Sunday, June 17, 2018

BGP on Nexus 3500 or ASA5525-X for AWS Direct Connects

Hi,

I'm about to implement dual AWS direct connects, both public and private VIFs and am looking to get some feedback on a couple of options for establishing the BGP sessions to AWS.

Currently have a pair of ASA5525-X Active/Standby and Nexus 3548 acting as the "core". The Nexus pair are set up in vPC configuration to the ASAs and for the most part, VLANs are trunked to the ASAs which are acting as the default gateways. I have some EIGRP routing on the Nexus for a few routes between our DCs.

Basically what I'm trying to achieve is have our dual direct connects as our primary paths to our VPCs and if they're both down, route via VPN to the VPC.

ASAs are running 9.8.x and Nexus switches are running 6.0(2)A8, so layer3 peer-router is supported: https://www.cisco.com/c/en/us/support/docs/ip/ip-routing/118997-technote-nexus-00.html.

High level topology: https://imgur.com/a/vCOmIPh


Question is, where to establish the BGP sessions.

Option 1:
- Private VIFs. Create a VRF for these VIFs and establish a BGP session on each Nexus switch, create an HSRP address on the Nexus and point a static route on the ASAs to the HSRP address.
- Public VIFs. Separate VRF for these VIFs and establish a BGP session on each Nexus switch. Establish dynamic routing between the Nexus and the ASA and redistribute the public routes to the ASA.

Option 2: Instead of having the BGP sessions on the Nexus switches, trunk VLANs up to the ASAs for the public and private VIFs and establish the BGP sessions from there.


I'm leaning towards option 2 as it simplifies things a bit, in that I can more easily configure my primary and my backup paths from a single device.

The only thing that concerns me is how the dynamic routing will be handled during a failover event on the ASAs. I did a bit of searching, but only found documentation relating to older code bases. Basically, routes are synchronised between the active and standby, but the adjacency between neighbours needs to be re-established. If this adjacency happens within 15 seconds, there is a "brief" interruption, but if it takes longer, connections are dropped. Is this still the case in the 9.8.x series, or has it been improved?


Is there an option 3 I'm missing that someone could suggest? Traffic to the VPC over the private VIF is the most important, so the other option I thought could be a possibility is a combination of both. BGP for the private VIFs on the Nexus with HSRP, and static route on the ASA, then trunk VLANs to the ASA for the public VIFs and run BGP on the ASA.

Any feedback would be much appreciated. Thanks :)
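An added configuration example, not from the original post, sketching the private-VIF side of Option 1 on one Nexus 3548 and the active ASA. Every ASN (65000 local, 64512 for the AWS side), address, VLAN number, prefix and the host probed by the SLA monitor is a placeholder assumed for illustration; the BGP authentication key is the one AWS generates for the VIF. The inbound/outbound prefix filters and the prefix limit on the BGP neighbour are the part worth keeping whichever option is chosen, since they bound what AWS can inject into the VRF and what on-prem space leaks toward the VPC:

```cisco
! Nexus 3548 #1 (NX-OS 6.0(2)A8), Option 1 private-VIF side.
! All ASNs, addresses, VLAN numbers and prefixes are placeholders.
feature bgp
feature hsrp
feature interface-vlan

! VRF keeps the Direct Connect private VIF separate from the global table
vrf context DX-PRIVATE
  ! on-prem aggregate points back at the ASA inside this VRF (placeholder)
  ip route 10.0.0.0/16 10.0.200.254

vlan 100
  name DX-PRIVATE-VIF
vlan 200
  name DX-PRIVATE-INSIDE

! Cross-connect to the Direct Connect partner; the VIF rides an 802.1Q tag (VLAN 100)
interface Ethernet1/1
  description AWS Direct Connect 1
  switchport mode trunk
  switchport trunk allowed vlan 100

! BGP peering SVI on the /30 AWS assigns for the VIF (placeholder addresses)
interface Vlan100
  vrf member DX-PRIVATE
  ip address 169.254.254.2/30
  no shutdown

! Inside SVI toward the ASAs; the HSRP VIP is the ASAs' static next hop
interface Vlan200
  vrf member DX-PRIVATE
  ip address 10.0.200.2/24
  hsrp 200
    priority 110
    preempt
    ip 10.0.200.1
  no shutdown

! Accept only the VPC CIDR from AWS and advertise only on-prem space to it
ip prefix-list VPC-IN seq 5 permit 10.20.0.0/16 le 24
ip prefix-list ONPREM-OUT seq 5 permit 10.0.0.0/16
route-map DX-IN permit 10
  match ip address prefix-list VPC-IN
route-map DX-OUT permit 10
  match ip address prefix-list ONPREM-OUT

router bgp 65000
  vrf DX-PRIVATE
    address-family ipv4 unicast
      network 10.0.0.0/16
    neighbor 169.254.254.1 remote-as 64512
      description AWS private VIF peer
      ! MD5 key generated by AWS for this VIF (placeholder)
      password 0 BGP-AUTH-KEY-FROM-AWS-CONSOLE
      address-family ipv4 unicast
        route-map DX-IN in
        route-map DX-OUT out
        maximum-prefix 100

! ---------------------------------------------------------------
! ASA 5525-X (9.8.x), active unit. Placeholder addresses throughout.
interface GigabitEthernet0/1.200
 vlan 200
 nameif dx-private
 security-level 100
 ip address 10.0.200.254 255.255.255.0 standby 10.0.200.253

! Probe a VPC-side host (placeholder) rather than the HSRP VIP: the VIP keeps
! answering when both Direct Connect BGP sessions are down, so it cannot
! signal that the path has failed.
sla monitor 10
 type echo protocol ipIcmpEcho 10.20.0.10 interface dx-private
 frequency 5
sla monitor schedule 10 life forever start-time now
track 10 rtr 10 reachability

! Primary: static route to the Nexus HSRP VIP, withdrawn when the probe fails
route dx-private 10.20.0.0 255.255.0.0 10.0.200.1 1 track 10
! Backup: floating static toward the existing VPN to the VPC
! (outside next hop is a placeholder)
route outside 10.20.0.0 255.255.0.0 203.0.113.1 250
```

The tracked static is what makes the "both Direct Connects down, fall back to VPN" behaviour work in Option 1: without it the ASA keeps forwarding VPC traffic into the VRF, where the Nexus no longer holds a BGP route, and the floating route never takes over. The second Nexus carries the same configuration with its own VIF /30 and a lower HSRP priority.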


