This will stop it doing whatever it is doing to your BGP packets and it should work from then on.
    It'll probably be one of the sub-sigs under 1330, as this does a lot of different checks on various parts of the TCP packet.
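The "bad MD5 hash" failure discussed in this thread can be reproduced offline. The following is an added example, not code from the thread or from Cisco: it computes the RFC 2385 TCP MD5 signature (carried in TCP option kind 19) and shows how the receiver's check responds when a device in the path edits the segment. The addresses, key, sequence numbers and the three in-path edits are constructed for illustration and are not documented IPS 4240 behaviour.

```python
import hashlib
import hmac
import socket
import struct

MD5_OPT_KIND, MD5_OPT_LEN = 19, 18  # TCP MD5 Signature option, RFC 2385


def fixed_header(sport, dport, seq, ack, flags, window, urg_ptr=0, opt_len=0):
    """20-byte TCP header; the checksum field is left at zero."""
    off_flags = ((5 + opt_len // 4) << 12) | (flags & 0xFF)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, urg_ptr)


def rfc2385_digest(src_ip, dst_ip, segment, key):
    """MD5 over pseudo-header, TCP header minus options (checksum 0), data, key."""
    hdr_len = (segment[12] >> 4) * 4
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
    pseudo += struct.pack("!HH", 6, len(segment))  # zero pad, protocol 6, length
    fixed = segment[:16] + b"\x00\x00" + segment[18:20]
    return hashlib.md5(pseudo + fixed + segment[hdr_len:] + key).digest()


def sign(src_ip, dst_ip, fields, payload, key):
    """Sender: build a segment carrying option 19 plus two NOPs of padding."""
    placeholder = bytes([MD5_OPT_KIND, MD5_OPT_LEN]) + bytes(16) + b"\x01\x01"
    segment = fixed_header(**fields, opt_len=len(placeholder)) + placeholder + payload
    digest = rfc2385_digest(src_ip, dst_ip, segment, key)
    return segment[:22] + digest + segment[38:]


def find_md5_option(segment):
    """Walk the TCP options; return the 16-byte digest, or None if absent."""
    hdr_len, i = (segment[12] >> 4) * 4, 20
    while i < hdr_len and segment[i] != 0:       # kind 0 = end of option list
        if segment[i] == 1:                       # kind 1 = NOP, single byte
            i += 1
            continue
        length = segment[i + 1] if i + 1 < hdr_len else 0
        if length < 2 or i + length > hdr_len:
            break                                 # malformed option
        if segment[i] == MD5_OPT_KIND and length == MD5_OPT_LEN:
            return segment[i + 2:i + length]
        i += length
    return None


def verify(src_ip, dst_ip, segment, key):
    """Receiver: the check a BGP peer makes before accepting the segment."""
    carried = find_md5_option(segment)
    if carried is None:
        return "no-md5-option"
    expected = rfc2385_digest(src_ip, dst_ip, segment, key)
    return "ok" if hmac.compare_digest(carried, expected) else "bad-md5"


# Constructed sample: documentation addresses, made-up key and sequence numbers.
SRC, DST, KEY = "192.0.2.1", "192.0.2.2", b"example-bgp-secret"
FIELDS = dict(sport=50000, dport=179, seq=1000, ack=2000, flags=0x18, window=16384)
KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)  # 19-byte BGP KEEPALIVE
ORIGINAL = sign(SRC, DST, FIELDS, KEEPALIVE, KEY)


def in_path_edits():
    """Hypothetical edits by an inline device, with the receiver's verdict."""
    seq_rewritten = ORIGINAL[:4] + struct.pack("!I", 5000) + ORIGINAL[8:]
    option_stripped = ORIGINAL[:20] + b"\x01" * 20 + ORIGINAL[40:]
    padding_changed = ORIGINAL[:38] + b"\x00\x00" + ORIGINAL[40:]
    return {
        "untouched": verify(SRC, DST, ORIGINAL, KEY),
        "sequence number rewritten": verify(SRC, DST, seq_rewritten, KEY),
        "option 19 replaced by NOPs": verify(SRC, DST, option_stripped, KEY),
        "padding after option 19 changed": verify(SRC, DST, padding_changed, KEY),
    }


if __name__ == "__main__":
    for edit, verdict in in_path_edits().items():
        print(f"{edit:32} -> {verdict}")
```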

  • Cisco BGP Peering Between 2 ISP

    Hi Cisco People,
    Just have a question with BGP peering in Cisco's. I have two ISP's which I am peering against for an active and standby configuration. I would like to know if there is a way to configure some sort of 'dead-peer detection' on the router to monitor a public IP address in the event of an ISP failure. I want to find a way to dynamically failover the link in the event of failure when losing pings to an external address.
    Regards
    Chris

    Chris
    Dead Peer Detection is one of the functions performed by BGP. If the peer goes dead then BGP will detect it and will withdraw routes learned from that peer from the routing table.
    What you describe about monitoring a public address is more about validating that the ISP routing logic is learning and advertising appropriate routes than it is about detecting if a peer has gone dead. I would think that this is possible - but a bit complex. I would think that you could configure IP SLA to track some public address (the tricky bit here is to make sure that you are tracking through ISP1 and not using ISP2 for this). Then you should be able to configure EEM to watch the track and if the route is lost to make appropriate changes in BGP to force the failover.
    HTH
    Rick

  • HSRP For the Gateway Redundancy.

    Hi all
    I just need a simple how-to for configuring 2 routers (R1, R2) to run HSRP for gateway redundancy if one of the 2 routers fails. Should I connect the 2 routers together via a cross cable, then one straight cable to the 2 separate distribution switches? (2 EtherChannels configured between the distribution switches.) PS: list your optimum configuration.
    Your help is very much appreciated.

    Hi,
    I think you are talking about a campus network where you have two distribution, two access and two core routers.
    With that perspective, my suggestion would be to have an EtherChannel between the distribution switches, and both distribution switches should be connected to both core routers.
    Then use HSRP on the distribution switches.
    The configuration and diagram are given below.
    Do let us know if you want any more information.
    interface FastEthernet2
    ip address 172.69.90.1 255.255.255.0
    standby priority 200
    standby preempt
    standby ip 172.69.90.6
    interface FastEthernet3
    ip address 172.69.91.1 255.255.255.0
    standby priority 200
    standby preempt
    standby ip 172.69.91.6
    Like the above configuration, you can configure the second switch; you can also apply it on a VLAN interface.
    HTH

  • Challenge: Spanning Tree Control Between 2 links from Switch DELL M6220 to 2 links towards 2 switches CISCO 3750 connected with an stack (behavior like one switch for redundancy)

    Hello,
    I have a spanning tree problem when I connect 2 links from a DELL M6220 switch (there are blades for virtual machines too) to 2 links towards 2 CISCO 3750 switches connected in a stack (behaving like one switch for redundancy, with one management IP).
    In the Dell virtual machine it is spanning tree rapid STP, and in the 3750 it is spanning tree mode PVST; Cisco says that this is not important, it only takes a longer time to create the tree.
    I don't know, but do you like these solutions I want to try on Sunday?
    Could spanning tree need one native VLAN to be sent to negotiate the BPDUs? switchport trunk native vlan 250
    Is it better to put spanning-tree guard root on the ports of both 3750s to keep the DELL from being root in spanning tree?
    Is it better to put spanning-tree port-priority on the ports of the Dell switch?
    Could you help me to control the root? Do you think another solution is better? Thanks!
     CONFIG WITH PROBLEM
    ======================
    3750: (the 2 ports are on 2 3750 switches connected with a stack cable; in a show run you can see this)
    interface GigabitEthernet2/0/28
     description VIRTUAL SNMP2
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 4,13,88,250
     switchport mode trunk
     switchport nonegotiate
     logging event trunk-status
     shutdown
    interface GigabitEthernet1/0/43
     description VIRTUAL SNMP1
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 4,13,88,250
     switchport mode trunk
     switchport nonegotiate
     shutdown
    DELL M6220: (it's only one switch)
    interface Gi3/0/19
    switchport mode trunk
    switchport trunk allowed vlan 4,13,88,250
    exit
    interface Gi4/0/19
    switchport mode trunk
    switchport trunk allowed vlan 4,13,88,250
    exit

    F.Y.I. for Catalyst heroes - here is the equivalent config for SG-300 - Vlan1 is required on the allowed list on the Catalyst side (3xxx/4xxx/6xxx)
    In this example:
    VLANS - Voice on 188, data on 57, management on 56.
    conf t
    hostname XXX-VOICE-SWXX
    no passwords complexity enable
    username xxxx priv 15 password XXXXX
    enable password xxxxxx
    ip ssh server
    ip telnet server
    crypto key generate rsa
    macro auto disabled
    voice vlan state auto-enabled !(otherwise one switch controls your voice vlan….)
    vlan 56,57,188
    voice vlan id 188
    int vlan 56
    ip address 10.230.56.12 255.255.255.0
    int vlan1
    no ip add dhcp
    ip default-gateway 10.230.56.1
    interface range GE1 - 2
    switchport mode trunk
    channel-group 1 mode auto
    int range fa1 - 24
    switchport mode trunk
    switchport trunk allowed vlan add 188
    switchport trunk native vlan 57
    qos advanced
    qos advanced ports-trusted
    exit
    int Po1
    switchport trunk allowed vlan add 56,57,188
    switchport trunk native vlan 1
    do sh interfaces switchport po1
    !CATALYST SIDE
    !Must explicitly allow Vlan1, this is not normal for Catalysts - or spanning tree will not work! Even though it's the native vlan on both sides.
    interface Port-channel1
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 1,56,57,189
    switchport mode trunk

  • EBGP design with HSRP

    We are investigating to enhance our datacenter availability and would request an AS from our RIR (RIPE) with PI address space. At the moment we have internet access in one facility in Brussels but are expanding to another facility in the Netherlands where a backup ISP connection would be connected.
    We know we will need to speak eBGP to both ISPs to be able to failover our IP block if the primary ISP connection would go down. At the facility in Brussels we have a Active/Passive setup with our ISP consisting of a pair of Juniper firewalls on our behalf and Cisco routers on the ISP side with HSRP and static routing. We will replace the Juniper firewalls with a pair of Cisco ISR 4451-X routers which would be configured for the BGP session. In the Netherlands the backup ISP connection will be serviced by a Cisco 3925.
    Now the question is regarding the redundant L2 setup at the Brussels facility. I know it's not possible to use a HSRP virtual IP as the BGP neighbor address, so am I correct to say the only way of implementing BGP and maintaining the redundancy at the Brussels facility would be to establish a mesh of BGP sessions between our routers and the two ISP routers?

    Hi Bert,
    The easiest thing is to configure two eBGP sessions: one between the primary routers (your primary and the ISP primary) and one between the secondary routers, PLUS an iBGP session between your routers. This way, in case of a link failure, your primary router is still able to route packets by forwarding them to the secondary router (it could be useful because, depending on the type of WAN you are using, the router's WAN interface can be up/up also when end-to-end connectivity is lost. In that case HSRP doesn't change the active router).
    Bye,
    enrico.
    PS please rate if useful

  • BGP peering via default route

    I read http://blog.ipexpert.com/2010/11/08/bgp-peering-and-default-routes/ and understood that BGP speaker will not initiate BGP connection with the other BGP router if it can reach it via default route only...And BGP peering will not come up at all if both the BGP speakers know each other via default routes only....I could not understand the reason behind this though...Could any expert help me in understanding the underlying reasoning?

    I can't think of a reason why you would want to peer with a router you don't have a route for. If you're relying on a default route for a multi-hop bgp peer session, it could cause the session to be unreliable due to changes in the network down the line from you. An unreliable bgp session would be bad on the router's cpu/memory if the session were to flap.

  • Peering with AS larger than 65535

    Hi,
    Have an oldish 7200-G2 in the lab that I need to set up with test peering with an AS larger than 65535 - it does not accept asdot notation (i.e. it throws an error when I enter the converted AS - it doesn't like the ".").
    Is there any work-around to this? (Aside from IOS upgrade)
    Cheers.

    Hello John,
    if your objective is to test an eBGP peering with a 32 bit AS peer and the C7200-G2 has to play that role you need an IOS upgrade.
    Releases 12.0(32)S11, 12.0(33)S, 12.0(32)SY
    Cisco 7200 Series 
    to build an EBGP session between the C7200 and another 32bit AS capable device there is a special 16 bit AS number for backward compatibility.
     newly reserved AS TRANS# 23456 for interoperability between 4-byte ASN capable and non-capable BGP speakers
    see
    http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/border-gateway-protocol-bgp/data_sheet_C78-521821.html
    Hope to help
    Giuseppe

  • ASA mode selection with HSRP in L2/3 GW

    hi all
    As attached, I need to configure a redundant L2/3 gateway with a single ASA in the DMZ's downstream, and the DMZ's upstream also has an ASA.
    Luckily there is only a single DMZ switch that needs to be connected to both ASAs...
    I plan to use routed ports in the L2/3 gateway and HSRP to guarantee its redundancy (under the gateway there are several different subnets, but they do not appear in the attached picture). I have to use static routing in the L2/3 gateway, if needed, and use the port redundancy feature in the ASA.
    Here are my questions:
    1. From the above perspective, what is the better mode for the ASA, routed mode or transparent mode?
    2. If I choose to use routed mode with a single context, do I have to configure a dynamic routing protocol in both ASAs? If possible, I want to use static routing in the downstream ASA. And if I want to pass multicast through the ASA, does routed mode support this?
    thanks
    Taixing

  • HSRP Vs redundant Sup

    Folks,
    We have 6500s at the edge, distribution and at the core. We only have a single sup in the switches. We are doing HSRP at the distribution and the core. My question is: are there any good documents on CCO that talk about the advantages of redundant sups over HSRP? How can I convince my management that they should buy redundant sups rather than depending on HSRP?

    Hello,
    Basically, at the edge you lose the service completely (or partially, if there are backup connections in place) if the switch goes down.
    In the end you have to decide, what is cheaper, a redundant sup or a violation of your SLA and angry customers potentially willing to change to another SP. This is no technical decision, but a financial or political one.
    In general HSRP and redundant sups are all backup solutions. To justify the cost for redundant sups you would have to calculate the downtime (HSRP timers and MAC learning, etc. vs. switchover time) and compare the loss arising from downtime. Also take into account application needs. F.e. voip calls will be terminated by the users if there is a couple of seconds silence.
    This might or might not be an argument for redundant sups.
    In my opinion only a business case can give a good argument to justify the redundancy options.
    To give an analogy: does everyone have a second car just in case the first breaks down? No, but there are backups, which usually are sufficient, like taking the bus. In case you are a taxi driver, things look different and you might need a "fast replacement contract" with your car dealer. In case you are Michael Schumacher and driving a Ferrari formula one car, the loss through an image damage for Ferrari justifies a second car (and an expensive one!).
    Hope this helps! Please rate all posts.
    Regards, Martin

  • Design for redundancy of access switch

    hello all,
    I have the following design for a site:
    The provider delivers a channel with HSRP redundant routers, but the access level is not redundant and is represented by one switch.
    Am I correct that there is no way to provide redundancy on the access level with access switches only, or are there any design proposals?

    As Reza describes, many hosts only have a single connection to network, so that single connection is always a possible point of failure.  But there's a couple of things you can do to minimize the impact of a network infrastructure device failure.
    When working with small appliance type switches, you might have multiple smaller switches rather than one large switch.  For example, instead of having one 48 port switch, you might have two 24 port switches, or six 8 port switches, etc.  If a switch fails, not all hosts lose connectivity.
    You can also have additional ports, ideally enough to handle the loss of any one unit of hardware.  So, for example, if you have seven 8 port switches, when you only need 48 ports, if a switch fails, you only lose 1/7 of your hosts until they can be repatched into available ports on the other switches.
    If some of your hosts have multiple NICs, then there are various methods to use the two NICs to avoid a single network unit failure from dropping the host.  Usually only shared servers merit that level of redundancy.

  • Possible to use HSRP for ipv4 and ipv6 on Catalyst c3750x-48-TE ?

    I have the newest IOS 15.2 on my two switches.
    I know that this configuration does not work with IOS 12.x.

    I think HSRP for IPv6 is supported from 12.2(46)SE. So you should be able to configure it in 15.x
    -Nagendra

  • Does CISCO C3560X VLAN support multiple Network segments which are further configured with HSRP function

    Hi Cisco experts,
        My name is Kumagai and I need your expert opinions below.
    I am trying to configure one VLAN1 support multiple network segments as below.
    (this should be a very straight forward configuration and should be OK, I think ? )
     interface Vlan1
     ip address 172.30.0.0 255.255.128.0
     ip address 172.30.31.253 255.255.254.0 secondary
     ip address 172.30.61.253 255.255.254.0 secondary
     ip address 172.30.71.253 255.255.254.0 secondary
     ip address 172.30.4.253 255.255.255.0 secondary
     The only issue that is eating me is the above network segments are using HSRP too
     and I am not sure is this possible with a combination of VLAN1 supporting multiples which are
     further supported with HSRP settings in Cisco environment.
    !example of HSRP:
    interface Vlan4
     ip address 172.30.4.253 255.255.255.0
     no ip redirects
     standby 4 ip 172.30.4.254
     standby 4 priority 105
     standby 4 preempt
    <<< what will happen if I add the HSRP configuration as below into the above VLAN1 with multiple Network segment ??)
     I would like to summarize my "Combined" configurations as below but I need your expert opinions on
     whether the configuration below is workable without any problem ??
     Or it is a total flop because Cisco does not support the configuration below !!!
     interface Vlan1
     ip address 172.30.0.0 255.255.128.0
     ip address 172.30.31.253 255.255.254.0 secondary
     ip address 172.30.61.253 255.255.254.0 secondary
     ip address 172.30.71.253 255.255.254.0 secondary
     ip address 172.30.4.253 255.255.255.0  secondary
     standby 30 ip 172.30.31.254
     standby 30 priority 105
     standby 30 preempt
     standby 60 ip 172.30.61.254
     standby 60 priority 105
     standby 60 preempt
     standby 70 ip 172.30.71.254
     standby 70 priority 105
     standby 70 preempt
     standby  4 ip 172.30.4.254
     standby  4 priority 105
     standby  4 preempt
    Thanking you in advance !!!!!

    Hi,
    As far as I know, we don't set the ip helper address on the radio interface. It should be on the L3 interface of the corresponding VLANs, i.e.
    int vlan 20
    ip helper-address 192.168.33.xxx
    int vlan 60
    ip helper-address 130.20.1.xxx
    I'm assuming that you're using SVIs (int Vlan 20 and int Vlan 60) rather than physical interfaces. Also, I hope you have configured the switch port where this AP is connected as a trunk.
    Modify the AP config as below since you are using data vlan as the native vlan
    interface Dot11Radio0.20
    encapsulation dot1Q 20 native
    interface FastEthernet0.20
    encapsulation dot1Q 20 native
    Ideally your AP FastEthernet configuration should look like the one below. I'm not sure how you missed this, as it comes by default when you have multiple VLANs for multiple SSIDs.
    interface FastEthernet0.20
    encapsulation dot1Q 20 native
    no ip route-cache
    bridge-group 20
    no bridge-group 20 source-learning
    bridge-group 20 spanning-disabled
    interface FastEthernet0.60
    encapsulation dot1Q 60
    no ip route-cache
    bridge-group 60
    no bridge-group 60 source-learning
    bridge-group 60 spanning-disabled
    Hope this helps.
    Regards
    Najaf
