Wednesday, July 11, 2018

BGP Internet Design with two Routers and a Firewall

First, I've been a junior network admin for a few years, and recently the senior engineers left, leaving me with a lot more responsibility. This is really my first deep dive into BGP design, so I very much appreciate any feedback.

Problem: We have two circuits to two ISPs. Currently we filter all but the default route and announce our /24 prefix from each. We run HSRP on the internal interfaces, and fail-over by shutting down the BGP session on the primary router, shutting down the internal interface so HSRP switches us over, and bringing up the session on the backup. This is manual, slow (typically an hour+ in practice), and just generally shitty.

Proposed solution: To make use of both circuits and have fail-over be faster and more automatic I want to accept the full route tables from each ISP, announce our prefix to both at the same time, and run an iBGP session between the two routers.

Here's a diagram.

Is this a reasonable approach to solving the problem?

Question: What is the best way to do the routing on the firewall? Ideally it would send traffic to some destinations via RT-1 and others via RT-2, right? Options I've thought of:

  • Remove HSRP and run BGP on the firewall with an iBGP session to each router. I would prefer not to do this because I don't manage the firewall and the firewall admin has pushed back against having routing protocols running on there. He's a fan of static routes.
  • Leave HSRP and let IP redirects send flows to the correct router. Is this a reasonable option?
  • Any other ways I'm not thinking of?

Proposed BGP config:

On RT-1

router bgp 3333
 neighbor 1.1.1.1 remote-as 1111
 neighbor 1.1.1.1 update-source Gi0/1
 neighbor 3.3.3.3 remote-as 3333
 neighbor 3.3.3.3 update-source Gi0/0
 address-family ipv4
  network 3.3.3.0 mask 255.255.255.0
  neighbor 1.1.1.1 activate
  neighbor 3.3.3.3 activate
  neighbor 1.1.1.1 route-map IN_FROM_ISP in
  neighbor 1.1.1.1 route-map OUT_TO_ISP out

On RT-2

router bgp 3333
 neighbor 2.2.2.1 remote-as 2222
 neighbor 2.2.2.1 update-source Gi0/1
 neighbor 3.3.3.2 remote-as 3333
 neighbor 3.3.3.2 update-source Gi0/0
 address-family ipv4
  network 3.3.3.0 mask 255.255.255.0
  neighbor 2.2.2.1 activate
  neighbor 3.3.3.2 activate
  neighbor 2.2.2.1 route-map IN_FROM_ISP in
  neighbor 2.2.2.1 route-map OUT_TO_ISP out

Route maps on both routers

route-map IN_FROM_ISP permit 10
 match ip address prefix-list ALL_NETS

route-map OUT_TO_ISP permit 10
 match ip address prefix-list OUR_PREFIX
route-map OUT_TO_ISP deny 20
 match ip address prefix-list ALL_NETS

ip prefix-list ALL_NETS seq 10 permit 0.0.0.0/0 le 24
ip prefix-list OUR_PREFIX seq 10 permit 3.3.3.0/24

Edit: Typo
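The configuration below is an added example, not the original poster's config or the output of any review they received. It is the RT-1 side of the proposal above with the pieces a reviewer would usually ask for: a next-hop rewrite toward the iBGP peer, an inbound filter that refuses our own space and reserved ranges, a prefix limit, session authentication and GTSM. It keeps the post's placeholder addressing and AS numbers (3.3.3.0/24, AS 3333, ISP1 at 1.1.1.1 in AS 1111, iBGP peer 3.3.3.3 on Gi0/0) and assumes Cisco IOS syntax; the passwords, the prefix-limit value, the Null0 anchor route and the BOGONS list are illustrative assumptions. RT-2 mirrors it with 2.2.2.1 / AS 2222 and iBGP peer 3.3.3.2.

```cisco
! Added example: RT-1 with the usual hardening, not the post's own config.
! Addressing and AS numbers are the post's placeholders; passwords, limits,
! the Null0 anchor and the BOGONS ranges are assumptions for illustration.
!
! Anchor our /24 in the RIB so "network" always has something to advertise,
! even if the inside interface is not the whole /24 (assumption).
ip route 3.3.3.0 255.255.255.0 Null0 250
!
router bgp 3333
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 !
 ! eBGP to ISP1: authenticated, and only accepted from a directly
 ! connected peer (GTSM, TTL 255 expected).
 neighbor 1.1.1.1 remote-as 1111
 neighbor 1.1.1.1 update-source GigabitEthernet0/1
 neighbor 1.1.1.1 password ISP1-SHARED-SECRET
 neighbor 1.1.1.1 ttl-security hops 1
 !
 ! iBGP to RT-2 across the inside segment
 neighbor 3.3.3.3 remote-as 3333
 neighbor 3.3.3.3 update-source GigabitEthernet0/0
 neighbor 3.3.3.3 password IBGP-SHARED-SECRET
 !
 address-family ipv4
  network 3.3.3.0 mask 255.255.255.0
  !
  neighbor 1.1.1.1 activate
  ! Tear the session down (and retry after 15 min) if ISP1 ever sends
  ! far more than a full table; the ceiling is an assumption.
  neighbor 1.1.1.1 maximum-prefix 1000000 90 restart 15
  neighbor 1.1.1.1 route-map IN_FROM_ISP in
  neighbor 1.1.1.1 route-map OUT_TO_ISP out
  !
  neighbor 3.3.3.3 activate
  ! Rewrite the next hop on paths passed to RT-2. Without this RT-2
  ! receives next hop 1.1.1.1, has no route to it, and cannot use
  ! anything learned from ISP1.
  neighbor 3.3.3.3 next-hop-self
 exit-address-family
!
! Exact /24 for what we announce; "le 32" catches more-specifics of our
! own space that an ISP should never be sending us.
ip prefix-list OUR_PREFIX seq 10 permit 3.3.3.0/24
ip prefix-list OUR_SPACE seq 10 permit 3.3.3.0/24 le 32
!
! Reserved ranges that must not arrive from an upstream (illustrative list)
ip prefix-list BOGONS seq 10 permit 0.0.0.0/8 le 32
ip prefix-list BOGONS seq 20 permit 10.0.0.0/8 le 32
ip prefix-list BOGONS seq 30 permit 100.64.0.0/10 le 32
ip prefix-list BOGONS seq 40 permit 127.0.0.0/8 le 32
ip prefix-list BOGONS seq 50 permit 169.254.0.0/16 le 32
ip prefix-list BOGONS seq 60 permit 172.16.0.0/12 le 32
ip prefix-list BOGONS seq 70 permit 192.168.0.0/16 le 32
ip prefix-list BOGONS seq 80 permit 224.0.0.0/3 le 32
!
! Same intent as the post: everything down to /24, nothing longer
ip prefix-list ALL_NETS seq 10 permit 0.0.0.0/0 le 24
!
route-map IN_FROM_ISP deny 10
 match ip address prefix-list OUR_SPACE
route-map IN_FROM_ISP deny 20
 match ip address prefix-list BOGONS
route-map IN_FROM_ISP permit 30
 match ip address prefix-list ALL_NETS
!
! Only our /24 goes out; the implicit deny stops the other ISP's table
! from being re-announced (which would make us a transit AS).
route-map OUT_TO_ISP permit 10
 match ip address prefix-list OUR_PREFIX
```

With next-hop-self in place, any path that RT-2 prefers shows up on RT-1 with next hop 3.3.3.3, which sits on the same inside segment as the HSRP VIP. The HSRP active router can therefore forward those flows straight to RT-2 itself, so the firewall needs nothing beyond its static default toward the VIP and does not have to honour ICMP redirects (firewalls commonly ignore them). The cost is that hairpinned traffic crosses the inside segment twice; a dedicated RT-1 to RT-2 link carrying the iBGP session avoids that.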
