Friday, August 17, 2018

Dual-homed BGP, ISPs in different cities

Sorry, lots of stuff in the pic, but it's a complicated question I think...

In short, how to avoid asymmetric routing on firewalls: https://i.snag.gy/chzf04.jpg

We have two ISPs connected to our network in two cities separated by a few hundred kilometers. 1Gbps, full BGP table each. We have two /24s we can advertise (those are documentation blocks; IRL we have larger blocks we can split). Some of our servers are on public IPs, some on private (we have private peerings with private IP addresses to some of our customers).

Currently we have single-homed internet connectivity, and we'd like to make it dual-homed. However, routing traffic back via the right firewall cluster seems to be the problem here. We wouldn't like to have asymmetric routing. We have 2 firewalls in each city towards the ISPs, making it 2 fw clusters.

The simple solution here is to NAT everything coming to firewall 1 to a source IP from the 198.51.100.0/24 block so the return traffic would get to the right firewall. And everything coming to firewall 2 would get NAT'd to something from 203.0.113.0/24. That way, no matter which link/fw is broken, there wouldn't be asymmetric routing, as each block would only be originated from a single firewall. And towards the ISPs, we could AS-prepend the networks so that 198 would be preferred via ISP1 and 203 via ISP2.

Routers on the right would have to somehow decide which default route to use, or we could just leave it for the OSPF/BGP to decide... though as it's only a VRF called "core" between those, all the routers on the left are 1 hop away so every router on the right would choose the same router for the default route.

Not sure if this would be a problem at all, but it would be nice to have networks in the south to use the ISP in the south :)

Without the NAT hack, how would we achieve this? I'm thinking of using communities: the right-hand side routers tag every route with either "prefer ISP1" or "prefer ISP2" depending on the location, and then the left-hand side routers/firewalls do local-pref tuning based on the communities. Our firewalls talk BGP.
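To make the two ideas above concrete (the per-firewall NAT pool from the paragraph before, and the community-driven scheme from this one), here is an added decision model, not the author's configuration and not a BGP implementation. It assumes ISP1 is the northern ISP and ISP2 the southern one, a private ASN of 64500, community values 64500:1/64500:2 and a two-hop prepend; all of those are constructed. It interprets the community scheme as: core routers tag each prefix by city, each firewall prepends on export when the tag names the other ISP, and core routers derive the local-pref of the default route from the same tag. The model then checks, for every ISP up/down combination, whether the firewall a reply leaves through sits behind the ISP the request came in on.

```python
"""Added model of the two return-path strategies in the post (constructed).
Not the author's config and not a BGP implementation: only the decisions
that matter for symmetry are simulated. ASN, community values and which
city hosts which ISP are assumptions."""
from dataclasses import dataclass
from itertools import product

FW_NORTH, FW_SOUTH = "fw-north", "fw-south"      # the two firewall clusters
ISP1, ISP2 = "isp1", "isp2"
ISP_OF = {FW_NORTH: ISP1, FW_SOUTH: ISP2}       # assumption: ISP1 is in the north
OUR_AS = 64500                                  # constructed private ASN
PREFER_ISP1, PREFER_ISP2 = "64500:1", "64500:2" # assumed community values
PREFER_FOR_ISP = {ISP1: PREFER_ISP1, ISP2: PREFER_ISP2}
NAT_POOL = {FW_NORTH: "198.51.100.0/24", FW_SOUTH: "203.0.113.0/24"}
PREPEND = (OUR_AS,) * 2                         # prepend length, assumed


@dataclass(frozen=True)
class Advert:
    prefix: str
    via_isp: str
    as_path: tuple   # as seen from outside; longer is less preferred


def internet_best(adverts):
    """The rest of the Internet prefers the shortest AS path. The real
    tie-break is arbitrary, so it is made deterministic (ISP1 first) here."""
    if not adverts:
        return None
    return min(adverts, key=lambda a: (len(a.as_path), a.via_isp)).via_isp


# --- Strategy 1: the NAT hack ----------------------------------------------
def nat_return_isp(egress_fw, isp_up):
    """Outbound flows are SNATed by the egress firewall to its own pool, and
    only that firewall originates the pool, so returns can only land there."""
    isp = ISP_OF[egress_fw]
    adverts = [Advert(NAT_POOL[egress_fw], isp, (OUR_AS,))] if isp_up[isp] else []
    return internet_best(adverts)   # None: the pool is unreachable while its ISP is down


# --- Strategy 2: communities + local-pref, no NAT ----------------------------
def community_for(location):
    """Core routers tag prefixes with the ISP of the city they live in."""
    return PREFER_ISP1 if location == "north" else PREFER_ISP2


def firewall_export(fw, prefix, community):
    """Export policy at each firewall: advertise plainly when the community
    names our own ISP, otherwise prepend so this path loses outside."""
    isp = ISP_OF[fw]
    path = (OUR_AS,) if community == PREFER_FOR_ISP[isp] else (OUR_AS, *PREPEND)
    return Advert(prefix, isp, path)


def inbound_isp(prefix, location, isp_up):
    """Which ISP the Internet delivers traffic for this prefix through."""
    comm = community_for(location)
    adverts = [firewall_export(fw, prefix, comm)
               for fw, isp in ISP_OF.items() if isp_up[isp]]
    return internet_best(adverts)


def outbound_fw(location, isp_up):
    """Default-route choice at a core router. Both firewalls are one hop away
    in the 'core' VRF, so without policy the IGP tie-break picks the same one
    everywhere; local-pref derived from the location's community decides instead."""
    want = community_for(location)
    scored = {}
    for fw, isp in ISP_OF.items():
        if isp_up[isp]:   # a firewall that lost its upstream withdraws its default
            scored[fw] = 200 if PREFER_FOR_ISP[isp] == want else 100
    if not scored:
        return None
    return max(scored, key=lambda fw: (scored[fw], fw))


def is_symmetric(location, isp_up, prefix="192.0.2.0/24"):
    """True when the reply leaves through the firewall behind the ISP the
    request arrived on, i.e. no asymmetric path across the clusters."""
    fw = outbound_fw(location, isp_up)
    return fw is not None and ISP_OF[fw] == inbound_isp(prefix, location, isp_up)


def failure_matrix():
    """Symmetry for each city under every ISP up/down combination."""
    return {(loc, up1, up2): is_symmetric(loc, {ISP1: up1, ISP2: up2})
            for loc, up1, up2 in product(("north", "south"), (True, False), (True, False))}


if __name__ == "__main__":
    for key, ok in failure_matrix().items():
        print(key, "symmetric" if ok else "no path")
```

Running it shows both cities symmetric whenever at least one ISP is up, and the southern prefixes preferring ISP2 as long as it is reachable. The NAT variant in the same model makes the trade-off visible: `nat_return_isp` returns `None` once the egress firewall's ISP is down, because the pool was only ever originated there, so established NAT sessions have no return path at all rather than an asymmetric one.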

OK, it wasn't short, but hopefully there are people who don't have anything better to do on Friday evenings :)
