Thursday, November 30, 2017

ASA HA BGP to a VRRP QFX

I'm wondering what the best way is to create BGP redundancy between a pair of QFX5100s (core routers, VRRP gateway) and a Cisco ASA HA cluster. (I know nothing of ASA, and a client is configuring the ASA.)

So from what I have read, the ASA has an IP address on the primary firewall and a secondary IP address on the backup firewall. The primary and secondary addresses swap when the HA fails over.

I also have two QFX5100s acting as a routing core (gateway) running VRRP, because it is the gateway for all routes, and the ASA will connect the gateway to the DIA (Direct Internet Access).

What would be the best way to pair them together?

If I have the ASA point to my VRRP IP address, only one of my QFX BGP sessions will show up (the active VRRP router). This will cause the other QFX (the backup VRRP router) to create alerts because its BGP session will always be down until a failover.

However, if I do redundant BGP connections to each QFX5100, I'll have to create load balancing or at least some local-preference changes on the Cisco ASA. Also, it might affect my BGP peering unless I do multichassis LAG.

Is there anything I am not thinking of?


