For a customer I need to extend the current single edge-router setup to a redundant one. The router in use is, and will remain, a Cisco ASR 1001-X with 16 GB of memory. The customer does eBGP for transit and iBGP for DMVPN, running on the same router. VRFs and NAT are used as well.
The picture below represents the current setup (left) and the planned setup (right).
https://i.imgur.com/GptS6Ek.png
IMO I have 3 options:
1) Run iBGP (AS12) between the ASRs, and both ASRs open an eBGP session to AS10 and AS11. This is probably the most robust/vendor-neutral setup.
2) Run iBGP (AS12) between the ASRs, while each router holds only one eBGP session to one transit AS. Therefore the left ASR may open an eBGP session to AS10, while the right one opens an eBGP session to AS11. (I don't see any real benefit in this setup currently; listing it just for the sake of completeness.)
3) Use Cisco Stateful Switchover (SSO) [1] on both ASRs. Configure only one to be 'active' while the other router stays in hot-standby mode. TBH I don't have any experience with Cisco SSO yet. However, I expect this setup to be more robust against human error (changing configuration on just one router), since the configuration should be synchronized by Cisco and both are configurable (more or less) as 'one' device.
Currently I'm testing option 3 in a lab environment. If the config of the router were simpler I'd probably opt for option 1; however, with a bunch of different VRFs, DMVPN and NAT rules, human failure may be a larger threat than a proprietary HA protocol (option 3).
My question is: am I missing something? Should Cisco SSO be used for such a scenario?
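As an added illustration of option 1, here is a constructed IOS-XE BGP fragment for the left ASR. It is not the poster's configuration and was not taken from their lab; the addresses are assumptions: AS12 is the customer AS, Loopback0 10.0.0.1 (left) and 10.0.0.2 (right) are the iBGP peering addresses, 198.51.100.1 is the AS10 peer, 203.0.113.1 is the AS11 peer, and 192.0.2.0/24 is the only prefix the customer originates. Beyond the peerings themselves it shows the controls a practitioner would want on each box independently of the other: a strict outbound prefix filter so a slip on one router cannot turn it into transit between AS10 and AS11, an inbound filter that drops the customer's own prefix, private space and default, a maximum-prefix limit, and per-neighbor MD5 password plus GTSM (ttl-security).

```cisco
! Added example for option 1 (left ASR); constructed, not from the original post.
! Assumed: Lo0 10.0.0.1 (left) / 10.0.0.2 (right), AS10 peer 198.51.100.1,
! AS11 peer 203.0.113.1, own prefix 192.0.2.0/24. The right ASR mirrors this
! with router-id 10.0.0.2 and iBGP neighbor 10.0.0.1.
!
! Pull-up route so "network 192.0.2.0" is always present in the RIB.
ip route 192.0.2.0 255.255.255.0 Null0 254
!
ip prefix-list OWN-PREFIXES seq 5 permit 192.0.2.0/24
!
! Reject our own prefix, RFC1918 space and default from transit; accept the rest.
ip prefix-list TRANSIT-REJECT seq 5 permit 192.0.2.0/24 le 32
ip prefix-list TRANSIT-REJECT seq 10 permit 10.0.0.0/8 le 32
ip prefix-list TRANSIT-REJECT seq 15 permit 172.16.0.0/12 le 32
ip prefix-list TRANSIT-REJECT seq 20 permit 192.168.0.0/16 le 32
ip prefix-list TRANSIT-REJECT seq 25 permit 0.0.0.0/0
!
route-map TRANSIT-IN deny 10
 match ip address prefix-list TRANSIT-REJECT
route-map TRANSIT-IN permit 20
!
! Only ever announce what we originate. This line is what keeps the router
! from re-advertising AS10 routes to AS11 (and vice versa) via iBGP.
route-map TRANSIT-OUT permit 10
 match ip address prefix-list OWN-PREFIXES
!
router bgp 12
 bgp router-id 10.0.0.1
 bgp log-neighbor-changes
 ! iBGP to the other ASR over loopbacks (placeholder secrets in angle brackets)
 neighbor 10.0.0.2 remote-as 12
 neighbor 10.0.0.2 description iBGP to right ASR
 neighbor 10.0.0.2 update-source Loopback0
 neighbor 10.0.0.2 password <ibgp-secret>
 ! eBGP to both transits; GTSM requires the peer to send TTL 255
 neighbor 198.51.100.1 remote-as 10
 neighbor 198.51.100.1 description AS10 transit
 neighbor 198.51.100.1 password <as10-secret>
 neighbor 198.51.100.1 ttl-security hops 1
 neighbor 203.0.113.1 remote-as 11
 neighbor 203.0.113.1 description AS11 transit
 neighbor 203.0.113.1 password <as11-secret>
 neighbor 203.0.113.1 ttl-security hops 1
 !
 address-family ipv4
  network 192.0.2.0 mask 255.255.255.0
  neighbor 10.0.0.2 activate
  neighbor 10.0.0.2 next-hop-self
  neighbor 198.51.100.1 activate
  neighbor 198.51.100.1 route-map TRANSIT-IN in
  neighbor 198.51.100.1 route-map TRANSIT-OUT out
  neighbor 198.51.100.1 maximum-prefix 1000000 90
  neighbor 203.0.113.1 activate
  neighbor 203.0.113.1 route-map TRANSIT-IN in
  neighbor 203.0.113.1 route-map TRANSIT-OUT out
  neighbor 203.0.113.1 maximum-prefix 1000000 90
 exit-address-family
```

Two caveats for this fragment: `ttl-security` only works if the transit provider also sets TTL 255 on its side, so if a provider cannot, drop that line rather than raising the hop count; and if the transit sessions live inside a VRF, as the poster's VRF setup may require, the same `neighbor` statements and route-maps go under `address-family ipv4 vrf <name>` instead of the global `address-family ipv4`. Because every filter is applied per box, the two ASRs can be checked against each other with a plain config diff, which addresses part of the human-error concern without a proprietary HA protocol.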